For users not wishing to use a smartphone or to provide a backup device to enable login with TOTP the oathtool command line tool can be used on Linux or MacOS systems to provide a one-time password as an alternative to using an authenticator client on a smartphone.


  • If you cannot scan the QR code then click on the "Unable to scan" link

This is also how you can set up  TOTP to work with the  oathtool command line application on Linux

  • A 32-digit code is displayed
    • Enter this code into your device
    • Your device will display a 6-digit code
    • Enter the 6-digit code displayed on your device into the One-time code box
    • Enter a Device name so you can remember which device this belongs to.
      • In the example, the user has used "MyLaptop"
    • Click on Submit
    • The Device is now set up and ready to use for accessing the relevant ECMWF services and applications. No further testing is needed.

  • Your configured TOTP devices now shown
    • In this example, the user now has two devices configured
  • You can add additional devices at any time
  • You can remove a device by clicking on the Remove button

Use as:

oathtool -b --digits=6 --totp=sha1 "ABCDEFGHIJKLMNOPQRSTUVWXYZ012345"

A note on security

As with using a smartphone as the TOTP client, users should ensure access to the oathtool command line and, in particular, the 32-digit key, is protected.   If a shell script is used to provide the command line then this should be readable only by the user (mode 700 or u+rx).

It is also strongly recommended that a screenlock is used to prevent access to the display and tool when away from the monitor.   Users should also consider password protecting the 32-digit key with, for example, PGP 2 or GnuPG.