A secure, cross-platform command-line application for generating TOTP (Time-based One-Time Password) tokens for multi-factor authentication.

• 🔐 Secure Storage: Uses system keychain when available, with encrypted fallback
• 🚀 Cross-platform: Works on Linux, macOS, and Windows
• 🔄 Script-friendly: Perfect for automation and scripts (no password prompts)
• 📱 TOTP Compatible: Works with any service that uses TOTP (Google, AWS, GitHub, etc.)
• 🛡️ AES-256 Encryption: Local data is encrypted using AES-256-GCM
• 🔄 Auto-migration: Automatically upgrades from plain text storage to encrypted

Download the latest release from the releases page for your platform:

• Linux (64-bit): mf-linux-amd64
• Windows (64-bit): mf-windows-amd64.exe
• macOS Intel: mf-macos-amd64
• macOS Apple Silicon: mf-macos-arm64

# Download and install latest version
curl -L https://github.com/marcelocg/mf/releases/latest/download/mf-linux-amd64 -o mf
chmod +x mf
sudo mv mf /usr/local/bin/

# Verify installation
mf --version

All releases include SHA256 checksums in checksums.txt:

# Linux/macOS
sha256sum -c checksums.txt

# Windows (PowerShell)
Get-FileHash -Algorithm SHA256 mf-windows-amd64.exe

git clone <repository-url>
cd mf
make build

# Build for current platform
make build

# Build for all platforms
make build-all

# Build for specific platforms
make build-linux     # Linux 64-bit
make build-windows   # Windows 64-bit  
make build-macos     # macOS (Intel + Apple Silicon)

# Development workflow (format, lint, test, build)
make dev

# Run tests
make test

# Clean build artifacts
make clean

mf add ACCOUNT_NAME SECRET_KEY

Example:

mf add AWS-DEV 7C2FFYEHYDUKFDYYNMALARRODZ5CXTD2LWOAID2F4KZD63MMH3XWVWNTZLTR7T3X

mf get ACCOUNT_NAME

Example:

mf get AWS-DEV
# Output: 756815

mf list

mf --help
mf [command] --help

• Linux: ~/.config/mf/
• Windows: %USERPROFILE%\.config\mf\
• macOS: ~/.config/mf/

1. System Keychain Integration:

   • Linux: Secret Service API (gnome-keyring, KWallet)
   • Windows: Windows Credential Manager
   • macOS: Keychain Services

2. Encrypted Fallback:

   • AES-256-GCM encryption
   • Machine-specific key derivation
   • PBKDF2 key stretching

3. File Permissions:

   • Configuration directory: 0700 (owner only)
   • Account files: 0600 (owner read/write only)

MF is designed to work seamlessly in scripts without user interaction:

#!/bin/bash
TOKEN=$(mf get AWS-DEV)
aws sts get-caller-identity --token-code $TOKEN

# PowerShell
$token = mf get AWS-DEV
aws sts get-caller-identity --token-code $token

# Add your AWS MFA device
mf add AWS-MFA JBSWY3DPEHPK3PXP...

# Use in AWS CLI
aws sts assume-role \
  --role-arn arn:aws:iam::123456789012:role/MyRole \
  --role-session-name MySession \
  --serial-number arn:aws:iam::123456789012:mfa/user \
  --token-code $(mf get AWS-MFA)

# Add GitHub TOTP
mf add GITHUB-MFA ABCDEFGH...

# Get token for GitHub
mf get GITHUB-MFA

No configuration files are needed. The application works out of the box with secure defaults.

• Go 1.19 or later
• Make (optional, but recommended)

# Development workflow
make dev             # Format, lint, test, and build

# Production builds
make build-all       # Build for all platforms
make build-linux     # Linux only
make build-windows   # Windows only
make build-macos     # macOS only

# Testing and maintenance
make test           # Run tests
make test-coverage  # Run tests with coverage report
make clean          # Clean build artifacts

# Local build
go build -o mf

# Cross-compilation examples
GOOS=windows GOARCH=amd64 go build -o mf.exe
GOOS=darwin GOARCH=amd64 go build -o mf-macos
GOOS=darwin GOARCH=arm64 go build -o mf-macos-arm64

# Testing
go test ./...

• Cobra - CLI framework
• go-keyring - Cross-platform keychain access
• otp - TOTP generation
• crypto - Encryption utilities

1. Fork the repository
2. Create a feature branch
3. Make your changes
4. Add tests if applicable
5. Run make dev to format, lint, test, and build
6. Submit a pull request

See CONTRIBUTING.md for detailed contribution guidelines.

This project is licensed under the MIT License - see the LICENSE file for details.

• Secret Keys: Never share your secret keys or commit them to version control
• Backups: Consider backing up your ~/.config/mf/ directory securely
• Machine Access: Anyone with access to your user account can potentially access stored secrets
• Network: This application works offline and never transmits your secrets over the network

1. "Account not found": Make sure you've added the account using mf add
2. Permission errors: Ensure you have write access to ~/.config/mf/
3. Invalid secret: Verify the secret key is a valid base32-encoded string

• Check the help: mf --help
• Enable verbose output (if implemented): mf --verbose get ACCOUNT
• Check file permissions: ls -la ~/.config/mf/

See CHANGELOG.md for version history and changes.