DegiroAPI

allow log in with 2fa

Open pforero opened this issue 5 years ago • 5 comments

Issue: Currently degiroapi does not permit log in with accounts that use Two Factor Authentication (2FA).

Solution: If in the DeGiro.login method the user provides a TOTP code, the login is done through the TOTP Log in URL, and provides the oneTimePassword as part of the login_payload.

pforero avatar Jul 31 '20 15:07 pforero

Hello. Are you planning to merge this to the master? Will this resolve the 2FA login?

SonGokussj4 avatar Jan 09 '22 20:01 SonGokussj4

It would resolve it but the owner of this repo has been inactive for a few years now.

If you want you can install this package with this change like this:

pip install -U git+https://github.com/pforero/DegiroAPI.git@totp

Jakub-CZ avatar Jan 09 '22 20:01 Jakub-CZ

Oh wow, thanks. It worked. As a totp variable I entered the 6-digit code as a string from GoogleAuth.

res = degiro.login(
    os.environ.get("DEGIRO_USERNAME"), 
    os.environ.get("DEGIRO_PASSWORD"), 
    os.environ.get("DEGIRO_TOTP")  # '123456'
)

So am I correct, I have to always type the current code for this to work? Can't this be more automated so it can work in the background?

SonGokussj4 avatar Jan 09 '22 21:01 SonGokussj4

You can use a package that can generate the TOTP automatically, e.g. https://pypi.org/project/pyotp/

totp = pyotp.TOTP(DEGIRO_TOTP_SEED).now()

Getting your old DEGIRO_TOTP_SEED may be pretty hard; Degiro won't give it to you for obvious safety reasons. You may need to turn off 2FA, then enable it again so that Degiro generates a new seed for you. You'll import the seed into your GoogleAuth again, plus you'll save it securely in a way so that your script can use it.

If Degiro doesn't show the seed as a string (32 alphanumeric characters), you'll have to extract it from the QR code.

I hope I don't need to explain the security implication of doing all this.

EDIT: But I guess doing this is still better than not using 2FA at all...

Jakub-CZ avatar Jan 09 '22 21:01 Jakub-CZ

I just figured it out too. Yeah, security implications are... "Don't get hacked" :-) And use it only on a secured machine. Yeah, but better than without 2FA.

For future reference, these were my steps:

  1. Log in to Degiro and disable 2FA. Then enable 2FA (re-add to the Google auth app) and scan the QR code with Google Lens or another QR reader. This shows an address in the format:
otpauth://totp/DEGIRO:MYUSERNAME?algorithm=SHA1&issuer=DEGIRO&secret=MYSECRET&digits=6&period=30
  2. Add MYSECRET to my local .env file, then use the pyotp library to convert it to the 6-digit verification code.
# file: .env
DEGIRO_USERNAME="MYUSERNAME"
DEGIRO_PASSWORD="MYPASSWORD"
DEGIRO_TOTP="MYSECRET"

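# file: main.py
import os

import pyotp
import degiroapi
from dotenv import load_dotenv

def main():
    load_dotenv()  # read the DEGIRO_* values from the local .env file
    degiro = degiroapi.DeGiro()
    # DEGIRO_TOTP holds the base32 seed; pyotp derives the current 6-digit code from it
    totp = pyotp.TOTP(os.environ.get("DEGIRO_TOTP"), digits=6, interval=30)
    res = degiro.login(
        os.environ.get("DEGIRO_USERNAME"),
        os.environ.get("DEGIRO_PASSWORD"),
        totp.now())

if __name__ == "__main__":
    main()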

SonGokussj4 avatar Jan 09 '22 22:01 SonGokussj4