pass-otp
Generate and display a one-time password
TLDR
Prompt for an otpauth URI token and create a new pass file:
  pass otp insert path/to/pass
Prompt for an otpauth URI token and append to an existing pass file:
  pass otp append path/to/pass
Print a 2FA code using the OTP token in a pass file:
  pass otp path/to/pass
Copy a 2FA code to the clipboard without printing it, using the OTP token in a pass file:
  pass otp --clip path/to/pass
Display a QR code of the OTP token stored in a pass file:
  pass otp uri --qrcode path/to/pass
Prompt for a bare OTP secret (not a full URI), specifying issuer and/or account (at least one is required), and append it to an existing pass file:
  pass otp append --secret --issuer issuer_name --account account_name path/to/pass
SYNOPSIS
pass otp [code] [--clip,-c] pass-name
pass otp insert [--force,-f] [--echo,-e] [[--secret,-s] [--issuer,-i issuer] [--account,-a account]] [pass-name]
pass otp append [--force,-f] [--echo,-e] [[--secret,-s] [--issuer,-i issuer] [--account,-a account]] pass-name
pass otp uri [--clip,-c] [--qrcode,-q] pass-name
pass otp validate uri
PARAMETERS
pass-name
The name or path of the entry in the password store that holds, or will hold, the otpauth:// key URI. For insert it may be omitted, in which case the label from the URI is used as the entry name.
-c, --clip
For code (the default subcommand) and uri, copy the generated code or the key URI to the clipboard instead of printing it. As with pass itself, the clipboard is cleared after 45 seconds by default (PASSWORD_STORE_CLIP_TIME).
-f, --force
For insert and append, overwrite an existing otpauth:// URI in the entry without prompting.
-e, --echo
For insert and append, echo the URI or secret as it is typed instead of reading it silently.
-s, --secret
For insert and append, prompt for a bare base32 secret instead of a full otpauth:// URI. pass-otp builds the URI from the secret plus --issuer and --account; at least one of the two must be given.
-i, --issuer issuer
With --secret, the issuer to put in the generated URI.
-a, --account account
With --secret, the account name to put in the generated URI.
-q, --qrcode
For uri, render the stored key URI as a QR code in the terminal (requires qrencode) so it can be scanned into another authenticator.
uri
For validate, an otpauth:// URI to check for syntactic validity. insert and append also accept the URI on standard input, which is how a QR image decoded by an external tool is imported.
DESCRIPTION
pass-otp is an extension for the pass (password-store) command-line password manager. It stores, retrieves and generates Time-based (TOTP, RFC 6238) and HMAC-based (HOTP, RFC 4226) one-time passwords from otpauth:// key URIs kept inside the GPG-encrypted password store; the code arithmetic itself is delegated to oathtool from oath-toolkit.
Because the OTP secret lives in the same encrypted entry as the account password, nothing new has to be protected: the store's GPG key(s) guard both. Key URIs are entered at a prompt, passed on standard input (for example the output of zbarimg run against a screenshot of a provisioning QR code), or built from a bare secret with --secret, --issuer and --account. The stored URI can be printed or rendered as a QR code to migrate the token to another authenticator.
The result is that producing a 2FA code is no harder than retrieving any other password from the store, with the trade-off that the second factor no longer lives on a separate device (see CAVEATS).
CAVEATS
Dependencies: pass-otp requires pass (password-store) and oathtool (oath-toolkit), which performs the actual code generation. Displaying QR codes with uri --qrcode requires qrencode; importing a token from a QR image requires a separate reader such as zbarimg, whose output is piped into pass otp insert or pass otp append.
Secret storage: the OTP secret (the base32 key in the otpauth:// URI) is stored in clear inside the encrypted entry, next to the password. Anyone who can decrypt the store, or who obtains the GPG key and its passphrase, gets both factors at once, so a pass-otp token is a convenience second factor rather than a second device. If the store is a git repository, a removed or rotated URI also remains in history until the history is rewritten.
Time synchronization: TOTP codes are derived from the current Unix time divided into 30-second steps (or the period given in the URI). A skewed clock produces codes the verifier rejects, and most verifiers tolerate only about one step of drift, so keep the system clock NTP-synchronized.
HOTP counter: an HOTP URI carries a counter parameter, and every code generated consumes one value. pass-otp increments the counter in the stored URI after each code, so the entry is rewritten (and committed, in a git-backed store) on every use. Generating codes that are never submitted, or restoring an older copy of the entry, desynchronizes the counter from the server's, and most servers resynchronize only within a small look-ahead window.
INTEGRATION WITH PASS ENTRIES
pass-otp keeps the key URI inside the pass entry file itself, on its own line below the password (and below any other free-form lines, such as key: value metadata). A decrypted entry might look like:
MySecretPassword
otpauth://totp/Example:user@example.com?secret=JBSWY3DPEHPK3PXP&issuer=Example
pass otp MyEntry decrypts the file, finds the line beginning with otpauth://, validates it, and hands the secret and parameters (type, algorithm, digits, period or counter) to oathtool to produce the current code; pass otp uri MyEntry prints that line unchanged. Only the otpauth:// line is consulted, so the rest of the file remains free-form, as in any other pass entry.
HISTORY
pass-otp began as a community extension to pass, written by Tad Fisher and published at https://github.com/tadfisher/pass-otp after pass 1.7 introduced its extension mechanism. Its aim was to keep second-factor secrets in the same GPG-encrypted, git-tracked store as passwords instead of in a separate phone app, using the otpauth:// key URI format that authenticator apps already understand. It supports both TOTP and HOTP and has become one of the most widely packaged and used pass extensions.