
OTP Auth

OTP means One-Time Password, a short code used as the second factor in two-factor authentication.

Example

The following example is from the npm package otpauth.

import * as OTPAuth from "otpauth";

// Create a new TOTP object. The secret is the shared key; the other fields
// are the parameters an authenticator app needs to produce the same code.
let totp = new OTPAuth.TOTP({
  issuer: "ACME",
  label: "AzureDiamond",
  algorithm: "SHA1",
  digits: 6,
  period: 30,
  secret: "NB2W45DFOIZA", // base32; or 'OTPAuth.Secret.fromBase32("NB2W45DFOIZA")'
});

// Generate a token for the current 30-second time step.
let token = totp.generate();
console.log(token);

// Validate a token. `window: 1` also accepts the previous and next time step
// (clock drift). Returns the step delta (0 here) or null if nothing matches.
let delta = totp.validate({
  token: token,
  window: 1,
});
console.log(delta);

// Convert to Google Authenticator key URI:
// otpauth://totp/ACME:AzureDiamond?issuer=ACME&secret=NB2W45DFOIZA&algorithm=SHA1&digits=6&period=30
let uri = totp.toString(); // or 'OTPAuth.URI.stringify(totp)'
console.log(uri);

// Convert from Google Authenticator key URI back into a TOTP object.
let parsedTotp = OTPAuth.URI.parse(uri);
console.log(parsedTotp);

The URI can be rendered as a QR code and scanned by an authenticator app.

The URI contains every parameter, including the secret, so anyone who obtains it (for example from a screenshot or a log) can generate valid tokens. Treat it like a password.

TOTP

TOTP is what sits behind the QR code you scan when enabling two-factor auth. It provides a second factor beyond the password: the code is derived from the current time, so a new code is produced every 30 seconds.

From the code above you can see that a secret is provided. This secret is shared between the client (the authenticator app) and the server (stored in its DB), and it is the only thing that lets either side compute the code.

Explanation by ChatGPT:

  • TOTP (Time-based One-Time Password) is a two-factor authentication method that generates a one-time password (OTP) based on a shared secret key and the current time. The algorithm uses the Unix time in seconds to calculate the OTP, which changes every 30 seconds. The user and the authentication system both have the same shared secret key, so when the user provides the OTP, the authentication system can calculate the expected OTP and compare it to the one provided by the user. If they match, the user is authenticated.

  • The secret key used in TOTP can be generated in several ways:

  1. Manually: The secret key can be manually generated by the user or the authentication system administrator and then shared between the two parties.

  2. QR code: A QR code containing the secret key can be generated by the authentication system and scanned by the user using a smartphone camera. This is a common method for setting up TOTP on mobile devices.

  3. Key provisioning protocol: A key provisioning protocol such as HOTP (HMAC-based One-Time Password) can be used to securely transfer the secret key from the authentication system to the user.

  • Once the secret key has been generated and shared, it should be securely stored by both the user and the authentication system. The secret key is used to generate the one-time passwords, so it is critical that it is kept confidential and protected against unauthorized access.

Usage

So, in practice:

Generation Procedure

  1. The server generates a secret randomly.
  2. It builds the otpauth://totp URL.
  3. The URL is sent to the client and displayed as a QR code.
  4. The client scans the QR code and saves the secret and parameters.

Verification Procedure

  1. The authenticator app generates a token from the saved info (refreshed every period).
  2. The user submits the token to the server.
  3. The server verifies the token against the secret saved in its DB.

HOTP

TODO