2-factor authentication is an important protection for a web application. In this blog post we see how Time based One Time Password (TOTP) authentication works, and how it can be implemented in a Laravel application.

Time based One Time Password (TOTP) authentication is a variation of HMAC based One Time Password (HOTP) where the source of uniqueness (the counter) is actually a time reference.

The web application creates an initial secret (a very long password), that the user must save in his TOTP app. I like to call this secret the seed, because it is conceptually similar to the initial seed of a pseudo random number generator.

When the user must authenticate on the web application, the TOTP app appends a time-based counter to the seed, and hashes this value to produce a short PIN code (usually 6 digits). The web application performs the same computation and checks if the value provided by the user matches.

The shared secret is actually a very long string (typically 64 characters) and is hence impossible to memorize. Moreover, because of the hashing process the secret cannot be recovered from the generated PIN codes. Finally, TOTP assumes that the secret cannot be stolen or copied from the app. With this assumption, the TOTP app behaves like a hardware PIN code generator. Hence a user who provides correct PIN codes shows that they are in possession of the seed (saved in the TOTP app). This is the second factor: something you have.

TOTP has been largely popularized by Google and their authentication app "Google Authenticator". Hence still today, a lot of websites use the name "Google 2FA" to refer to TOTP.
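The computation described above (counter appended to the seed, HMAC, truncation to a short code, and the server repeating the same computation) carried out end to end, as an added example that is not code from the original post or its Laravel implementation. It follows the RFC 4226/6238 defaults (HMAC-SHA1, 30-second step, 6 digits) and uses the RFC 6238 test seed `12345678901234567890` as a constructed input; the `window` parameter and the function names are this example's own choices.

```python
import hashlib
import hmac
import struct
import time


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC the 8-byte big-endian counter with the seed,
    then dynamically truncate the MAC to a short decimal code."""
    msg = struct.pack(">Q", counter)
    mac = hmac.new(seed, msg, hashlib.sha1).digest()
    # Dynamic truncation: the low nibble of the last byte picks a 4-byte window.
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(seed: bytes, unix_time: float, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP where the counter is the number of time steps
    elapsed since the Unix epoch. This is what the authenticator app shows."""
    return hotp(seed, int(unix_time) // step, digits)


def verify_totp(seed: bytes, candidate: str, unix_time: float,
                step: int = 30, digits: int = 6, window: int = 1) -> bool:
    """Server side: recompute the code for the current step and a small
    window of neighbouring steps (clock drift), comparing in constant time
    so the check does not leak how many digits matched."""
    counter = int(unix_time) // step
    for delta in range(-window, window + 1):
        expected = hotp(seed, counter + delta, digits)
        if hmac.compare_digest(expected, candidate):
            return True
    return False


if __name__ == "__main__":
    # Constructed seed from the RFC 6238 test vectors; a real deployment
    # generates a random seed per user and shares it (usually base32-encoded).
    seed = b"12345678901234567890"
    now = time.time()
    code = totp(seed, now)
    print("current code:", code, "valid:", verify_totp(seed, code, now))
```

Because the server only ever recomputes the HMAC, it never needs the PIN code to be reversible, which is the property the post relies on when it says the seed cannot be recovered from the generated codes. The window of one step on either side is the usual tolerance for a phone clock that is a few seconds off; a wider window weakens the time binding.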