How to Use the Command 'pass otp' (with examples)
The ‘pass otp’ command is a powerful extension to the ‘pass’ password manager, designed for managing one-time passwords (OTPs). These OTPs are often used as a secondary method for authentication in two-factor authentication (2FA) systems, providing an additional layer of security to safeguard accounts. With ‘pass otp’, users can handle OTP tokens efficiently, generating 2FA codes, appending OTP data to pass files, and more, all within a secure and streamlined environment.
Use case 1: Prompt for an otpauth URI token and create a new pass file
Code:
pass otp insert path/to/pass
Motivation:
Creating a new pass file with an OTP token is essential for users who are setting up two-factor authentication for the first time for a particular account. This operation ensures that a secure and unique OTP token is stored in a dedicated file, which can easily be accessed later to retrieve time-sensitive authentication codes.
Explanation:
pass otp: Initiates the ‘pass otp’ command to interact with OTP tokens.
insert: This argument specifies that a new pass file is being created to store an OTP token.
path/to/pass: This path indicates where the new pass file should be stored within your designated password storage system. It allows the user flexibility in organizing their authentication credentials.
Example output:
otpauth URI token: <Now insert the token>
Upon executing the command, the user is prompted to insert the OTP authenticator URI token, which typically contains the secret and other metadata necessary for OTP generation.
Use case 2: Prompt for an otpauth URI token and append to an existing pass file
Code:
pass otp append path/to/pass
Motivation:
Appending an OTP token to an existing pass file is useful when you want to consolidate multiple tokens within the same file. This might be the case if one service provides multiple OTP tokens for different access levels or accounts. Streamlining tokens this way can aid in organization and manageability.
Explanation:
pass otp: Initiates the ‘pass otp’ command.
append: Specifies that the OTP token is being appended to an already existing pass file rather than creating a new one.
path/to/pass: This path points to the current pass file where the new OTP token will be added.
Example output:
otpauth URI token: <Now insert the token>
Similar to the insert command, the user will be prompted to insert the new OTP token, effectively appending it to the specified existing file.
Use case 3: Print a 2FA code using the OTP token in a pass file
Code:
pass otp path/to/pass
Motivation:
When you need to log into a service that requires two-factor authentication, having quick access to your 2FA code is crucial. This command allows the user to instantly output the current time-based 2FA code associated with the stored token, making secure access fast and smooth.
Explanation:
pass otp: Calls the ‘pass otp’ command to generate a 2FA code.
path/to/pass: Directs the command to the appropriate pass file, which contains the OTP token needed to generate the correct 2FA code.
Example output:
123456
The output displays the current 2FA code, which is valid for a predefined short time window, typically around 30 seconds.
Use case 4: Copy and don’t print a 2FA code using the OTP token in a pass file
Code:
pass otp --clip path/to/pass
Motivation:
Instead of printing a 2FA code, which could inadvertently be seen by others, copying it directly to the clipboard ensures that the code is shared only with the applications you paste it into. This is particularly beneficial in environments where visual exposure of sensitive data could be risky.
Explanation:
pass otp: Initiates the process of retrieving an OTP token.
--clip: This option specifies that the 2FA code should be copied to the clipboard instead of being printed out in the terminal.
path/to/pass: Specifies which pass file contains the desired OTP token for generating the 2FA code.
Example output:
Copied 2FA code to clipboard.
No code is visibly printed, maintaining the security of the OTP until it is pasted.
Use case 5: Display a QR code using the OTP token stored in a pass file
Code:
pass otp uri --qrcode path/to/pass
Motivation:
Displaying a QR code is extremely helpful when setting up 2FA apps on mobile devices. It allows users to scan the QR code directly from their device for easier setup, avoiding manual entry of sensitive information.
Explanation:
pass otp uri: Retrieves the OTP token in URI format, which encodes all the necessary data for generating OTPs.
--qrcode: Converts the URI into a QR code displayed in the terminal.
path/to/pass: Directs the operation to the correct file containing the needed OTP token.
Example output:
██████████████████████████
████ ▄▄▄▄▄ █ ▄▄▀█ █ ███ █
█████ ███ █▄▄█▄▀▀██ ▀▀ ▀█
█████ ▀▀█ █▄█▀▄▀█ ▀███ █
████▄█▄██▄█ ▀ ▀▄█ █▀ ███
███████ ▀█▄ ▀ █ ▀ █▄▄▄▀█
████▄▄▄▄▄ █▀▄ ▀ ▀ █ █ ██
████ ▄▄▄ ███▀▄ ▄██▀█▄▀█▀
████▄▄▄▀ ▀▄ ▄ █▄▄ ▀ █ █
████▀▀ █▄█▄██▄▀▄█▀▀█▀ ██
█████████████████████████
The terminal renders a QR code image that can be utilized with a compatible OTP application.
Use case 6: Prompt for an OTP secret value specifying issuer and account (at least one must be specified) and append to existing pass file
Code:
pass otp append --secret --issuer issuer_name --account account_name path/to/pass
Motivation:
Specifying an issuer and account along with an OTP secret is useful for personal organization and clarity, especially when multiple OTP entries are stored. This detailed labeling aids in quickly identifying which service and account the OTP relates to and can enhance security by avoiding misapplication.
Explanation:
pass otp: Calls the OTP management functions.
append: Indicates that additional OTP data should be added to an existing pass file.
--secret: Prompts the user to enter the OTP secret directly, rather than as a URI.
--issuer issuer_name: (Optional) Labeling the OTP with a particular issuer clarifies which service it’s associated with.
--account account_name: (Optional) Similarly, specifying the account can help differentiate between multiple instances or users.
path/to/pass: Ensures the new OTP information is appended to the desired file.
Example output:
OTP secret: <Now insert the secret>
The user provides the OTP secret manually, and this information, along with the specified issuer and account details, is appended to the chosen file.
Conclusion:
The ‘pass otp’ command is a versatile tool in the realm of security, allowing users to efficiently manage OTP tokens for secure two-factor authentication. By leveraging various functionalities, users can securely generate, append, and access OTP-related information, streamlining their authentication processes while ensuring data remains organized and secure. From generating 2FA codes to managing QR codes and appending secret information, ‘pass otp’ serves as a comprehensive solution for modern security needs.