Does This Work With AWS MFA?
limitedAtonement opened this issue · 2 comments
AWS appears to support an "Other hardware MFA device" option:
Then it prompts me thus:
At first I thought this looked great. I entered "youstupid" for the serial number, ran the application using echo youstupid | ./totp twice, and entered the two generated tokens, then I get
I tried with many more serial numbers, but none of them have worked. Any ideas how to get this working on AWS? Is AWS expecting an Amazon-issued hardware device?
Oh yes, I should add that it doesn't seem to matter what generated keys I put in; it's not validating the keys. The serial number fails validation, then I can put in any keys I want and I get the same failure.
I did some research and I was able to make it work. Instead of "Other hardware MFA device" (that would require buying a Thales device), choose Virtual MFA Device. When AWS gives you its secret, realize it's a binary secret (not UTF-8) and it's base32-encoded. Base32-decode that key and save it to a file (I'll call the file base32): https://emn178.github.io/online-tools/base32_decode_file.html. Feed this key into totp to generate your tokens:
./totp < base32;
If you want the token on your clipboard:
result=$(./totp < base32);
xsel -b <<< "$result";
echo "$result";
or whatever. Rock on!
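The procedure in the comment above (base32-decode the secret AWS shows for a Virtual MFA Device, feed the raw bytes to a TOTP generator, enter two consecutive codes) worked through in Python as an added example; this is not the totp tool from the thread or from AWS. It uses only the standard library and the RFC 6238 SHA-1 test secret ("12345678901234567890", which AWS-style base32 renders as GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ), so it runs offline; the normalisation of spaces, case and missing "=" padding reflects how the console displays the key, and the function and parameter names are this example's own. It also shows why the first attempt in the thread could never validate: treating the base32 text itself as the key gives a different code.

```python
import base64
import hashlib
import hmac
import struct
import time


def decode_mfa_secret(secret: str) -> bytes:
    """Turn the base32 string AWS shows for a Virtual MFA Device into raw key bytes.

    The console shows the key upper-case, without '=' padding and sometimes
    grouped with spaces, so normalise before decoding.  The result is what the
    thread's ./totp tool expects on stdin (the contents of the "base32" file).
    """
    cleaned = "".join(secret.split()).upper()
    cleaned += "=" * (-len(cleaned) % 8)  # restore RFC 4648 padding
    return base64.b32decode(cleaned, casefold=True)


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter, dynamic truncation."""
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(key: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the current 30-second window."""
    return hotp(key, unix_time // step, digits)


def aws_virtual_mfa_codes(secret: str, unix_time: int) -> tuple[str, str]:
    """The two consecutive codes AWS asks for when enabling a virtual device.

    Both are derived from the decoded secret; the second is the next 30-second window.
    """
    key = decode_mfa_secret(secret)
    return totp(key, unix_time), totp(key, unix_time + 30)


def wrong_code_from_undecoded_secret(secret: str, unix_time: int) -> str:
    """The mistake the thread ran into: using the base32 text as the key bytes.

    The code looks plausible but AWS, which uses the decoded bytes, will reject it.
    """
    return totp(secret.encode("ascii"), unix_time)


if __name__ == "__main__":
    # Constructed input: the RFC 6238 reference secret in the form AWS would display it.
    displayed = "gezd gnbv gy3t qojq gezd gnbv gy3t qojq"
    now = int(time.time())
    first, second = aws_virtual_mfa_codes(displayed, now)
    print("codes to enter:", first, second)
    print("code from undecoded text (wrong):", wrong_code_from_undecoded_secret(displayed, now))
```

The online decoder linked in the comment produces exactly the bytes decode_mfa_secret returns, so ./totp < base32 and totp(decode_mfa_secret(...), now) agree. Pasting an MFA seed into a third-party web page does hand that seed to whoever runs the page, so a local decode (this script, or coreutils base32 -d) is the safer route to the same file.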