I can't say I recommend my solution, but it works. The 2FA Login plugin enables applications built with Backendless to provide an authentication option where a user can log in using the TOTP (Time-based One-Time Password) form of two-factor authentication (2FA). This might have been adequate reason to fire me, but I didn't particularly care and I was never caught. I did, and I certainly violated the trust of my employer by doing so. Ideally, you should therefore never even see your secret, and certainly not commit it to memory (or even worse, write it down). A correct code in those cases absolutely requires physical control over a key. If, however, the secret is properly installed on a YubiKey or similar, then it cannot be recovered, ever. Now, I feel the need to emphasize that this is a horrible solution which circumvents the entire purpose of the TOTP scheme: if someone installs a key logger on your computer, observes what you type, tortures you, or even just browses through your machine if they get access to it, then they will get the secret, just as if it were a regular password, which is basically what the secret in the above case has been reduced to. We look at Base32, QR codes, and the respective RFCs for. However, if you want it really simple, then you can even do this interactively in the Python shell with available libraries: In : import pyotp. How does Authy work? What's HOTP and TOTP? What's multi-factor authentication and two-factor authentication (2FA)? I tried looking into the Google Authenticator sources and all around the internet, really, and I find a lot of similarities with my code, but I can't really find where I'm wrong. I use a shared secret generated when I set up Google Authenticator. But to enter this 20-byte secret key into a tool like Google Authenticator is not easy. A token is then extracted from this generated 160-bit HMAC. The private key is used with HMAC-SHA1 to encode the number of seconds since (epoch time counter).
As for the one-time code, the algorithm for TOTP is fairly simple and can be implemented in C or similar without much hassle. I am currently trying to recreate a Google one-time password generator. The private key in TOTP should be a 20-byte (160-bit) secret. Most secrets engines must be configured in advance before they can perform their functions. It provides an added layer of security, since the ability to generate codes is guarded by policies and the entire process is audited. My secret was just 32 characters, so it was just another password to remember. In this mode, it can replace traditional TOTP generators like Google Authenticator. Punch in the key whenever you need a one-time code. Write a program for TOTP codes in your favorite language. It wasn't pretty, and the head of security would have gone ballistic if they had got word of it, but fortunately they never did. I was in a similar situation: my employer required TOTP for some purposes and I refused to acquire a smartphone for this.