rdavydov / Twitch-Channel-Points-Miner-v2

A simple script that will watch a stream for you and earn the channel points.
GNU General Public License v3.0
1.19k stars, 348 forks

Auto 2FA #50

Open TheMaxik opened 1 year ago

TheMaxik commented 1 year ago

I'm always frustrated when I forget about the Miner and lose multiple hours because it restarted and wanted a new 2FA code.

There is a library called pyotp that I used way back for my bot. You can give it your secret and it can generate the 2FA code on its own. You would need to extract the code from the QR code when setting up 2FA, but that's doable.

rdavydov commented 1 year ago

Could you please elaborate? It looks like pyotp is for checking the authentication when you are making your own server app. How can it replace a client's authenticator app to authenticate on another website?

TheMaxik commented 1 year ago

`totp = pyotp.TOTP(secret)` and `tfa = totp.now()`

Hope this helps

rdavydov commented 1 year ago

This doesn't help at all, I saw the example too. I think you just copied and modified it.

How can it replace a client's Authenticator app to authenticate on another website (in our case, Twitch)? Because it is not for a client, it is for a server!

You mentioned that you used pyotp with your bot. How exactly? Could you please provide some real code from that bot related to pyotp?

TheMaxik commented 1 year ago

Yeah, that's exactly how I did it. This wasn't from an example, it was from my code.

```python
import pyotp

secret = "BASE32_SECRET_FROM_QR_CODE"  # placeholder: the base32 secret extracted from the 2FA QR code


def getTwoFactor():
    totp = pyotp.TOTP(secret)
    tfa = totp.now()  # code for the current 30-second window
    print(f"Current 2FA: {tfa}")
    return tfa
```

How I used it exactly: I went to the Twitch 2FA site and generated a new QR code for my phone. While scanning it, I also used a QR-code decryption site to extract the secret that I then added to my code.

rdavydov commented 1 year ago

What's the point in doing that? Please show the full code how you're using tfa after that.

TheMaxik commented 1 year ago

```python
from selenium.webdriver.common.by import By
from selenium.webdriver.support import expected_conditions as EC
from selenium.webdriver.support.ui import WebDriverWait

# driver: the Selenium WebDriver instance created earlier in the bot (not shown here)


def Login():
    print("Opening Login Page")
    # ... log in with username
    # ... waiting for captcha... and trying to solve it
    print("Generating 2FA Code")
    twofactor = getTwoFactor()
    print("Waiting for 2FA Field to appear")
    try:
        tfaField = WebDriverWait(driver, 30).until(
            EC.presence_of_element_located((By.XPATH, '//input[@autocomplete="one-time-code"]'))
        )
        tfaField.send_keys(twofactor)
    except Exception as exc:  # the rest was not posted; minimal handler so the block parses
        print(f"2FA field did not appear: {exc}")
```

The point of my bot was that if I restarted the machine or the bot itself, it would log in again (without cookie) and generate its own 2FA code so that I didn't have to go into the console.

EastArctica commented 1 month ago

Hi @rdavydov,

It seems like there's a general misunderstanding of how TOTP codes work. I understand this issue is almost 2 years old, but I figure you might at least find it interesting or helpful at some point! I'd like to preface this by saying I am not anybody special with TOTP; I simply understand how it generally works, so I could be entirely wrong about all of this.

There are multiple different primary ways that you can do OTP code generation. The most popular solution is TOTP, which is a "Time-based one-time password". This is primarily seen in verification or 2FA codes. When the server (Twitch, for example) initially has a user set up, they generate a TOTP secret; as far as I know this secret can be any string. This secret is then run through a SHA-1 hash[1] to generate a unique but consistent hash. With this hash, a simplification of how it works is `hash + floor(epoch() / 30_000)` to get a hash plus the current epoch rounded down to 30 seconds[2][3]. This hash is then used with some algorithm that I don't know to generate a usually 6-digit code.[4] When Twitch generates this secret, they generate a string like this: `otpauth://totp/Label%20Here?secret=random-secret-value&issuer=Issuer%20Here&algorithm=SHA256&digits=6&period=10`. This string is then simply put into a QR code and scanned by clients. When those clients get that string, they save it and run the algorithm described before on it. Both the client and the server can then generate that code, and that's how verification is done.

So, now that you might've understood some of that, I'll try to explain how we use this. On some authenticator apps, you can see more information about your 2FA codes, such as the secret itself, while other apps such as Google Authenticator only let you rename the issuer or label. To get the secret on these other apps we have to take another approach. If we go on the website and go to reset our 2FA (usually just by removing it and adding it back), it should show us that QR code again. You might remember that when you scan the QR code, the website usually then makes you hit a button and enter the current code to confirm you have it. So, all we have to do is add that code to our app and then also make sure to store a copy of that QR code so we can extract the original string, and therefore our secret, from it! We can then throw that secret into something like the Twitch Channel Points Miner, and it can generate those codes for us!

Anyways, I'm really high and it's 12:30 AM so I'm going to sleep now.

Let me know if you have any questions, East_Arctica

[1] Usually SHA-1, but SHA-256 and SHA-512 are both supported in some apps and are seen very rarely in the wild. I am unsure whether this is actually within the spec or not.
[2] The period of time can also be any period of time but is 30 seconds by default.
[3] What epoch to start the codes based off, e.g. the first code ends at 00:00:30 January 1 1970 (UTC).
[4] The length, which can be 6 to 10 digits (default 6; I think 6-8 are recommended? idk why).