Microsoft Two-Factor Authentication on Linux & Unix
                            2020-09-19


1.  Introduction

The University of Western Australia has recently implemented strict
requirements  to  use  Two-Factor authentication when accessing any
Microsoft-authenticated services from off campus, such as  Webmail,
OneDrive  and  the  Learning Management System.  Unfortunately they
have also disabled the use of App Passwords, breaking compatibility
with older  email  clients,  and  have  also  disabled  alternative
authentication  methods,  such  as email. This is a problem if your
phone is flat, broken or otherwise unavailable.

There is an easy solution, though, if you're on Unix or  Linux:  it
comes in the form of Oathtool.

2.  Installing Oathtool

Oathtool  can  be installed via brew on Mac, or apt on Debian-based
systems.

    ___________________________________________________________

    brew install oath-toolkit
    apt-get install oathtool
    ___________________________________________________________



3.  Getting your 2FA Key

Go to https://aka.ms/mfasetup, and follow the  normal  process  for
adding  an  additional authentication method. If this is your first
time setting up 2FA, you will be forced to  add  an  authentication
method.   If  you  already  have  an  authenticator added, head  to
[Security Info] -> [Add method], and choose [Authenticator app].  When
prompted,  hit  "I want to use a different authenticator app", then
"Can't scan image?". This will generate a secret key and display it
on the screen:

    ___________________________________________________________

    Scan the QR code
    Use the authenticator app to scan the QR code. This will connect your authenticator app with your account.

    After you scan the QR code, choose "Next".

    Authenticator App Scan Icon
    Can't scan image?
    Enter the following into your app:

    Account name:  The University of Western Australia:12345678@student.uwa.edu.au
    Secret key:  zgcypvf4q5ghh3qf
    ___________________________________________________________


The secret key is the part that's required to generate  future  One
Time Passwords.  This can be done with the following command:

    ___________________________________________________________

    $ oathtool --totp -b zgcypvf4q5ghh3qf
    472894
    ___________________________________________________________


To make this easy, I've added it as an alias to my ~/.bashrc:

    ___________________________________________________________

    alias uwa="oathtool --totp -b zgcypvf4q5ghh3qf"
    ___________________________________________________________


Now,  when  you need to sign in to UWA services, just type "uwa" at
the command prompt - no phone necessary!
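
What "oathtool --totp -b" computes from the secret key, as an added example that is not part of the original page: RFC 6238 TOTP with HMAC-SHA1, 30-second steps and 6 digits. The load_secret helper and the ~/.uwa_totp path are assumptions introduced here; they keep the key in an owner-only file instead of a shell startup file.

```python
import base64
import hashlib
import hmac
import os
import stat
import struct
import time


def totp(secret_b32, at=None, step=30, digits=6):
    """RFC 6238 TOTP with HMAC-SHA1, 30 s steps, 6 digits (oathtool's defaults)."""
    # The setup page shows the base32 key lower-case and unpadded; normalise first.
    key_text = secret_b32.replace(" ", "").upper()
    key_text += "=" * (-len(key_text) % 8)
    key = base64.b32decode(key_text)
    # Moving factor: whole time steps since the Unix epoch, as 8 big-endian bytes.
    counter = int(time.time() if at is None else at) // step
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    # Dynamic truncation (RFC 4226): low nibble of the last byte selects 4 bytes.
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def load_secret(path):
    """Read the key from a file, refusing one that group or others can access."""
    mode = os.stat(path).st_mode
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise PermissionError(
            f"{path} must be mode 0600, found {stat.S_IMODE(mode):04o}")
    with open(path) as handle:
        return handle.read().strip()


if __name__ == "__main__":
    # Assumed key location (not from the page); create it with: chmod 600 ~/.uwa_totp
    print(totp(load_secret(os.path.expanduser("~/.uwa_totp"))))
```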