
Node.js API implementation of the same Time-based One-Time Password (TOTP) algorithm that the Google Authenticator app uses to generate two-factor authentication (2FA) tokens on your phone


google-auth-totp 0.x

This Node.js API implements the same Time-based One-Time Password (TOTP) algorithm that the Google Authenticator app uses to generate two-factor authentication (2FA) tokens on your phone.

I have decided to write this API in the simplest possible way so that you can easily follow its logic.

Core idea:

The client has the Google Authenticator app installed on her phone (Android or iPhone).

The server provides the client with a QR code containing a secret, which is scanned into the Google Authenticator app (registration phase).

Every 30 seconds the Google Authenticator app generates a new 6-digit code that the server can verify, so the client can use this 6-digit code to authenticate with the server (authentication phase).

Algorithm details:

The server generates a secret as 10 random bytes and encodes it as a base-32 string (16 base-32 characters, since each character carries 5 bits). The secret is passed to the client in the registration phase inside a QR code; the Google Authenticator app scans the QR code and stores the secret on the client's phone. Note that 10 bytes is only 80 bits of entropy, which is below the 128-bit minimum (160 bits recommended) that RFC 4226 requires for the shared secret; 20 random bytes (32 base-32 characters) is the safer choice.

The message is the number of whole 30-second intervals that have elapsed since the Unix epoch, i.e. floor(unix_time / 30). For example, if the current epoch time in seconds is 1,489,152,311 then 49,638,410 intervals have passed ( floor(1,489,152,311 / 30) ). Before hashing, this counter is encoded as an 8-byte big-endian integer, as RFC 4226 specifies.

The secret (decoded from base-32 back to raw bytes) and the message are fed into HMAC-SHA1. The 20-byte output is reduced to a 6-digit code by dynamic truncation: the low 4 bits of the last byte select an offset, the 4 bytes starting at that offset are read as a big-endian integer with the top bit cleared, and that integer is taken modulo 10^6 and zero-padded to 6 digits.

At any point the client and the server can compute the same 6-digit code because they share the secret and can each derive the message from the current time. Because clocks drift and a code may be typed near the end of an interval, a server usually also accepts the codes of the previous and next intervals, and it should compare codes in constant time so that the comparison does not leak timing information.

How to use:

In your CLI:

$ git clone https://github.com/gfiocco/google-auth-totp.git
$ cd google-auth-totp
$ node index

Then open http://localhost:3000 in your browser to see the QR code.

Use the Google Authenticator app on your phone to scan the QR code.

The Google Authenticator app on your phone and the CLI will then display the same 6-digit code, changing every 30 seconds.