Explore >> Select a destination
|
You are here 
|
rcoh.me | ||
| | | | |
labanskoller.se
|
|
| | | | | You probably use an "authenticator app" such as Google Authenticator to enable two-step verification (sometimes called two-factor authentication, 2FA, or multi-factor authentication, MFA) for an online account. The method is called Time-Based One-Time Password Algorithm (TOTP) and is standardized in RFC 6238. In October 2017 when I evaluated HashiCorp Vault for generating and storing TOTP secrets for a system at work I realized that the Android version and iOS version of Google Authenticator differed a lot when it comes to which modes are supported. | |
| | | | |
prezu.ca
|
|
| | | | | Authenticator apps like Google Authenticator use 2 authenticaion protocol centered around What you have paradigm. Those algorithms are: HOTP (HMAC-based One Time Password), and TOTP (Time-based One Time Password). They obviously are different, but both are centered around the same basic idea: using a rolling hash value, that is predictable only to the server and the authenticator app. Additionally, both are using HMAC-SHA-1 for generating those hash values. In my previous post I explained the gist of the approach used in both algorithms. Here we'll focus on the details of implementation of HMAC. We'll tackle TOTP in part 3. | |
| | | | |
www.mjt.me.uk
|
|
| | | | | ||
| | | | |
prezu.ca
|
|
| | | Part 3 is the last part in this short cycle. Here I'll explain all the details around Time-based One-Time Password algorithm. I'll finish up by also elaborating on things common to both, HMAC-Based One-Time Password algorithm: QR Codes used to easily transfer secrets from the server to the Authenticator app Base32 algorithm - used to store non-printable secret in a URI (effectively stored by the QR Codes mentioned above). TOTP One way to avoid the problems with lack of feedback between server and the app... | ||
