* Initialized basic outline of TOTP backend using Postgresql backend as template * Updated TOTP backend.go's structure and help string * Updated TOTP path_roles.go's structure and help strings * Updated TOTP path_role_create.go's structure and help strings * Fixed typo in path_roles.go * Fixed errors in path_role_create.go and path_roles.go * Added TOTP secret backend information to cli commands * Fixed build errors in path_roles.go and path_role_create.go * Changed field values of period and digits from uint to int, added uint conversion of period when generating passwords * Initialized TOTP test file based on structure of postgresql test file * Added enforcement of input values * Added otp library to vendor folder * Added test steps and cleaned up errors * Modified read credential test step, not working yet * Use of vendored package not allowed - Test error * Removed vendor files for TOTP library * Revert "Removed vendor files for TOTP library" This reverts commit fcd030994bc1741dbf490f3995944e091b11da61. * Hopefully fixed vendor folder issue with TOTP Library * Added additional tests for TOTP backend * Cleaned up comments in TOTP backend_test.go * Added default values of period, algorithm and digits to field schema * Changed account_name and issuer fields to optional * Removed MD5 as a hash algorithm option * Implemented requested pull request changes * Added ability to validate TOTP codes * Added ability to have a key generated * Added skew, qr size and key size parameters * Reset vendor.json prior to merge * Readded otp and barcode libraries to vendor.json * Modified help strings for path_role_create.go * Fixed test issue in testAccStepReadRole * Cleaned up error formatting, variable names and path names. Also added some additional documentation * Moveed barcode and url output to key creation function and did some additional cleanup based on requested changes * Added ability to pass in TOTP urls * Added additional tests for TOTP server functions * Removed unused QRSize, URL and Generate members of keyEntry struct * Removed unnecessary urlstring variable from pathKeyCreate * Added website documentation for TOTP secret backend * Added errors if generate is true and url or key is passed, removed logger from backend, and revised parameter documentation. * Updated website documentation and added QR example * Added exported variable and ability to disable QR generation, cleaned up error reporting, changed default skew value, updated documentation and added additional tests * Updated API documentation to inlude to exported variable and qr size option * Cleaned up return statements in path_code, added error handling while validating codes and clarified documentation for generate parameters in path_keys
3.5 KiB
otp: One Time Password utilities Go / Golang
Why One Time Passwords?
One Time Passwords (OTPs) are an mechanism to improve security over passwords alone. When a Time-based OTP (TOTP) is stored on a user's phone, and combined with something the user knows (Password), you have an easy on-ramp to Multi-factor authentication without adding a dependency on a SMS provider. This Password and TOTP combination is used by many popular websites including Google, Github, Facebook, Salesforce and many others.
The otp
library enables you to easily add TOTPs to your own application, increasing your user's security against mass-password breaches and malware.
Because TOTP is standardized and widely deployed, there are many mobile clients and software implementations.
otp
Supports:
- Generating QR Code images for easy user enrollment.
- Time-based One-time Password Algorithm (TOTP) (RFC 6238): Time based OTP, the most commonly used method.
- HMAC-based One-time Password Algorithm (HOTP) (RFC 4226): Counter based OTP, which TOTP is based upon.
- Generation and Validation of codes for either algorithm.
Implementing TOTP in your application:
User Enrollment
For an example of a working enrollment work flow, Github has documented theirs, but the basics are:
- Generate new TOTP Key for a User.
key,_ := totp.Generate(...)
. - Display the Key's Secret and QR-Code for the User.
key.Secret()
andkey.Image(...)
. - Test that the user can successfully use their TOTP.
totp.Validate(...)
. - Store TOTP Secret for the User in your backend.
key.Secret()
- Provide the user with "recovery codes". (See Recovery Codes bellow)
Code Generation
- In either TOTP or HOTP cases, use the
GenerateCode
function and a counter ortime.Time
struct to generate a valid code compatible with most implementations. - For uncommon or custom settings, or to catch unlikely errors, use
GenerateCodeCustom
in either module.
Validation
- Prompt and validate User's password as normal.
- If the user has TOTP enabled, prompt for TOTP passcode.
- Retrieve the User's TOTP Secret from your backend.
- Validate the user's passcode.
totp.Validate(...)
Recovery Codes
When a user loses access to their TOTP device, they would no longer have access to their account. Because TOTPs are often configured on mobile devices that can be lost, stolen or damaged, this is a common problem. For this reason many providers give their users "backup codes" or "recovery codes". These are a set of one time use codes that can be used instead of the TOTP. These can simply be randomly generated strings that you store in your backend. Github's documentation provides an overview of the user experience.
Improvements, bugs, adding feature, etc:
Please open issues in Github for ideas, bugs, and general thoughts. Pull requests are of course preferred :)
License
otp
is licensed under the Apache License, Version 2.0