Google Authenticator One-time Password Algorithm in Javascript

I’ve recently set up 2-factor authentication on my Google account. The new 2nd factor or “thing you have” is a smartphone application which generates 6-digit one-time passwords.

I was a bit surprised when I stumbled on this article, Two Factor SSH with Google Authenticator. It turns out the algorithm used to generate the OTPs is an open standard. When you set up an account in the smartphone app you are storing a key that’s used to create an HMAC of the current time.

You can read the specifics of the algorithm in the TOTP RFC Draft. I really like the idea that you can use the smartphone app to generate OTPs for your own application. I’ve implemented the algorithm in JavaScript on jsfiddle. JavaScript is nice and readable, but please don’t implement your verification client side! :)
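The algorithm described above as a server-side Node.js example, added here and not the jsfiddle code from this post: Base32 key decoding, the HMAC-SHA1 of the time counter, dynamic truncation to 6 digits, and a verification function. The function names, the 30-second step and the drift window of one step either side are assumptions of this example.

```javascript
// Added example (not the post's jsfiddle code); names and defaults are assumptions.
const crypto = require('crypto');

// Base32 (RFC 4648) to bytes: take whole bytes from the bit string and
// ignore any leftover bits, as described in the History notes.
function base32ToBytes(s) {
  const alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567';
  let bits = '';
  for (const ch of s.replace(/[\s=]/g, '').toUpperCase()) {
    const v = alphabet.indexOf(ch);
    if (v < 0) throw new Error('invalid base32 character: ' + ch);
    bits += v.toString(2).padStart(5, '0');
  }
  const out = [];
  for (let i = 0; i + 8 <= bits.length; i += 8) {
    out.push(parseInt(bits.slice(i, i + 8), 2));
  }
  return Buffer.from(out);
}

// HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter,
// then dynamic truncation of the 20-byte MAC.
function hotp(key, counter, digits = 6) {
  const msg = Buffer.alloc(8);
  msg.writeBigUInt64BE(BigInt(counter));
  const mac = crypto.createHmac('sha1', key).update(msg).digest();
  const offset = mac[mac.length - 1] & 0x0f;          // low nibble of the last byte
  const code = mac.readUInt32BE(offset) & 0x7fffffff; // 31 bits starting at offset
  return String(code % 10 ** digits).padStart(digits, '0');
}

// TOTP (RFC 6238): the counter is the number of time steps since the Unix epoch.
function totp(key, unixSeconds, step = 30, digits = 6) {
  return hotp(key, Math.floor(unixSeconds / step), digits);
}

// Server-side check: tolerate +/- `window` steps of clock drift and
// compare in constant time. Always runs every step in the window.
function verifyTotp(key, submitted, unixSeconds, window = 1, step = 30) {
  const given = Buffer.from(String(submitted));
  let ok = false;
  for (let w = -window; w <= window; w++) {
    const expected = Buffer.from(totp(key, unixSeconds + w * step, step));
    if (given.length === expected.length && crypto.timingSafeEqual(given, expected)) ok = true;
  }
  return ok;
}
```

A production verifier would also record the last accepted time step per account so that a code cannot be replayed within its validity window.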

History

  • 2012-Sept-6: jsSHA moved location
  • 2012-Sept-12: Something suspect about the way I’m converting BASE32 to bytes. Changed it to grab full bytes from the binary string, and ignore anything left over.

{ 11 } Comments

  1. Mark Linton | January 28, 2012 at 6:41 am | Permalink

    Great JS example of the TOTP algo. It would be really awesome to have the actual OTP generation explained using the same example (how the offset is calculated, etc).

    Thanks!

  2. russ | January 28, 2012 at 9:42 pm | Permalink

    Hi Mark, your timing is good. I’ve just been playing with the TOTP algorithm on an Arduino. See here: https://twitter.com/#!/russaus/status/163232099220996096

    I’ll do a blog post on the Arduino stuff soon, and I’ll include an intro to the algorithm with the post.

    Russ

  3. Markus | March 1, 2012 at 1:41 am | Permalink

    See http://code.google.com/p/google-authenticator/source/browse/libpam/totp.html for an example on how to compute the TOTP in Javascript without requiring additional libraries. I don’t claim that the code is readable — but I do claim that it is compact.

  4. Gerard Braad | June 7, 2012 at 11:59 pm | Permalink

    Created a small Gnome Shell extension based on your publication: https://github.com/gbraad/gnome-shell-google-authenticator

  5. Annon | June 16, 2012 at 6:01 pm | Permalink

    I’m loving the dead beef in the key :)

  6. russ | June 16, 2012 at 9:38 pm | Permalink

    Hi Gerard, I’d love to see your Gnome shell extension in action. Can you post a screenshot somewhere?

  7. Gerard Braad | June 17, 2012 at 2:21 am | Permalink

    Hi Tin, took some time to ‘productize’ the implementation. Made it into a small HTML5 app for use in any browser: https://5apps.com/apps/4fd87e80c439344a17000003 and even a Chrome extension: https://chrome.google.com/webstore/detail/ilgcnhelpchnceeipipijaljkblbcobl?utm_source=chrome-ntp-icon or a phonegap build: https://build.phonegap.com/apps/135419/share

    The gnome extension has not been approved as of yet, since I still have to optimize it a little to only run on dialog popup and use the HMAC implementation as provided by glib.

    Have attributed you in the code and will do so in an about box. All stuff is published on github.

  8. Gerard Braad | June 17, 2012 at 7:47 am | Permalink

    oops, correction… Hi Russ…

  9. russ | June 17, 2012 at 7:49 am | Permalink

    heheh… not the first time I’ve been called ‘Tin’ :)

  10. Andrew Stanley | January 24, 2013 at 7:40 pm | Permalink

    Russ, did you ever get around to documenting what you did with your Arduino? I’m futzing with the same idea right now and would love to see your example/write up!

  11. russ | January 26, 2013 at 2:06 am | Permalink

    Hi Andrew,
    I didn’t get around to writing anything up. The source code is here: https://github.com/russau/ArduinoOTP
    Will _try_ get around to documenting it someday!
    Russ

{ 1 } Trackback

  1. [...] or. An interesting page for playing around a bit with the secret, the QR code and the code is this JavaScript implementation. For WordPress there is a plugin for Google Authenticator support; I assume that [...]