For users not wishing to use a smartphone or to provide a backup device to enable login with TOTP the oathtool command line tool can be used on Linux or MacOS systems to provide a one-time password as an alternative to using an authenticator client on a smartphone [Read more ...]

oathtool -b --digits=6 --totp=sha1 "ABCDEFGHIJKLMNOPQRSTUVWXYZ012345"

As with using a smartphone as the TOTP client, husers should ensure access to the oathtool command line is protected.   If a shell script is used to provide the command line then this should be readable only by the user (mode 700 or u+rx).

It is also strongly recommended that a screenlock is used to prevent access to the display and tool when away from the monitor.   Users may also want to consider protecting the key with, for example, PGP 2 or GnuPG.