logo

drewdevault.com

[mirror] blog and personal website of Drew DeVault git clone https://hacktivis.me/git/mirror/drewdevault.com.git

TOTP-is-easy.md (3447B)

    

  1. ---
  2. title: TOTP for 2FA is incredibly easy to implement. So what's your excuse?
  3. date: 2022-10-18
  4. ---
  6. [Time-based one-time passwords][0] are one of the more secure approaches to 2FA
  7. — certainly much better than SMS. And it's much easier to implement than
  8. SMS as well. The algorithm is as follows:
  10. [0]: https://en.wikipedia.org/wiki/Time-based_one-time_password
  12. 1. Divide the current Unix timestamp by 30
  13. 1. Encode it as a 64-bit big endian integer
  14. 1. Write the encoded bytes to a SHA-1 HMAC initialized with the TOTP shared key
  15. 1. Let offs = hmac[-1] & 0xF
  16. 1. Let hash = decode hmac[offs .. offs + 4] as a 32-bit big-endian integer
  17. 1. Let code = (hash & 0x7FFFFFFF) % 1000000
  18. 1. Compare this code with the user's code
  20. You'll need a little dependency to generate QR codes with the [otpauth:// URL
  21. scheme][1], a little UI to present the QR code and store the shared secret in
  22. your database, and a quick update to your login flow, and then you're good to
  23. go.
  25. [1]: https://github.com/google/google-authenticator/wiki/Key-Uri-Format
  27. Here's the implementation SourceHut uses in Python. I hereby release this code
  28. into the public domain, or creative commons zero, at your choice:
  30. ```python
  31. import base64
  32. import hashlib
  33. import hmac
  34. import struct
  35. import time
  37. def totp(secret, token):
  38.     tm = int(time.time() / 30)
  39.     key = base64.b32decode(secret)
  41.     for ix in range(-2, 3):
  42.         b = struct.pack(">q", tm + ix)
  43.         hm = hmac.HMAC(key, b, hashlib.sha1).digest()
  44.         offset = hm[-1] & 0x0F
  45.         truncatedHash = hm[offset:offset + 4]
  46.         code = struct.unpack(">L", truncatedHash)[0]
  47.         code &= 0x7FFFFFFF
  48.         code %= 1000000
  49.         if token == code:
  50.             return True
  52.     return False
  53. ```
  55. This implementation has a bit of a tolerance added to make clock skew less of an
  56. issue, but that also means that the codes are longer-lived. Feel free to edit
  57. these tolerances if you so desire.
  59. Here's another one written in Hare, also public domain/CC-0.
  61. ```hare
  62. use crypto::hmac;
  63. use crypto::mac;
  64. use crypto::sha1;
  65. use encoding::base32;
  66. use endian;
  67. use time;
  69. // Computes a TOTP code for a given time and key.
  70. export fn totp(when: time::instant, key: []u8) uint = {
  71. 	const now = time::unix(when) / 30;
  72. 	const hmac = hmac::sha1(key);
  73. 	defer mac::finish(&hmac);
  75. 	let buf: [8]u8 = [0...];
  76. 	endian::beputu64(buf, now: u64);
  77. 	mac::write(&hmac, buf);
  79. 	let mac: [sha1::SIZE]u8 = [0...];
  80. 	mac::sum(&hmac, mac);
  82. 	const offs = mac[len(mac) - 1] & 0xF;
  83. 	const hash = mac[offs..offs+4];
  84. 	return ((endian::begetu32(hash)& 0x7FFFFFFF) % 1000000): uint;
  85. };
  87. @test fn totp() void = {
  88. 	const secret = "3N2OTFHXKLR2E3WNZSYQ====";
  89. 	const key = base32::decodestr(&base32::std_encoding, secret)!;
  90. 	defer free(key);
  91. 	const now = time::from_unix(1650183739);
  92. 	assert(totp(now, key) == 29283);
  93. };
  94. ```
  96. In any language, TOTP is just a couple of dozen lines of code even if there
  97. isn't already a library — and there is probably already a library. You
  98. don't have to store temporary SMS codes in the database, you don't have to worry
  99. about phishing, you don't have to worry about SIM swapping, and you don't have
  100. to sign up for some paid SMS API like Twilio. It's more secure and it's trivial
  101. to implement — so implement it already! Please!
  103. ---
  105. **Update 2022-10-19 @ 07:45 UTC**: A reader pointed out that it's important to
  106. have rate limiting on your TOTP attempts, or else a brute force attack can be
  107. effective. Fair point!