Time-based one-time password (TOTP)

Hello everyone,
I've been a bit MIA lately. Between a new job and the first semester of my studies, I've been swamped. While I've missed coding and hacking on HTB, I'm excited about the new challenges and knowledge I'm gaining. My boss has been a fantastic resource, always patient and insightful with my questions.


As I was reflecting on my digital security, I realized a crucial vulnerability: my reliance on online TOTP services like Google Authenticator and Microsoft Authenticator. While these services are convenient, they introduce a significant attack surface.


Determined to enhance my security without breaking the bank, I sought a DIY solution. The idea was simple: create a script that generates TOTP codes offline. I initially struggled to recall the necessary coding knowledge, but thanks to ChatGPT, I was able to quickly put together a basic script.
Implementation:

  1. Obtain the Secret Key: When you set up 2FA, you're provided with a QR code and a secret key. This key is the crucial piece of information.
  2. Create a Secure Storage: I used VeraCrypt to encrypt a storage container on my hard drive and USB stick. This ensures that even if my devices are compromised, the secret key remains protected.
  3. Run the Script: Periodically, I'll run the script from the encrypted storage, input the secret key, and generate the required TOTP codes.

import pyotp

# Replace with the base32 secret shown next to the QR code during 2FA enrollment
secret = "YOUR_TOTP_SECRET"

# Generate the current 6-digit TOTP code (30-second step, HMAC-SHA1 by default)
totp = pyotp.TOTP(secret)
print("Your TOTP code is:", totp.now())


While this approach requires a bit more effort, it significantly reduces the risk of a security breach. Remember, there's no 100% security, but by taking proactive measures, we can bolster our digital defenses. I encourage you to consider implementing a similar strategy to safeguard your most critical accounts.