DOKK / manpages / debian 10 / python-yubico-tools / yubikey-totp.1.en
yubikey-totp(1) General Commands Manual yubikey-totp(1)

yubikey-totp - Produce an OATH TOTP code using a YubiKey

yubikey-totp [-v] [-h] [--time | --step] [--digits] [--slot] [--debug]

OATH codes are one time passwords (OTP) calculated in a standardized way. While the YubiKey is primarily used with Yubico OTP's, the YubiKey is also capable of producing OATH codes.

OATH generally comes in two flavors -- event based (called HOTP) and time based (called TOTP). Since the YubiKey does not contain a battery, it cannot keep track of the current time itself and therefor a helper application such as yubikey-totp is required to effectively send the current time to the YubiKey, which can then perform the cryptographic calculation needed to produce the OATH code.

Through the use of a helper application, such as yubikey-totp, the YubiKey can be used with sites offering OATH TOTP authentication, such as Google GMail.

enable verbose mode.
show help
specify the time value to use (in seconds since epoch)
how frequent codes change in your system - typically 30 or 60 seconds
digits in OATH code - typically 6
YubiKey slot to use - default 2
enable debug output

The YubiKey OATH TOTP operation can be demonstrated using the RFC 6238 test key "12345678901234567890" (ASCII).

First, program a YubiKey for HMAC-SHA1 Challenge-Response operation with the test vector HMAC key :

$ ykpersonalize -2 -ochal-resp -ochal-hmac -ohmac-lt64 -o serial-api-visible \
	-a 3132333435363738393031323334353637383930

Now, send the NIST test challenge to the YubiKey and verify the result matches the expected :

$ yubikey-totp --step 30 --digits 8 --time 1111111109
07081804
$

Report yubikey-totp bugs in the issue tracker ⟨URL: https://github.com/Yubico/python-yubico/issues/ ⟩.

YubiKeys can be obtained from Yubico ⟨URL: http://www.yubico.com/ ⟩.

June 2012 python-yubico