rob
August 15, 2024, 8:44am
1
Hello,
I want to use a Nitrokey 3 with privacyIDEA. I created a TOTP with nitropy by Nitrokey:
nitropy nk3 secrets add-otp --kind TOTP mfa 23456723456723456723456723456723
Nitrokey needs a base32 secret. However, if I have enrolled the TOTP token with privacyIDEA, the TOTP token verification failed (ERR905: Verification of the new token failed.)
What am I doing wrong?
rob
August 16, 2024, 11:37am
2
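import base64
import secrets
# one random 20-byte secret, encoded once for each side
secret: bytes = secrets.token_bytes(20)
# privacyIDEA takes the secret as a hex string
privacyidea_secret: str = secret.hex()
# the Nitrokey takes the same bytes as unpadded base32
nitrokey_secret: str = base64.b32encode(secret).rstrip(b"=").decode()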
You already saw it.
privacyIDEA expects a hexlified OTP secret.
I would recommend writing a small script that
creates the secret key (either using nitropy or privacyIDEA or a third way)
calls nitropy to initialize the Nitrokey
uses the privacyIDEA API to create the token within privacyIDEA. (see 15.1.1.10. Token endpoints — privacyIDEA 3.10dev1 documentation)
I created such a script using nitrocli once; I have not used nitropy yet.
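Added example, not part of the original posts and not code from privacyIDEA or Nitrokey: a sketch of the script recommended above that derives both encodings from one secret and checks them with an RFC 6238 TOTP. The base32 string from the first post consists only of the characters 2-7, which are also hex digits, so it parses as hex too but yields a different 16-byte key; `b32_to_hex` produces the hex form of the actual 20-byte key. The form fields for `POST /token/init` and the user name `alice` are assumptions, and nothing is executed or sent.

```python
import base64
import hashlib
import hmac
import secrets
import struct


def b32_to_hex(secret_b32: str) -> str:
    """Convert the base32 secret given to nitropy into the hex form privacyIDEA expects."""
    s = secret_b32.strip().replace(" ", "").upper()
    s += "=" * (-len(s) % 8)  # restore the padding stripped for the Nitrokey
    return base64.b32decode(s).hex()


def totp(key: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP with HMAC-SHA1, used to confirm both sides hold the same key."""
    mac = hmac.new(key, struct.pack(">Q", now // step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def enrollment_plan(name: str, user: str, secret: bytes) -> dict:
    """Build both enrollment inputs from one secret; nothing is run or sent here."""
    b32 = base64.b32encode(secret).rstrip(b"=").decode()
    return {
        # same command shape as in the first post
        "nitropy_argv": ["nitropy", "nk3", "secrets", "add-otp",
                         "--kind", "TOTP", name, b32],
        # assumed form fields for POST /token/init
        "privacyidea_form": {"type": "totp", "otpkey": secret.hex(), "user": user},
    }


if __name__ == "__main__":
    page_secret = "23456723456723456723456723456723"  # base32 string from the first post
    print("hex for privacyIDEA:", b32_to_hex(page_secret))
    plan = enrollment_plan("mfa", "alice", secrets.token_bytes(20))  # constructed sample
    print(" ".join(plan["nitropy_argv"][:-1]), "<base32 secret>")
```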