Skip to content

Otp Challenger

Verified

Enable agents and skills to challenge users for fresh two-factor authentication proof (TOTP or YubiKey) before executing sensitive actions. Use this for identity verification in approval workflows - deploy commands, financial operations, data access, admin operations, and change control.

1,182

Install

Claude Code

Add to .claude/skills/

About This Skill

# OTP Identity Challenge Skill

Challenge users for fresh two-factor authentication before sensitive actions.

When to Use

  • Require OTP verification before:
  • Deploy commands (`kubectl apply`, `terraform apply`)
  • Financial operations (transfers, payment approvals)
  • Data access (PII exports, customer data)
  • Admin operations (user modifications, permission changes)

Scripts

verify.sh

Verify a user's OTP code and record verification state.

```bash ./verify.sh <user_id> <code> ```

  • Parameters:
  • `user_id` - Identifier for the user (e.g., email, username)
  • `code` - Either 6-digit TOTP or 44-character YubiKey OTP
  • Exit codes:
  • `0` - Verification successful
  • `1` - Invalid code or rate limited
  • `2` - Configuration error (missing secret, invalid format)

Output on success: ``` ✅ OTP verified for <user_id> (valid for 24 hours) ✅ YubiKey verified for <user_id> (valid for 24 hours) ```

Output on failure: ``` ❌ Invalid OTP code ❌ Too many attempts. Try again in X minutes. ❌ Invalid code format. Expected 6-digit TOTP or 44-character YubiKey OTP. ```

check-status.sh

Check if a user's verification is still valid.

```bash ./check-status.sh <user_id> ```

  • Exit codes:
  • `0` - User has valid (non-expired) verification
  • `1` - User not verified or verification expired

Output: ``` ✅ Valid for 23 more hours ⚠️ Expired 2 hours ago ❌ Never verified ```

generate-secret.sh

Generate a new TOTP secret with QR code (requires `qrencode` to be installed).

```bash ./generate-secret.sh <account_name> ```

Usage Pattern

```bash #!/bin/bash source ../otp/verify.sh

if ! verify_otp "$USER_ID" "$OTP_CODE"; then echo "🔒 This action requires OTP verification" exit 1 fi

# Proceed with sensitive action ```

Configuration

  • Required for TOTP:
  • `OTP_SECRET` - Base32 TOTP secret
  • Required for YubiKey:
  • `YUBIKEY_CLIENT_ID` - Yubico API client ID
  • `YUBIKEY_SECRET_KEY` - Yubico API secret key (base64)
  • Optional:
  • `OTP_INTERVAL_HOURS` - Verification expiry (default: 24)
  • `OTP_MAX_FAILURES` - Failed attempts before rate limiting (default: 3)
  • `OTP_STATE_FILE` - State file path (default: `memory/otp-state.json`)

Configuration can be set via environment variables or in `~/.openclaw/config.yaml`:

```yaml security: otp: secret: "BASE32_SECRET" yubikey: clientId: "12345" secretKey: "base64secret" ```

Code Format Detection

  • The script auto-detects code type:
  • 6 digits (`123456`) → TOTP validation
  • 44 ModHex characters (`cccccc...`) → YubiKey validation

ModHex alphabet: `cbdefghijklnrtuv`

State File

Verification state stored in `memory/otp-state.json`. Contains only timestamps, no secrets.

Human Documentation

  • See README.md for:
  • Installation instructions
  • Setup guides (TOTP and YubiKey)
  • Security considerations
  • Troubleshooting
  • Examples

Use Cases

  • Require OTP verification before executing sensitive operations like deployments or financial transfers
  • Verify user identity with TOTP (6-digit codes) or YubiKey (44-character OTP) before admin actions
  • Check if a user's OTP verification is still valid within the configurable expiry window
  • Generate new TOTP secrets with QR codes for onboarding users into two-factor authentication
  • Implement rate limiting on failed OTP attempts to prevent brute-force attacks

Pros & Cons

Pros

  • + Supports both TOTP and YubiKey with automatic code format detection
  • + State file stores only timestamps — no secrets are persisted, minimizing exposure risk
  • + High adoption with 2,300+ downloads indicating strong trust in the security model
  • + Configurable expiry window and failure limits adapt to different security requirements

Cons

  • - Bash-based verification scripts may not integrate cleanly into non-Unix environments
  • - YubiKey validation requires Yubico API credentials and network connectivity

Frequently Asked Questions

What does Otp Challenger do?

Enable agents and skills to challenge users for fresh two-factor authentication proof (TOTP or YubiKey) before executing sensitive actions. Use this for identity verification in approval workflows - deploy commands, financial operations, data access, admin operations, and change control.

What platforms support Otp Challenger?

Otp Challenger is available on Claude Code, OpenClaw.

What are the use cases for Otp Challenger?

Require OTP verification before executing sensitive operations like deployments or financial transfers. Verify user identity with TOTP (6-digit codes) or YubiKey (44-character OTP) before admin actions. Check if a user's OTP verification is still valid within the configurable expiry window.

Stay Updated on Agent Skills

Get weekly curated skills + safety alerts