I’ve recently setup 2-factor authentication on my Google account. The new 2nd factor or “thing you have” is a smartphone application which generates 6 digit one-time passwords.
I was a bit surprised when I stumbled on this article Two Factor SSH with Google Authenticator. Turns out the algorithm used to generate the OTPs is an open standard. When you set-up an account in the smartphone app you are storing a key that’s used to create a HMAC of the current time.
You can read the specifics of the algorithm in the TOTP RFC Draft. I really like the idea that you can use the smartphone app to generate OTPs for your own application. I’ve implemented the algorithm in javascript on jsfiddle. Javascript is nice and readable, but please don’t implement your verification client side! 
History
- 20012-Sept-6: jsSHA moved location
- 20012-Sept-12: Something suspect about the way I’m converting BASE32 to bytes. Changed it to grab full bytes from the binary string, and ignore anything left over.
{ 11 } Comments
Great JS example of the TOTP algo. It would be really awesome to have the actual OTP generation explained using the same example (how the offset it calculated, etc).
Thanks!
Hi Mark, your timing is good. I’ve just been playing with this the TOTP algorithm on an Arduino. See here: https://twitter.com/#!/russaus/status/163232099220996096
I’ll do a blog post on the Arduino stuff soon, and I’ll include an intro to the algorithm with the post.
Russ
See http://code.google.com/p/google-authenticator/source/browse/libpam/totp.html for an example on how to compute the TOTP in Javascript without requiring additional libraries. I don’t claim that the code is readable — but I do claim that it is compact.
Created a small Gnome Shell extension based on your publication: https://github.com/gbraad/gnome-shell-google-authenticator
Im loving the dead beef in the key
Hi Gerard, I’d love to see your Gnome shell extension in action. Can you post a screenshot somwhere?
Hi Tin, took some time to ‘productize’ the implementation. Made it into a small HTML5 app for use in any browser: https://5apps.com/apps/4fd87e80c439344a17000003 and even a Chrome extension: https://chrome.google.com/webstore/detail/ilgcnhelpchnceeipipijaljkblbcobl?utm_source=chrome-ntp-icon or a phonegap build: https://build.phonegap.com/apps/135419/share
The gnome extension is not been approved as of yet, since I still have to optimize it a little to only run on dialog popup and use the HMAC implementation as provided by glib.
Have attributed you in the code and will do so in an about box. All stuff is published on github.
oops, correction… Hi Russ…
heheh… not the first time I’ve been called ‘Tin’
Russ, did you ever get around to documenting what you did with your Arduino? I’m futzing with the same idea right now and would love to see your example/write up!
Hi Andrew,
I didn’t get around to writing anything up. The source code is here: https://github.com/russau/ArduinoOTP
Will _try_ get around to documenting it someday!
Russ
{ 1 } Trackback
[...] oder.Eine interessante Seite um etwas mit dem Secret, dem QR-Code und dem Code herumzuspielen ist diese Javascript-Umsetzung.Für WordPress gibt es ein Plugin für die Google Authenticator Unterstützung, ich nehme an dass [...]
Post a Comment