Support of TOTP
By Sébastien Helleu on Monday, January 14 2019, 21:47 - core
TOTP (Time-based One-Time Password) support has been added in WeeChat, which can now generate TOTP and check their validity.
A TOTP is generated with:
- the secret (encoded in base 32),
- the time (by default 0, which is the current time),
- the number of digits (4 to 10 digits are supported, 6 is the default and recommended value).
Relay plugin
The TOTP can be used as second authentication factor in the relay plugin, with two new options:
- relay.network.totp_secret: the TOTP secret, encoded in base 32
- relay.network.totp_window: the allowed window, i.e. the number of TOTP accepted before and after the current time window.
For example, to set the secret using secured data (just replace "xxxxx" with your secret in base 32):
/secure set relay_totp_secret xxxxx
/set relay.network.totp_secret "${sec.data.relay_totp_secret}"
Then your relay client must support and send the TOTP value, in addition to the password, in the "init" command:
init password=secretpassword,totp=123456
If the password is valid and the TOTP is valid for the current time, the authentication is successful.
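What the generation parameters and the relay's window check amount to, as an added example that is not WeeChat's own code. It assumes the RFC 6238 defaults of HMAC-SHA1 and a 30-second time step; the function names and the sample secret (the RFC 6238 test key) belong to this example only.

```python
import base64
import hashlib
import hmac
import struct
import time

TIME_STEP = 30  # seconds per time window (RFC 6238 default, assumed here)
# Constructed sample: base32 of the RFC 6238 test key "12345678901234567890".
SAMPLE_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def totp_generate(secret_b32, totp_time=0, digits=6):
    """Return the TOTP for a base32 secret; time 0 means the current time."""
    if not 4 <= digits <= 10:
        raise ValueError("digits must be between 4 and 10")
    if totp_time == 0:
        totp_time = int(time.time())
    # Tolerate lower case and missing "=" padding in the stored secret.
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    counter = struct.pack(">Q", totp_time // TIME_STEP)
    digest = hmac.new(key, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F  # dynamic truncation, RFC 4226
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp_validate(secret_b32, otp, totp_time=0, window=0, digits=6):
    """Accept otp for the current window or `window` windows before/after it."""
    if totp_time == 0:
        totp_time = int(time.time())
    valid = False
    for step in range(-window, window + 1):
        shifted = totp_time + step * TIME_STEP
        if shifted <= 0:
            continue  # skip times at or before the epoch (0 would mean "now")
        candidate = totp_generate(secret_b32, shifted, digits)
        # Constant-time compare, and no early exit on the first match.
        valid |= hmac.compare_digest(candidate.encode(), otp.encode())
    return valid
```

Each unit of window adds two more accepted codes (one before, one after), so a small relay.network.totp_window keeps the set of valid guesses small.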
Infos / eval
You can also generate or validate TOTP with two new infos in WeeChat:
- totp_generate: generate a TOTP
- totp_validate: validate a TOTP
For example, to show the value of the TOTP for the secret "secretbase32", at the current time, with 6 digits:
/eval -n ${info:totp_generate,secretbase32,0,6}
Documentation
You can read more about TOTP in the docs:
- user's guide: TOTP in relay plugin
- API reference: infos "totp_generate" and "totp_validate".