okta, google-authenticator

Possible to script Google Authenticator codes


I have an Okta user with 2FA using the Google Authenticator app on my phone. I have been looking into some code to automate this so I don't have to check my phone. I was hoping this could be done through a command-line script.

I see this script https://github.com/grahammitchell/google-authenticator; however, I would need to know the user (which I believe to be my Okta username) and the secret (this I am not sure where I could pull from; perhaps I can generate a new one?).

I guess my question would be: is this possible?


Solution

  • Yes, you can (but you probably shouldn't). When you add a code/site/whatever in Google Authenticator (or any TOTP code generator) it takes a symmetric secret (i.e. a passphrase) and uses that + the time to generate the 6-digit code. The IdP saves the same secret and uses the same TOTP protocol to generate the codes.

    Provided the time is the same, the codes the IdP generates are the same as the codes your phone generates, and you have proved you know the secret.

    The trick is to get the underlying secret when enrolling the device into MFA and save this somewhere you can use it to generate the codes.

    Once you have the QR code you can read the secret from it using Python, e.g.: How to decode a QR-code image in (preferably pure) Python?

    Then the script you linked can generate the codes.

    When would you do this?

    I have done this in the past to automate testing of various IdP functionality like enrolling into MFA, authenticating and so on.

    When would you never do this?

    If this is a normal account, like your Gmail / some SaaS you use for work / something that is important, then this approach is a terrible idea. The idea behind MFA is that you have:

    It undermines the security offered by the second factor. If they steal your password or somehow access your device, they still need to take over the other factor to access important services; but if you keep that secret on the same device they just got access to, then you might as well have handed them your phone too.
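The mechanism the answer describes (a shared secret plus the current time, turned into a 6-digit code by HMAC, the same on the phone and on the IdP), as an added example that is not part of the original question or answer and not the linked script. The `otpauth://` URI is constructed for illustration: it is the text a Google Authenticator enrolment QR code decodes to, and the `secret` it carries is the base32 encoding of the RFC 6238 test seed `12345678901234567890`, not a real account. The `verify_totp` function plays the IdP side, accepting a code from the current 30-second step or one step either side to tolerate clock drift.

```python
"""Generate and verify TOTP codes (RFC 6238) from an otpauth:// URI.

Added example; not code from the original post or the linked script.
SAMPLE_URI is constructed: it carries the RFC 6238 test seed, not a real
Okta enrolment.
"""
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, unquote, urlparse

# Constructed sample: what a Google Authenticator enrolment QR code decodes to.
SAMPLE_URI = (
    "otpauth://totp/Okta:alice%40example.com"
    "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Okta"
    "&algorithm=SHA1&digits=6&period=30"
)


def parse_otpauth(uri):
    """Return the TOTP parameters encoded in an otpauth://totp/... URI."""
    parts = urlparse(uri)
    if parts.scheme != "otpauth" or parts.netloc != "totp":
        raise ValueError("not an otpauth://totp URI")
    query = {k: v[0] for k, v in parse_qs(parts.query).items()}
    if "secret" not in query:
        raise ValueError("URI has no secret parameter")
    return {
        "label": unquote(parts.path.lstrip("/")),
        "secret": query["secret"],
        "issuer": query.get("issuer"),
        "algorithm": query.get("algorithm", "SHA1").lower(),
        "digits": int(query.get("digits", 6)),
        "period": int(query.get("period", 30)),
    }


def _decode_secret(secret_b32):
    """Base32-decode the shared secret; enrolment URIs often omit '=' padding."""
    s = secret_b32.strip().replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


def hotp(key, counter, digits=6, algorithm="sha1"):
    """RFC 4226: HMAC(key, counter) with dynamic truncation to `digits` digits."""
    mac = hmac.new(key, struct.pack(">Q", counter), algorithm).digest()
    offset = mac[-1] & 0x0F                      # low nibble of last byte picks the window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32, for_time=None, digits=6, period=30, algorithm="sha1"):
    """RFC 6238: HOTP with counter = floor(unix_time / period)."""
    if for_time is None:
        for_time = time.time()
    return hotp(_decode_secret(secret_b32), int(for_time) // period, digits, algorithm)


def verify_totp(secret_b32, code, for_time=None, window=1, digits=6, period=30, algorithm="sha1"):
    """IdP side: accept the code for the current step or `window` steps either side."""
    if for_time is None:
        for_time = time.time()
    key = _decode_secret(secret_b32)
    counter = int(for_time) // period
    for step in range(-window, window + 1):
        # constant-time compare so the check leaks nothing about the expected code
        if hmac.compare_digest(hotp(key, counter + step, digits, algorithm), str(code)):
            return True
    return False


def code_from_uri(uri, for_time=None):
    """Phone side: the code the authenticator app would show for this enrolment."""
    p = parse_otpauth(uri)
    return totp(p["secret"], for_time, p["digits"], p["period"], p["algorithm"])


if __name__ == "__main__":
    params = parse_otpauth(SAMPLE_URI)
    print("enrolled as", params["label"], "with issuer", params["issuer"])
    print("current code:", code_from_uri(SAMPLE_URI))
```

Both sides derive the code from nothing but the secret and the clock, which is the whole point of the answer: whoever holds the base32 secret holds the second factor. The RFC 6238 test vectors (for example 59 seconds after the epoch gives 287082 with SHA1 and 6 digits) are a quick way to check that an implementation like this agrees with the app before relying on it in a test harness.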