OTP
Generate one-time passwords (OTP)
This is compatible with the authenticator apps available for Android and iPhone.
To enrol a device, give the app the secret key, or a provisioning URL, for instance embedded in a QR code.
HOTP RFC 4226
Create an HOTP
Create an instance with your secret key encoded in base32 (without padding, i.e. no trailing =)
$otp:=OTP.HOTP.new("JDDK4U6G3BJLEZ7Y") // base32 encoded key
Maintain a counter per user and change its value after each attempt (never reuse a counter value for the same key).
Verify HOTP
You can verify a code against a given counter value
$isAuth:=$otp.verify(654666; 1500)
Get a code
You can get the code for a given counter, to display it or send it by email or SMS
$code:=$otp.at(1500)
Get the URL for an authenticator app
$url:=$otp.provisioningUri("my app";$currentCounter)
TOTP RFC 6238
Create a TOTP
Create an instance with your secret key encoded in base32 (without padding, i.e. no trailing =)
$otp:=OTP.TOTP.new("JDDK4U6G3BJLEZ7Y")
With TOTP you do not need to manage a counter: the counter is derived from the current timestamp (RFC 6238 divides the time into steps, typically of 30 seconds), so the code changes on its own.
Verify TOTP
You can verify a code against the current timestamp
$isAuth:=$otp.verify(139664)
or against a specific timestamp, for tests
$isAuth:=$otp.verify(139664;1301012137)
Get a code
You can get the current code, to display it or send it by email or SMS
$code:=$otp.now()
You can also get the code for a specific timestamp
$code:=$otp.at(1301012137)
Get the URL for an authenticator app
$url:=$otp.provisioningUri("my app")
Base32
To encode in base32 without padding (i.e. no trailing =), pass False as the second argument:
OTP.Base32.instance.encode($aSecretKeyBlob; False)
OTP.Base32.instance.encodeText($aSecretKeyText; False)
Code from the forum, fixed by @dbeaubien (#3); encoding with padding suggested by @blegay, plus RFC tests (#2).
Testing an authenticator app with TOTP
Download one
Scan a QR code with the app
Provide a QR code containing the URL returned by the component
$url:=$otp.provisioningUri("mesopelagique") // otpauth://totp/mesopelagique?secret=JDDK4U6G3BJLEZ7Y
You can generate the QR code with JavaScript or, temporarily and for testing only, with a website such as https://www.qr-code-generator.com/, https://www.unitag.io/fr/qrcode, …
⚠️ Do not rely on a third-party website in production: the URL contains the shared secret, so the site could capture it.
Verify the code
ASSERT($otp.verify(Int(Num(Request("Code?")))); "Code is not ok") // Request returns text, so convert it to a number first
Because of clock drift, the time on the device and on the server can differ, so a code that was valid when the app displayed it can occasionally fail to verify. RFC 6238 suggests accepting the codes of the adjacent time steps as well; check how tolerant your verify call is before you rely on it, and keep server clocks synchronised with NTP.
Contributors
To help
If you run a business and you’re using one of my projects in a revenue-generating product, it makes business sense to sponsor this open source development
Thank you for your support!