I have written an implementation of Google Authenticator as described here: https://en.wikipedia.org/wiki/Google_Authenticator
Now my only question is: how can I check whether the 6-digit codes my program generates are correct? I haven't been able to find any web demo for developers at Google itself. Elsewhere on the web I found these:
http://blog.tinisles.com/2011/10/google-authenticator-one-time-password-algorithm-in-javascript/
My codes agree with none of these. The first one may be using a wrong time. I don't know about the second one. Is there such an implementation online that is known to be correct?
My implementation uses the 32-bit Unix time as the message. I have checked with sources on the web that the time I generate is correct. I have remembered to use big-endian. I have checked my hmac_sha1 function and it's correct. The hash generated is 20 bytes. As I understand it, the low-order nibble of the last byte is the offset, right? Then the truncated hash is the 4 bytes starting at this offset, interpreted as a big-endian 32-bit integer, albeit with the MSB zeroed. Am I right? Finally you use this modulo 1 million as a 6-digit decimal integer, yes?
The secret key is entered as a base32 string and must be decoded. I have checked that my decoding function is correct.
What can I be doing wrong? Or maybe I'm not doing anything wrong? How can I find out? I could open an account with Google and configure it to use 2FA and then see if I can log in with my own codes, etc., but it's very tedious and I would soon be blocked if my codes are wrong.