Quick TOTP is a lightweight GNOME Shell 2FA extension that generates Time-based (TOTP) and counter-based (HOTP) one-time passwords for the Two-Factor Authentication (2FA) used by services such as Google, GitHub, Facebook, Discord, Amazon, and Steam. Codes are available directly from the top panel: open the menu, find the account, and click it to copy the current code to the clipboard. Secrets are stored locally in the GNOME Keyring (via libsecret) and are never transmitted to any external server. Quick TOTP is an independently maintained fork of the original TOTP extension by Daniel Kosmari, continued with additional features, a redesigned menu, and broad import/export support. Note: this extension uses the clipboard. Clicking an entry copies the generated code; when exporting, sensitive data (otpauth:// URIs) is automatically cleared from the clipboard after a configurable amount of time (30 seconds by default). Authentication codes themselves are not cleared. --- Features --- Panel menu - Scrollable list of all OTP entries that stays within the screen height. - Instant search and filtering by issuer, account, or other non-secret attributes. - Live countdown on each TOTP entry, with a subtle progress ring. - Show/hide toggle to mask all codes until you need them. - One-click copy of a code to the clipboard. - Full keyboard navigation: the search field is focused automatically, and Arrow keys, Tab, Enter, and Escape all work as expected. - Lock and unlock the OTP keyring collection from the menu. OTP support - TOTP (time-based) and HOTP (counter-based) codes. - Configurable digits, period, and algorithm (SHA-1, SHA-256, SHA-384, SHA-512). - Steam Guard code generation. Managing secrets (preferences window) - Add, edit, remove, and reorder secrets. - Remove all secrets at once, with a confirmation dialog. Import - otpauth:// URIs: single or multiple, pasted as text. - QR codes: from an image on the clipboard, or scanned from a webcam (requires ZBar). - Google Authenticator export QR codes (otpauth-migration://). - Files: Aegis, andOTP, GNOME Authenticator (current and legacy), FreeOTP+, Bitwarden, Raivo OTP, Quick TOTP JSON, and plain URI lists. - Automatic format detection, validation of every entry, duplicate skipping, and a confirmation summary before anything is stored. Export - Files: Quick TOTP JSON, otpauth:// URI list, GNOME Authenticator / andOTP, Aegis, and FreeOTP+. - Export a single secret as a QR code (requires qrencode). - A clear warning before writing an unencrypted backup file. Security - Secrets are stored locally in the GNOME Keyring and wiped from memory immediately after each use. - Nothing is transmitted to external servers; all code generation happens on your machine. - The dedicated "OTP" keyring collection can be locked with its own password. - Imported files are validated as untrusted input; malformed entries are reported, not silently accepted. - Encrypted backup formats are intentionally not supported (the shell runtime has no suitable crypto); export an unencrypted variant to import it. Other - Localized in German, Spanish, French, Hungarian, Italian, Dutch, Brazilian Portuguese, and Russian. - Supports GNOME Shell 45, 46, 47, 48, 49, and 50. - Free software, GPL-3.0-or-later. --- Optional integrations (external tools) --- - ZBar (zbar-tools): scan QR codes from an image or webcam. - qrencode: export a secret as a QR code.
Note: Binary files aren't shown on the web site. To see all files, please download the extension zipfile.
EGO-A-005 manual_review
extensions should not access the clipboard directly
Direct clipboard access via `St.Clipboard.get_default()` requires reviewer scrutiny.
src/ui/indicator.js:30
St.Clipboard.get_default()
| Version | Status |
|---|---|
| 1.0.0 (1) | Unreviewed |
The usage of `St.Clipboard.get_default()` at src/ui/indicator.js:30 is noted to the users in the extension description.