Company is switching from RSA SecurID tokens to Microsoft Multi-Factor Authentication. Microsoft provides many ways to do MFA: install the Microsoft Authenticator app on your phone, use the Outlook app, SMS messages … but the best option is still being able to do it from the CLI, which makes it possible to integrate with other shell scripts, with no need to pick up your phone.
Previous tools like stoken no longer work, so we need a new setup. Check the RSA implementation here.
Step 1: Install a TOTP tool
We need to register our terminal tool with Microsoft the same way as a phone application. Basically we just need a tool that supports TOTP (Time-based One-Time Password); here we choose oathtool.
For MacOS:
➜ brew install oath-toolkit
To generate a time-based OTP (most common for 2FA):
➜ oathtool --base32 --totp <YOUR_SECRET_KEY_IN_BASE32>
For example, if your Base32 secret key is GEZDGNBVGY3TQOJQ, running the following command will generate the token:
➜ oathtool --base32 --totp GEZDGNBVGY3TQOJQ
272419
Step 2: Register oathtool with Microsoft
- Go to: https://mysignins.microsoft.com/security-info
- Click “Add sign-in method”
- Click “Microsoft Authenticator”
- Click “I want to use a different authenticator app” -> “Next” -> “Can’t scan image?” -> the Account name and Secret key will be displayed (store the Secret key safely for later use)
- Click the “Next” button; a dialogue will appear waiting for “Enter the 6-digit code shown in the Authenticator app”
- Use oathtool to generate the 6-digit token as described in Step 1, then enter it and click Next
- You should now see “Authenticator app was successfully registered” and TOTP will be shown on the security-info page:
Step 3: Use Token
Now when logging in to MS MFA, choose “Use a verification code” and enter the token generated by oathtool as in Step 1.
Step 4: Alfred Integration
To make it easier to use, we can create an Alfred Workflow.
The Script Filter contains the following:
# Generate the current 6-digit code; tr strips the trailing newline so it pastes cleanly
ms_stoken=$(oathtool --base32 --totp GEZDGNBVGY3TQOJQ | tr -d '\n')
# Emit the XML item list Alfred expects from a Script Filter
cat <<EOB
<?xml version="1.0"?>
<items>
<item uid="mstoken" arg="$ms_stoken">
<title>MS Token: $ms_stoken</title>
<subtitle>Press Enter to paste, or Cmd+C to copy</subtitle>
<icon>icon.png</icon>
</item>
</items>
EOB
References
- Just One-click! Connect to Cisco VPN
- Command Line One Time Passwords for Microsoft Multi-Factor Authentication
- What authentication and verification methods are available in Microsoft Entra ID