I do not want anything to do with this, but I imagine I'm about to be railroaded into it anyway.

It's bad enough that so many web sites are starting to assume I must have my phone handy and I must have cell service where I'm sitting. I didn't want to give them my phone number in the first place but now they're SMSing me before letting me in, and if I happen to be out in the boonies, unable to receive their six-digit code... they don't have a solution for that.

No one thinks SMS is a good idea. That's why most competent places are pushing time-based one-time passwords, or some kind of cert-based push method.

Which also assumes I have a particular device or service open. My randomly generated offline passwords should be sufficient security.

If you want the quickest and dirtiest solution to your problem, then oathtool is for you:

  $ oathtool --totp -b "S3GXITTAZXNN4LCPXWQREDYBIE"
  646063

Otherwise, most password managers, i.e. Bitwarden, have integrated TOTP support.

Do you store the secret in your password manager?

When a password manager has both the password and the secret for TOTP, that always seemed like it degraded the concept of multi-factor authentication to me.

Personally, I don't. I explicitly and intentionally keep my Email, Password Manager and 2FA providers all distinct and separate. (This was very useful for extracting the TOTP secret out of the Symantec VIP 2FA system: https://github.com/dlenski/python-vipaccess)

At work, we do for non-person accounts. It's non-ideal, but I don't want to manage two separate systems for storing that data and trying to keep them in sync. The password vault system itself has a hard requirement for 2FA to download the vault.