Small Python script to simulate YubiKey hardware tokens (only the Yubico OTP standard) for security-theater websites that require two-factor authentication but do not support standard TOTP/HOTP methods.
Loosely based on the YubiOTP Python library but intended mostly for generating passcodes.
The script requires Python 3 and any of the following cryptographic libraries:
- PyCryptodome
- cryptography
- pyaes (small pure-Python AES implementation)
At least one of the first two may already be installed on your system, since many other Python programs use them. If not, installing the third (pyaes) is the easiest option.
To run the script simply by name, place it somewhere in PATH and set executable permissions; otherwise use python yksim ... (adding the path(s) if needed).
Run yksim --help to see the general command-line format, then yksim init --help to see how to create a new key and yksim gen --help about generating an OTP using a key.
Keys are stored in plain-text files with extension .yk added to the key name. The file name is relative to the CWD, so the key name some/thing means the key file thing.yk in the subdirectory some. When executing the script from arbitrary directories, use absolute paths or shell expansions.
This script prints the generated OTP to stdout. The simplest scenario is to copy the result from the terminal and paste it wherever needed. Copying to clipboard can be automated using xclip:
yksim [name] gen | xclip -selection clipboard

If the security-theater website does not allow pasting and requires "typing" the OTP (as the hardware YubiKey does), this can be done using xdotool:
yksim [name] gen | xdotool type --clearmodifiers --file -

(You will need to add some extra xdotool options to select the window into which to type, and maybe adjust --delay.) For convenience, these commands can also be bound to a keyboard shortcut in your desktop environment / window manager.
MS Windows users can achieve similar functionality using python yksim [name] gen | clip and/or something like AutoHotkey.
Since the main purpose is to circumvent security-theater measures, the key files are not protected beyond having read/write permissions for the owning user only. If more security is needed, store the files in some encrypted storage. Keep in mind that they must remain user-writable so that the usage counter can be updated after each OTP.
Be careful with backups: if a key was used after making a backup, restoring it from the backup will result in a key with an outdated usage counter, so using an OTP generated by it might (actually, must) be detected as a replay attack. To avoid this, generate and discard at least as many OTPs as were used since the backup (or manually increase usage_counter in the key file by the necessary amount) before using it for authentication.
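The following is an added illustration of why the usage counter matters; it is not code from yksim and it does not read yksim's .yk key files. It builds the 16-byte Yubico OTP plaintext token (private uid, usage counter, timestamp, session counter, random, inverted CRC-16), checks the CRC residue, modhex-encodes the result, and applies the validator-side rule that the (usage counter, session counter) pair must strictly increase, which is exactly what makes an OTP from a restored backup look like a replay. The AES-128-ECB step is delegated to PyCryptodome or cryptography if one is installed; the demo values (public id, uid, key) are constructed for this example and are not a real key.

```python
"""Yubico OTP token layout, CRC check, modhex and the validator replay rule.
Added example for this README; not part of the yksim script."""
import os
import struct
from typing import Optional, Tuple

# Modhex maps each hex nibble to a letter at the same position on every
# keyboard layout, since a hardware YubiKey "types" its OTP as keystrokes.
MODHEX = "cbdefghijklnrtuv"
# CRC-16 over a correctly protected 16-byte token always yields this residue.
CRC_RESIDUE = 0xF0B8


def modhex_encode(data: bytes) -> str:
    return "".join(MODHEX[b >> 4] + MODHEX[b & 0x0F] for b in data)


def modhex_decode(text: str) -> bytes:
    if len(text) % 2:
        raise ValueError("modhex string must have even length")
    vals = [MODHEX.index(ch) for ch in text]  # raises ValueError on bad chars
    return bytes((hi << 4) | lo for hi, lo in zip(vals[0::2], vals[1::2]))


def crc16(data: bytes) -> int:
    """CRC-16 as used by Yubico: reflected poly 0x1021 (0x8408), init 0xFFFF."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            lsb = crc & 1
            crc >>= 1
            if lsb:
                crc ^= 0x8408
    return crc


def build_token(uid: bytes, usage_counter: int, timestamp: int,
                session_counter: int, rnd: Optional[int] = None) -> bytes:
    """Assemble the 16-byte plaintext that the key AES-encrypts.

    Little-endian layout: uid[6] | usage ctr u16 | timestamp lo u16 |
    timestamp hi u8 | session ctr u8 | random u16 | ~crc16 u16
    """
    if len(uid) != 6:
        raise ValueError("private uid must be 6 bytes")
    if rnd is None:
        rnd = int.from_bytes(os.urandom(2), "little")
    body = struct.pack("<6sHHBBH", uid, usage_counter & 0xFFFF,
                       timestamp & 0xFFFF, (timestamp >> 16) & 0xFF,
                       session_counter & 0xFF, rnd & 0xFFFF)
    return body + struct.pack("<H", ~crc16(body) & 0xFFFF)


def parse_token(token: bytes) -> dict:
    """Validator side: reject anything whose CRC residue is wrong."""
    if len(token) != 16 or crc16(token) != CRC_RESIDUE:
        raise ValueError("bad token: wrong length or CRC")
    uid, ctr, ts_lo, ts_hi, use, rnd, _ = struct.unpack("<6sHHBBHH", token)
    return {"uid": uid, "usage_counter": ctr, "session_counter": use,
            "timestamp": ts_lo | (ts_hi << 16), "random": rnd}


def is_replay(last_seen: Tuple[int, int], seen: Tuple[int, int]) -> bool:
    """Validator rule: (usage_counter, session_counter) must strictly increase.
    A key restored from an old backup re-issues pairs <= last_seen."""
    return seen <= last_seen


def encrypt_token(key: bytes, token: bytes) -> bytes:
    """AES-128-ECB of the single 16-byte block. Imports are kept local so the
    rest of this file runs even with no crypto library installed."""
    try:
        from Crypto.Cipher import AES  # PyCryptodome
        return AES.new(key, AES.MODE_ECB).encrypt(token)
    except ImportError:
        from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
        enc = Cipher(algorithms.AES(key), modes.ECB()).encryptor()
        return enc.update(token) + enc.finalize()


def make_otp(public_id: bytes, key: bytes, token: bytes) -> str:
    """44 modhex chars: 12 for the public id, 32 for the encrypted token."""
    return modhex_encode(public_id) + modhex_encode(encrypt_token(key, token))


if __name__ == "__main__":
    # Constructed demo values, not a real key.
    public_id = bytes.fromhex("000000000001")
    uid = bytes.fromhex("010203040506")
    key = bytes(range(16))
    token = build_token(uid, usage_counter=7, timestamp=0x123456, session_counter=0)
    try:
        print("otp:", make_otp(public_id, key, token))
    except ImportError:
        print("no AES library installed; plaintext token:", token.hex())
    # Backup scenario from the README: validator last saw counter 7, a key
    # restored from a backup taken at counter 5 re-issues 5 and 6 first.
    for ctr in (5, 6, 7, 8):
        print("counter", ctr, "->", "REPLAY" if is_replay((7, 0), (ctr, 0)) else "ok")
```

The validator's comparison is the whole story: every OTP carries the counter pair in the encrypted block, and the server only accepts pairs above the highest one it has already seen. Generating and discarding OTPs after restoring a backup simply moves the simulator's counter past the server's stored value again.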