two-factor-auth
google-authenticator
two-factor-auth | google-authenticator | |
---|---|---|
1 | 24 | |
298 | 4,501 | |
- | - | |
0.0 | 0.8 | |
over 1 year ago | over 3 years ago | |
Java | Java | |
ISC License | Apache License 2.0 |
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.
two-factor-auth
-
How does Google Authenticator work?
It's really easy to integrate into websites as well. I did so a few years ago. The TOTP algorithm is just a few lines of code. I adapted this implementation https://github.com/j256/two-factor-auth at the time. There are similar libraries available for lots of languages.
You need a library like that and a way to convert an otp:// url into a QR code, for which there are many libaries as well. The rest is just implementing a sane UX around this. Storing the user's TOTP secret server side is a bit tricky. I suspect a plain text field in a database is quite common for this; which of course would be disastrous if that database were ever stolen. Secret stores don't scale for this as they tend to be designed for just a handful of secrets. We ended up encrypting these totp secrets using a key from our secret store.
google-authenticator
-
GitHub will disable non-2FA accounts?
otpauth:// is a de-factor standard, since Google Authenticator uses it: https://github.com/google/google-authenticator/wiki/Key-Uri-...
-
Creating 2fa with pyotp
Random question if you're using TOTP why not just give the user the secret when signing up as a Google Authenticator URI encoded in a QR code? Then you won't need to futz around with sending it to them afterwards. You can even use a library like qrcode.js so you don't generate the barcode server side either.
- why are all the totp secrets different styles?
-
Locker: Store secrets on your local file system.
Locker can generate Time Based OTP codes parsing TOTP urls stored under a special key named totp.
-
Does changing an email that has TOTP setup affect the "secret"?
(Examples> https://github.com/google/google-authenticator/wiki/Key-Uri-Format)
- Google Authenticator open source fork archived
- TOTP tokens on my wrist with the smartest dumb watch
- LastPass gehackt, Nutzerdaten aber anscheinend sicher
- Is google authenticator Private & Secure (Trustworthy) enough to be used for 2StepVerification?
-
Twilio, the people who own Authy, got hacked
If we're talking about the encrypted Authy TOTP secrets and IF they get cracked or guessed, Authy does store the email in the name of the item. Having the name, service and the secret within the QR code's URI is normal and the standard for TOTP. The only thing the hackers won't have is the password.
What are some alternatives?
Aegis - A free, secure and open source app for Android to manage your 2-step verification tokens.
pass-otp - A pass extension for managing one-time-password (OTP) tokens
pyotp - Python One-Time Password Library
ios-application - A native, lightweight and secure one-time-password (OTP) client built for iOS; Raivo OTP!
keepassxc - KeePassXC is a cross-platform community-driven port of the Windows application “Keepass Password Safe”.
andOTP - [Unmaintained] Open source two-factor authentication for Android
strongbox - A secret manager for AWS
otp-codegen - Takes your OTP secret in and spits out the 6 digit OTP code