Are you sick of having to take your phone whenever you need to input the 2fa code? You want a tool that automatically generates the code within your minecraft client and automatically calls the /2fa command whenever the server requires it without need of any intervention from you?

You are in the right place!
Unfortunately, such a tool does not exist (yet).
​

Well, I'm sick of this: if it doesn't exist, I'm gonna make one myself, by Jove! I know it can be done, but I also know it's going to take a huge amount of time to 1) study the algorithm behind the OTP generator and 2) implement the code on minecraft starting from scratch. So here's a couple questions I'm gonna ask you before starting:

1. Do you know whether such a tool actually exists already? (if it does, there's no point making one myself)
2. Would you be interested in collaborating to develop it?

Here's 2 possible ways I have in mind, with pros and cons.

1. Make a new mod
   • pros:
     1. I would be able to write in a powerful programming language (Java), which is essential if you want to implement in a humanly readable way a hash algorithm (macromod is terrible);
   • cons:
     1. I would have to study Forge/LiteLoader/SomethingElse's API;
     2. other people who would like to use this tool would have to install another mod.
2. Make a macromod script
   • pros:
     1. no need to study new APIs;
     2. people who already have macromod would be able to just copy-paste the code;
   • cons:
     1. implementing a hash algorithm on macromod would be a programming nightmare (partly because of terrible math, but mostly -unless I'm wrong- because you can't define functions).

In both cases, I would have to throughly study the OTP algorithm in order to be able to implement it sensibly, one way or another.
I'm leaning towards the second option, however I would greatly appreciate suggestions and remarks before starting. And of course I would appreciate even more so if you offered to help :)

People who might be interested and/or who I know have some know-how:
@314 @ScarabCoder @CrazySwagMaster1 @kukelekuuk00 and please tag anyone you think might be interested and/or whose opinion might be relevant.

Thanks in advance!

F.A.Q.​

• Wouldn't such a tool completely defeat the purpose of 2fa authentication?
  • Not completely:
    • if your concern is that the computer where you play might be compromised or accessed from malicious users, then you should definitely not use such a tool;
    • if your sole concern is that your password might be stolen or guessed, but you're reasonably confident that your computer is safe (as much as you are for your smartphone), then such a tool won't defeat the purpose of 2fa authentication.
  • For more information, see the discussion below.

• Can't you just move you ass and get your phone?
  • I guess I could, as I've been doing until now, however:
    • I'm too lazy, so ridiculously lazy that I'm willing to spend days making such a tool (after all, "laziness is the engine of progress");
    • I have a script that does stuff whenever I login, however its commands won't be accepted before 2fa authentication, therefore I have to manually launch it after I manually insert the 2fa code, and this bothers me a lot.
  • For more information, see the discussion below.

• Can't you just relinquish 2fa?
  • I guess I could, but:
    • I don't trust my minecraft password enough and I plan to slowly but steadily increase my wealth on ECC, so I'm not at ease thinking someone could guess my password and drain my bal;
    • even if I periodically changed my password and always used very good passwords (which I'm too lazy to do for every password protected service I use), 2fa would still be much safer than that.

 

For reference:

• https://en.wikipedia.org/wiki/Time-based_One-time_Password_Algorithm
  • https://tools.ietf.org/html/rfc6238
• https://en.wikipedia.org/wiki/Base32
  • https://tools.ietf.org/html/rfc4648
• https://en.wikipedia.org/wiki/HMAC-based_One-time_Password_Algorithm
  • https://tools.ietf.org/html/rfc4226
• https://en.wikipedia.org/wiki/Hash-based_message_authentication_code
  • https://tools.ietf.org/html/rfc2104
• https://en.wikipedia.org/wiki/SHA-1
  • https://tools.ietf.org/html/rfc3174

 

That was one of the most outrageously dumb name choices of the last century, there's people still confused nowadays

 

IK, but still a terrible and extremely short-sighted idea IMHO

 

Good questions, here's my answer to both.

The purpose of 2fa is to avoid someone else logging with my account because they guessed my password: 2fa authentication with smartphone-generated codes is safe insofar I, and only I, have access to my smartphone. That's the critical point.
If I, and only I, have access to my computer, then the same could be said for a computer-generated code. Actually I already have an app on the laptop where I play that generates the same codes as my smartphone: so it's already possible. It's just that

1. I'm too lazy to manually open the app and manually type the code: so lazy that I'm willing to spend days on this project (LOL);
2. before starting to use 2fa I had a macro that automatically activated fly, disabled lot messages, etc upon login; with 2fa I have to manually start that macro after I enter the 2fa code, because all the commands that macro sends would not be accepted: this bothers me unbelievably and I'd love to go back to that script going automatically, while at the same time keeping 2fa security.

You might object that computers are shared more often than smartphones: but on the other end smartphones, being mobile, are accessed more easily. And, unless you have reasons not to trust your brother who happens to play on the same server, you can be reasonably safe if the code is generated within your personal computer.

I'll answer your second question starting with another question: why would you switch computer in the first place and who owns them?
This might be limited to personal experience, but I play minecraft only on my computer: because here I have my configuration, my mods, my macros, my todo list, my spreadsheet with information about members of my town and users whom I dealt with, just.. everything. Why on Earth would I play on another computer? The only reasonable scenario would be to just login after almost a week in order to avoid my bal get wiped, because for some reason I don't have access to my computer for more than a week. But I'll try to conceive different scenarios with multiple computers:

1. I own them all and only trusted people have access to them: then it would be ok to install the key on both;
2. I own only one, and only trusted people have access to them, but I occasionally login from another (unsafe) computer: then I'll obviously install the key only on the first one;
3. none of those computers are safe: then I have absolutely no reason to install the key on any of those computers, ever.

I general: if you trust that computer, then it's okay. If you don't, then don't.

 

I see your point: 2fa codes generated on another device secure your account when your computer is compromised. However a second, broader point of 2fa is to secure your account when only your password is stolen or guessed, regardless of whether your computer is compromised or not. If my computer is compromised, then my password is compromised (or it can be bypassed) as well; however, if just my password is compromised, then my computer might still not be compromised: the first point is a particular case of the second.
My tool surely defeats the first point. However it does not defeat the rest of the second, and (at least, in my case) I'm much more concerned with the latter: if my computer is compromised, my first concern would surely not be my minecraft account (which is a small subset of my digital life) but my whole computer (which is most of my digital life)!

 

I partly answered your question in my last edit of the OP (see F.A.Q.). Shortly, my minecraft password is not idiotic, but it's not excellent either (I prefer to commit my limited bone-and-flesh memory for good passwords for more critical stuff than minecraft) but at the same time I'm not at ease knowing someone might brute-force guess it.
And: what if I chose to apply for staff? I'm not planning to do that at the moment, however you're never ready enough for circumstances.

 

This, I didn't know.
It starts to seem that my project is pointless... aww, I was already feeling eager-beaver