Skip to content
/ time-based-one-time-password Public

Lib that uses and works with Google Authenticator to provide a base for further 2fa applications.

0 stars 0 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

hrsto/time-based-one-time-password

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

6 Commits
docs
docs
 
 
src
src
 
 
.gitignore
.gitignore
 
 
README.md
README.md
 
 
build.gradle
build.gradle
 
 

Repository files navigation

Java Implementation of TOTP: Time-Based One-Time Password Algorithm

Uses Google Authenticator as the base to provide quick and dirty library as a start for further development of 2fa solutions based on TOTP.

Usage

Get the dependency via Maven with coords:

<dependency>
  <groupId>com.webarity</groupId>
  <artifactId>time-based-one-time-password</artifactId>
  <version>1.0.0</version>
</dependency>

Install Google Authenticator (or anything similar to it from anywhere) from the google play store and set it up for time based passwords and give it a shared secret. Then:

TimeOneTimePassword.HMACSHA1.oneTimePassword("mysharedsecrethere"); //uses the defaults of 0 unix start time, 30 seconds interval steps, and 6 pin length
TimeOneTimePassword.HMACSHA1.oneTimePassword("mysharedsecrethere", 6); //with pin length
TimeOneTimePassword.HMACSHA1.oneTimePassword("mysharedsecrethere", 0, 30, 6); //with start time, time step, and pin lenght
TimeOneTimePassword.HMACSHA1.oneTimePassword("mysharedsecrethere", System.currentTimeMillis() / 1000, 0, 30, 6); //with the current _now_ time in seconds, start time, time step, and pin length

Abstract

For reference, see RFC 6238 TOTP: Time-Based One-Time Password Algorithm.

Abbreviations used:

  • HOTP - HMAC one time password (with SHA1 hash function)
  • TOTP - time base one time password
  • OTP - one time password

Algorithm is defined as:

T = Math.floor((Ut - T0) / X)
TOTP = HOTP(K,T)

Where:

  • Ut - current Unix epoch time in seconds. In java it would look like System.currentTimeMillis() / 1000. In JavaScript - Date.now() / 1000
  • X - time step in seconds (30 by default for Google Authenticator)
  • T0 - unix time to start counting time steps, defaults to 0

HOTP uses HMAC SHA 1 and is applied to increasing counter value that represents the message in the HMAC computation. The result is then truncated to obtain user-friendly vals using:

HOTP(K, C) = Truncate(HMAK-sha-1(K, C))

Truncate converts HMAC SHA 1 val into HOTP value.

  • K - shared secret
  • C - counter value - in TOTP, this val will be T (see above). TOTP may use SHA 256 or SHA 512 instead of HMAC SHA 1.

Due to lag, when client sends his OTP, server may receive it when the time window ends, thus the server may have to allow for a buffer time and compare the received OTP with, at most, the previous one.

https://www.webarity.com

About

Lib that uses and works with Google Authenticator to provide a base for further 2fa applications.

Resources

Readme
Activity

Stars

0 stars

Watchers

1 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages