As with using a smartphone as the TOTP client, users should ensure access to the oathtool command line and, in particular, the 32-digit key, is protected. If a shell script is used to provide the command line then this should be readable only by the user (mode 700 or u+rx). It is also strongly recommended that a screenlock is used to prevent access to the display and tool when away from the monitor. Users should also consider password protecting the 32-digit key with, for example, PGP 2 or GnuPG . blah blah blah |