A simple tool that uses FIDO2's hmac-secret extension to create resident credentials and static challenge responses, which are used to encrypt TOTP secrets. The secrets are stored using the D-Bus Secret Service API (GNOME Keyring); decrypting them and deriving TOTP tokens requires user verification.
Inspired by SoloKey and tested with OpenSK.
- Store base32 TOTP secret encrypted with the security key's static response in the keyring:
    fido2otp push my-service NZKHGK6DVNZSEY56
- Generate TOTP token for my-service. Requires user verification:
    fido2otp get my-service
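The push/get flow described above, as an added Python sketch that is not fido2otp's own code. Assumptions: the authenticator's CredRandom is simulated in software, the `enc`/`mac` key labels and the HMAC-based stand-in cipher are illustrative (the page does not say which cipher the tool uses), and all sample values are constructed.

```python
import base64, hashlib, hmac, os, struct

def hmac_secret(cred_random: bytes, salt: bytes) -> bytes:
    # CTAP2 hmac-secret output: HMAC-SHA256(CredRandom, salt). CredRandom never
    # leaves the authenticator; it is simulated here so the example runs offline.
    return hmac.new(cred_random, salt, hashlib.sha256).digest()

def _prf(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()

def _xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Stand-in cipher (HMAC-SHA256 in counter mode); use a vetted AEAD in practice.
    blocks = (len(data) + 31) // 32
    stream = b"".join(_prf(key, nonce + struct.pack(">I", i)) for i in range(blocks))
    return bytes(a ^ b for a, b in zip(data, stream))

def seal(response: bytes, plaintext: bytes) -> bytes:
    # Encrypt-then-MAC under keys derived from the authenticator's response.
    nonce = os.urandom(16)
    ct = _xor_stream(_prf(response, b"enc"), nonce, plaintext)
    return nonce + ct + _prf(_prf(response, b"mac"), nonce + ct)

def unseal(response: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, _prf(_prf(response, b"mac"), nonce + ct)):
        raise ValueError("wrong authenticator response or modified blob")
    return _xor_stream(_prf(response, b"enc"), nonce, ct)

def totp(secret_b32: str, now: float, step: int = 30, digits: int = 6) -> str:
    # RFC 6238 with HMAC-SHA1 and RFC 4226 dynamic truncation.
    key = base64.b32decode(secret_b32.upper())
    mac = hmac.new(key, struct.pack(">Q", int(now) // step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

if __name__ == "__main__":
    import time
    cred_random, salt = os.urandom(32), os.urandom(32)   # constructed values
    blob = seal(hmac_secret(cred_random, salt), b"NZKHGK6DVNZSEY56")  # "push"
    secret = unseal(hmac_secret(cred_random, salt), blob).decode()    # "get"
    print(totp(secret, time.time()))
```

Only the salt and the sealed blob need to be stored in the keyring; without the authenticator's response to that salt, the blob fails the tag check and yields no secret.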