I’ve recently set up 2-factor authentication on my Google account. The new second factor, the “thing you have”, is a smartphone application which generates 6-digit one-time passwords.
I was a bit surprised when I stumbled on this article, Two Factor SSH with Google Authenticator. It turns out the algorithm used to generate the OTPs is an open standard. When you set up an account in the smartphone app you are storing a key that is used to compute an HMAC of the current time; the 6-digit code is derived from that HMAC.
- 2012-Sept-6: jsSHA moved location
- 2012-Sept-12: Something suspect about the way I was converting Base32 to bytes. Changed it to grab full bytes from the binary string and ignore anything left over.