Send only the secret (seed) of HOTP, TOTP via sms

Hi there,

we want to use the SMS gateway to send the secret of TOTP and HOTP tokens to the owner. At the moment I have configured it as follows:

This is the event handler:

event “token_init”
handlermodule “UserNotification”
position “post”
condition “tokentype totp,hotp”
action “sendsms”
to “tokenowner”
body “Hello, here is your secret: {googleurl_value} Best Regards…”
smsconfig “SMS-Gateway”

that works quite well so far, there are only two problems:

  • iOS has a kind of bug since version 15, which is why the iphone always opens apple’s password manager instead of the authenticator, which of course cannot do anything with the link. (it worked before)
  • on android i can’t open the link at all

so you would have to cut out the secret from the url manually and copy it into the authenticator app.

Now I wanted to ask: is there a way to only send the secret instead of the KEY URI? I didn’t find anything in the documentation…
And if there is no possibility, would it be possible to include an additional variable with which you can only output the secret? so instead of {googleurl_value} for example {secret} or {seed}

Thank you in advance for your answers!

With best regards
Colin

You are right, currently we can send these tags: 8.6.1. User Notification Handler Module — privacyIDEA 3.6.2 documentation

I am not sure if this could be achieved by further mangling of the googleurl. However, you could use a script handler currently and write your complete own script.

You are welcome to open a new feature request at github for further tags in the notification. It would be great, if you can reference this post.

1 Like

Hello cornelinux,

I looked at the Script Handler, but unfortunately I’m not familiar with Python.
I read that the script can also be written in other languages.
Unfortunately, I still don’t fully understand how the whole thing works if it’s written in some other language.
I will look into this again.
When I have time I will make a feature request on Github.

With best regards
Colin

Simple script to call via the script handler:

#!/bin/bash
touch /tmp/sth.
1 Like

Thanks, that makes things a lot clearer.
Can you tell me how I can pass values ​​from PrivacyIdea to the script and back again?
For example, my idea would be to write a small node app, which I address via an http request.
So I could provide the QR code in another way.
However, I would have to pass {googleurl_value} and {username} to the script for this.
(For security reasons, we do not want to send the QR code by email and sending the secret by SMS is not ideal either)

I really appreciate the help, thank you very much!

With best regards
Colin