OTP

Generate OTP, HOTP, TOTP code using 4D

Generate one-time passwords (OTP)

This is compatible with apps available for Android and iPhone.

To use such an app, provide it with the secret key, or with a URL, for instance in a QR code.

HOTP RFC 4226

Create an HOTP instance with your secret key encoded in Base32 (without padding, i.e. without =)

$otp:=OTP.HOTP.new("JDDK4U6G3BJLEZ7Y") // base32 encoded key

Maintain a counter for each user, and change its value at each try.

Verify HOTP

You can verify a code against a counter value

$isAuth:=$otp.verify(654666; 1500)

Get a code

You can get the code by passing the current counter, to display it or send it by e-mail or SMS

$code:=$otp.at(1500)

Get URL for auth app

$url:=$otp.provisioningUri("my app";$currentCounter)

TOTP RFC 6238

Create a TOTP instance with your secret key encoded in Base32 (without padding, i.e. without =)

$otp:=OTP.TOTP.new("JDDK4U6G3BJLEZ7Y")

TOTP removes the need to manage a counter by using the current timestamp instead

Verify TOTP

You can verify the code with the current timestamp

$isAuth:=$otp.verify(139664)

or a specific timestamp to test

$isAuth:=$otp.verify(139664;1301012137)

Get

You can get the current code, to display it or send it by e-mail or SMS

$code:=$otp.now()

You can also get it for a specific timestamp

$code:=$otp.at(1301012137)

Get URL for auth app

$url:=$otp.provisioningUri("my app")

Base32

To encode to Base32 without padding (i.e. without =) you can use

OTP.Base32.instance.encode($aSecretKeyBlob; False)
OTP.Base32.instance.encodeText($aSecretKeyText; False)

Code from forum fixed by @dbeaubien #3, and encode with padding suggested by @blegay + rfc test #2

Testing authenticator app with TOTP

Download one

Scan a QR code with the app

Provide a QR code containing the URL returned by the code

$url:=$otp.provisioningUri("mesopelagique") // otpauth://totp/mesopelagique?secret=JDDK4U6G3BJLEZ7Y

You can generate the QR code using JavaScript or, temporarily and for testing only, using a website like https://www.qr-code-generator.com/, https://www.unitag.io/fr/qrcode, …

⚠️ Do not rely on a third-party website in production: it could intercept private data (the URL contains the secret key)

Verify code

ASSERT($otp.verify(Int(Request("code?"))); "Code is not ok")

Because of time drift, the time can differ between devices and the server, so verifying a code can sometimes fail.
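Added example, not part of this component: an independent Python reference for RFC 4226 / RFC 6238 that can be used to cross-check the codes the component returns, and that shows one way to tolerate the drift described above by accepting the adjacent time steps while rejecting reuse of a code. The function names and the `window` and `last_step` parameters are assumptions of this example, and the key is the RFC test key, not a real secret.

```python
import base64
import hashlib
import hmac
import struct

RFC_KEY = b"12345678901234567890"  # test key from RFC 4226 Appendix D


def decode_secret(b32: str) -> bytes:
    """Decode a Base32 secret whose '=' padding may have been stripped."""
    s = b32.strip().replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 of the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(key: bytes, timestamp: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP where the counter is the number of elapsed time steps."""
    return hotp(key, timestamp // step, digits)


def verify_totp(key, code, timestamp, last_step=-1, window=1, step=30):
    """Return the matched time step, or None if the code is rejected.

    Accepts codes from +/- `window` steps around `timestamp` to absorb drift.
    Steps <= `last_step` are refused so an observed code cannot be replayed;
    the caller stores the returned step per user as the new `last_step`.
    """
    # A code handled as an integer loses its leading zeros: restore them.
    submitted = str(code).zfill(6)
    current = timestamp // step
    matched = None
    for candidate in range(current - window, current + window + 1):
        ok = hmac.compare_digest(hotp(key, candidate), submitted)
        if ok and candidate > last_step and matched is None:
            matched = candidate
    return matched


if __name__ == "__main__":
    print(totp(RFC_KEY, 1111111109))                  # RFC 6238 vector, 6 digits
    print(verify_totp(RFC_KEY, 81804, 1111111139))    # one step late, accepted
```
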

Contributors

To help

If you run a business and you’re using one of my projects in a revenue-generating product, it makes business sense to sponsor this open source development.

Thank you for your support!

Other components

mesopelagique