TOTP (Time-based One-Time Password) support has been added in WeeChat, which can now generate and check TOTP validity.
A TOTP is generated with:
- the secret (encoded in base 32),
- the time (by default 0, which is the current time),
- the number of digits (4 to 10 digits are supported, 6 is the default and recommended value).
Relay plugin
The TOTP can be used as second authentication factor in the relay plugin, with two new options:
- relay.network.totp_secret: the TOTP secret, encoded in base 32
- relay.network.totp_window: the allowed window: number of TOTP allowed before and after the current time window.
For example to set the secret using secured data (just replace "xxxxx" by your secret in base 32):
/secure set relay_totp_secret xxxxx
/set relay.network.totp_secret "${sec.data.relay_totp_secret}"
Then your relay client must support and send the TOTP value, in addition to the password, in the "init" command:
init password=secretpassword,totp=123456
If the password is valid and that TOTP is valid for the current time, the authentication is successful.
Infos / eval
You can also generate or validate TOTP with two new infos in WeeChat:
- totp_generate: generate a TOTP
- totp_validate: validate a TOTP
For example to show the value of TOTP for the secret "secretbase32", current time, with 6 digits:
/eval -n ${info:totp_generate,secretbase32,0,6}
Documentation
You can read more about TOTP in the docs: