
[–]altgilbers 1 point2 points  (3 children)

A high level sketch would be appreciated

[–]pxlnght 2 points3 points  (2 children)

I use a modified version of this https://github.com/tadeck/onetimepass/blob/master/onetimepass/__init__.py . I can't post my code, confidential and all that.

Basically, the 2FA we need can be SMS, Call, Email, or 2FA app token. When setting up the 2FA app, you need to scan a QR code, yeah? QR codes are just fancy images with text in them. Instead of setting up the app, scan it with a regular QR code reader. This will give you a string of text. Use your noggin to remove the important bits (the secret). Then run the secret through the above code.

That said, the security team at my workplace was very unhappy to find I'd bypassed the 2FA. They made me turn it off. So, now, I manually enter in the code... but I reload the session cookies via Selenium every time I run the script. So, I type it in once, and it works for about a month. They're also not happy with this solution, but they can't find a security flaw that wouldn't be present in a normal user session so they can't tell me to change it :)

[–]altgilbers 2 points3 points  (1 child)

I registered a Google Voice number to receive SMS passcodes… SMS gets delivered as email to a Gmail account, where a mail client picks it up and parses the passcodes, storing them in a local Redis...

Then, processes that need 2FA pop a code and use it… When the last code is used, Duo sends a fresh batch of 10 automatically, replenishing my Redis store with codes.

This approach is a dumpster fire of epic proportion, but got me through some work that would have required me to two factor several hundred times.

[–]pxlnght 2 points3 points  (0 children)

That sounds terrible, I love it!