Skip to content

Google Authenticator One-time Password Algorithm in Javascript

I’ve recently setup 2-factor authentication on my Google account.  The new 2nd factor or “thing you have” is a smartphone application which generates 6 digit one-time passwords.

I was a bit surprised when I stumbled on this article Two Factor SSH with Google Authenticator. Turns out the algorithm used to generate the OTPs is an open standard. When you set-up an account in the smartphone app you are storing a key that’s used to create a HMAC of the current time.

You can read the specifics of the algorithm in the TOTP RFC Draft.  I really like the idea that you can use the smartphone app to generate OTPs for your own application.  I’ve implemented the algorithm in javascript on jsfiddle.   Javascript is nice and readable, but please don’t implement your verification client side! :)


  • 2012-Sept-6: jsSHA moved location
  • 2012-Sept-12: Something suspect about the way I’m converting BASE32 to bytes. Changed it to grab full bytes from the binary string, and ignore anything left over.
  • 2014-April-22: Github not a CDN anymore.. :) Moved references to bootstrap and jsSHA

{ 14 } Comments

  1. Mark Linton | January 28, 2012 at 6:41 am | Permalink

    Great JS example of the TOTP algo. It would be really awesome to have the actual OTP generation explained using the same example (how the offset it calculated, etc).


  2. russ | January 28, 2012 at 9:42 pm | Permalink

    Hi Mark, your timing is good. I’ve just been playing with this the TOTP algorithm on an Arduino. See here:!/russaus/status/163232099220996096

    I’ll do a blog post on the Arduino stuff soon, and I’ll include an intro to the algorithm with the post.


  3. Markus | March 1, 2012 at 1:41 am | Permalink

    See for an example on how to compute the TOTP in Javascript without requiring additional libraries. I don’t claim that the code is readable — but I do claim that it is compact.

  4. Gerard Braad | June 7, 2012 at 11:59 pm | Permalink

    Created a small Gnome Shell extension based on your publication:

  5. Annon | June 16, 2012 at 6:01 pm | Permalink

    Im loving the dead beef in the key :)

  6. russ | June 16, 2012 at 9:38 pm | Permalink

    Hi Gerard, I’d love to see your Gnome shell extension in action. Can you post a screenshot somwhere?

  7. Gerard Braad | June 17, 2012 at 2:21 am | Permalink

    Hi Tin, took some time to ‘productize’ the implementation. Made it into a small HTML5 app for use in any browser: and even a Chrome extension: or a phonegap build:

    The gnome extension is not been approved as of yet, since I still have to optimize it a little to only run on dialog popup and use the HMAC implementation as provided by glib.

    Have attributed you in the code and will do so in an about box. All stuff is published on github.

  8. Gerard Braad | June 17, 2012 at 7:47 am | Permalink

    oops, correction… Hi Russ…

  9. russ | June 17, 2012 at 7:49 am | Permalink

    heheh… not the first time I’ve been called ‘Tin’ :)

  10. Andrew Stanley | January 24, 2013 at 7:40 pm | Permalink

    Russ, did you ever get around to documenting what you did with your Arduino? I’m futzing with the same idea right now and would love to see your example/write up!

  11. russ | January 26, 2013 at 2:06 am | Permalink

    Hi Andrew,
    I didn’t get around to writing anything up. The source code is here:
    Will _try_ get around to documenting it someday!

  12. FJH | January 22, 2014 at 4:31 pm | Permalink

    This wonderful example has stopped working in Chrome as Chrome now enforces strict mime type checking. Still works in Firefox though.

    Refused to execute script from ‘’ because its MIME type (‘text/plain’) is not executable, and strict MIME type checking is enabled.

  13. russ | April 23, 2014 at 3:14 am | Permalink

    Hi – I think I’ve fixed the the problems that were breaking things in Chrome.

  14. FJH | April 23, 2014 at 5:45 pm | Permalink

    I agree, you have fixed the issue that stopped it working in the latest version of chrome. Thanks.

{ 4 } Trackbacks

  1. [...] oder.Eine interessante Seite um etwas mit dem Secret, dem QR-Code und dem Code herumzuspielen ist diese Javascript-Umsetzung.Für WordPress gibt es ein Plugin für die Google Authenticator Unterstützung, ich nehme an dass [...]

  2. [...] Liens utiles : RFC 6238 - TOTP: Time-Based One-Time Password Algorithm RFC 4226 - HOTP/IETF Exemple de calcul d’OTP TOTP generator in javascript [...]

  3. [...] Liens utiles : RFC 6238 - TOTP: Time-Based One-Time Password Algorithm RFC 4226 - HOTP/IETF Exemple de calcul d’OTP TOTP generator in javascript [...]

  4. [...] Liens utiles : RFC 6238 - TOTP: Time-Based One-Time Password Algorithm RFC 4226 - HOTP/IETF Exemple de calcul d’OTP TOTP generator in javascript [...]

Post a Comment

Your email is never published nor shared. Required fields are marked *