- ios-application: A native, lightweight and secure one-time-password (OTP) client built for iOS; Raivo OTP!
- google-authenticator: Discontinued. Open source version of Google Authenticator (except the Android app)
- keepassxc: KeePassXC is a cross-platform community-driven port of the Windows application “Keepass Password Safe”.
- two-factor-auth: Two Factor Authentication Java code implementing the Time-based One-time Password Algorithm
There is also Aegis[1]. It's FOSS and available on F-Droid and the Play Store. Authy is pretty good, but doesn't support export of the secrets used for TOTP, whereas Aegis supports export to JSON and GPG-encrypted JSON.
I've been using Authy for a few years, but switched to Aegis about three years ago and couldn't be happier. Since Authy doesn't support direct export of the secrets, I've had to use a workaround [2].
[1] https://getaegis.app/
To add something about this app, I know that people understand “open source” to mean different things. In the case of Raivo, the app is a “source available” one. It’s not FOSS.
The license [1] says:
> Modification, duplication or distribution of this Service (in source and binary forms) for any purpose is strictly prohibited.
[1]: https://github.com/raivo-otp/ios-application/blob/master/LIC...
If you're using pass already you could use their OTP plugin:
https://github.com/tadfisher/pass-otp
That gives you "pass otp github.com", etc. You can also export the QR code, and do similar things.
I put together a simple distribution of pass with a couple of plugins I use, including otp, which is easy to set up - just clone beneath `/opt/pass`:
https://github.com/skx/pass
https://github.com/google/google-authenticator/wiki/Key-Uri-...
That's the format that gets encoded into the QR code. If you can decode the QR code you can get the secret key easily.
You can also roll your own with https://github.com/pyauth/pyotp
Also, KeePassXC[0] (a password manager) has integrated TOTP, which is very handy.
[0] https://keepassxc.org/
It's really easy to integrate into websites as well. I did so a few years ago. The TOTP algorithm is just a few lines of code. I adapted this implementation https://github.com/j256/two-factor-auth at the time. There are similar libraries available for lots of languages.
You need a library like that and a way to convert an otpauth:// URL into a QR code, for which there are many libraries as well. The rest is just implementing a sane UX around this. Storing the user's TOTP secret server side is a bit tricky. I suspect a plain text field in a database is quite common for this, which of course would be disastrous if that database were ever stolen. Secret stores don't scale for this as they tend to be designed for just a handful of secrets. We ended up encrypting these TOTP secrets using a key from our secret store.
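The two points made above, the Key URI format that a TOTP QR code encodes and wiring TOTP verification into a website with the per-user secrets encrypted at rest, as one added example. This is not code from the thread, from Raivo, pyotp or j256/two-factor-auth; it uses only the Go standard library. It parses an otpauth://totp/ URI, computes and checks RFC 6238 codes (HMAC-SHA1, one-step skew window, constant-time compare), and wraps a user's secret with AES-GCM under a key-encryption key, which is the "encrypt with a key from the secret store" approach the last comment describes. The enrolment URI (carrying the RFC 6238 test key), the user IDs and the all-zero KEK in main are constructed for the demo; in production the KEK comes from the secret store.

```go
package main
import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha1"
	"encoding/base32"
	"encoding/binary"
	"errors"
	"fmt"
	"math"
	"net/url"
	"strings"
)

type OTPParams struct { // what an enrolment QR code in the Key URI format carries (period left at the default 30s)
	Label, Issuer string
	Secret        []byte // raw HMAC key, decoded from the base32 "secret" parameter
	Digits        int    // 6 (default) or 8
}

// ParseOTPAuthURI parses otpauth://totp/LABEL?secret=...&issuer=...&digits=..., the text behind the QR code.
func ParseOTPAuthURI(raw string) (*OTPParams, error) {
	u, err := url.Parse(raw)
	if err != nil || u.Scheme != "otpauth" || u.Host != "totp" {
		return nil, errors.New("not an otpauth://totp URI")
	}
	q := u.Query()
	sec := strings.ToUpper(strings.TrimRight(q.Get("secret"), "=")) // tolerate lower case and "=" padding
	key, err := base32.StdEncoding.WithPadding(base32.NoPadding).DecodeString(sec)
	if err != nil || len(key) == 0 {
		return nil, errors.New("secret is not valid base32")
	}
	p := &OTPParams{Label: strings.TrimPrefix(u.Path, "/"), Issuer: q.Get("issuer"), Secret: key, Digits: 6}
	if q.Get("digits") == "8" { // anything other than an explicit 8 is treated as the default 6
		p.Digits = 8
	}
	return p, nil
}

// TOTP is RFC 6238 over HMAC-SHA1: counter = floor(unix/period), then RFC 4226 dynamic truncation.
func TOTP(key []byte, unix, period int64, digits int) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], uint64(unix/period))
	mac := hmac.New(sha1.New, key)
	mac.Write(msg[:])
	h := mac.Sum(nil)
	off := h[len(h)-1] & 0x0f
	code := binary.BigEndian.Uint32(h[off:off+4]) & 0x7fffffff
	return fmt.Sprintf("%0*d", digits, code%uint32(math.Pow10(digits)))
}

// VerifyTOTP accepts the current 30s step and one either side (clock skew), comparing in constant time.
// A real deployment must also refuse a code already accepted for that step, to block replay.
func VerifyTOTP(p *OTPParams, code string, now int64) bool {
	ok := false
	for skew := int64(-30); skew <= 30; skew += 30 {
		ok = hmac.Equal([]byte(TOTP(p.Secret, now+skew, 30, p.Digits)), []byte(code)) || ok
	}
	return ok
}

// SecretSealer encrypts TOTP secrets with AES-GCM under a key-encryption key (KEK) held in the
// secret store, so the database row only ever holds nonce||ciphertext, never the raw secret.
type SecretSealer struct{ aead cipher.AEAD }
func NewSecretSealer(kek []byte) (*SecretSealer, error) {
	block, err := aes.NewCipher(kek) // KEK must be 16, 24 or 32 bytes
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	return &SecretSealer{aead}, err
}

// Seal returns nonce||ciphertext; userID is bound as additional data so a blob copied from another row fails to open.
func (s *SecretSealer) Seal(secret []byte, userID string) ([]byte, error) {
	nonce := make([]byte, s.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return s.aead.Seal(nonce, nonce, secret, []byte(userID)), nil
}

// Open reverses Seal; it fails if the KEK or userID differ or the blob was altered.
func (s *SecretSealer) Open(blob []byte, userID string) ([]byte, error) {
	ns := s.aead.NonceSize()
	if len(blob) < ns {
		return nil, errors.New("ciphertext too short")
	}
	return s.aead.Open(nil, blob[:ns], blob[ns:], []byte(userID))
}

func main() {
	// Constructed enrolment URI carrying the RFC 6238 test key "12345678901234567890".
	p, err := ParseOTPAuthURI("otpauth://totp/Example:alice@example.com?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example&digits=8")
	if err != nil {
		panic(err)
	}
	fmt.Println(p.Issuer, p.Label, TOTP(p.Secret, 59, 30, p.Digits), VerifyTOTP(p, "94287082", 89))
}
```

The codes this produces for the test key match RFC 6238 Appendix B (T=59 gives 94287082). Two things a production integration needs that this sketch only points at in comments: record the last accepted step per user so a code cannot be replayed inside the skew window, and rate-limit attempts, since a six-digit code is otherwise brute-forceable within the window. Rotating the KEK is also simpler with this layout than it looks, because only the small per-user blobs need re-wrapping, not the rest of the row.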