All Projects → philnash → crotp

philnash / crotp

Licence: MIT license
CrOTP - One Time Passwords for Crystal

Programming Languages

crystal
512 projects

Projects that are alternatives of or similar to crotp

otp-java
A small and easy-to-use one-time password generator library for Java according to RFC 4226 (HOTP) and RFC 6238 (TOTP).
Stars: ✭ 107 (+72.58%)
Mutual labels:  otp, totp, hotp, two-factor-authentication, 2fa
Onetimepassword
🔑 A small library for generating TOTP and HOTP one-time passwords on iOS.
Stars: ✭ 243 (+291.94%)
Mutual labels:  otp, totp, hotp, two-factor-authentication, 2fa
2FAuth
A Web app to manage your Two-Factor Authentication (2FA) accounts and generate their security codes
Stars: ✭ 664 (+970.97%)
Mutual labels:  otp, totp, hotp, two-factor-authentication, 2fa
Otp.net
A .NET implementation of TOTP and HOTP for things like two-factor authentication codes.
Stars: ✭ 424 (+583.87%)
Mutual labels:  otp, totp, two-factor-authentication, 2fa
Otplib
🔑 One Time Password (OTP) / 2FA for Node.js and Browser - Supports HOTP, TOTP and Google Authenticator
Stars: ✭ 916 (+1377.42%)
Mutual labels:  otp, hotp, two-factor-authentication, 2fa
Freeotpplus
Enhanced fork of FreeOTP-Android providing a feature-rich 2FA authenticator
Stars: ✭ 223 (+259.68%)
Mutual labels:  otp, totp, hotp, 2fa
apache 2fa
Apache two-factor (2FA) authentication with Google Authenticator based on Time-based One-Time Password (TOTP) or HMAC-based one-time password (HOTP) Algorithms.
Stars: ✭ 63 (+1.61%)
Mutual labels:  totp, hotp, two-factor-authentication, 2fa
One Time
One Time Password (TOTP and HOTP) library for Clojure. TOTP/HOTP is widely used for Two Factor / Multi Factor Authentication.
Stars: ✭ 129 (+108.06%)
Mutual labels:  totp, hotp, two-factor-authentication, 2fa
Authenticatorpro
📱 Two-Factor Authentication (2FA) client for Android + Wear OS
Stars: ✭ 155 (+150%)
Mutual labels:  totp, hotp, two-factor-authentication, 2fa
rx-otp
HMAC-based (HOTP) and Time-based (TOTP) One-Time Password manager. Works with Google Authenticator for Two-Factor Authentication.
Stars: ✭ 79 (+27.42%)
Mutual labels:  otp, totp, hotp, two-factor-authentication
Twofactor totp
🔑 Second factor TOTP (RFC 6238) provider for Nextcloud
Stars: ✭ 203 (+227.42%)
Mutual labels:  otp, totp, two-factor-authentication, 2fa
Java Otp
A one-time password (HOTP/TOTP) library for Java
Stars: ✭ 265 (+327.42%)
Mutual labels:  totp, hotp, two-factor-authentication, 2fa
Otpauth
One Time Password (HOTP/TOTP) library for Node.js, Deno and browsers.
Stars: ✭ 135 (+117.74%)
Mutual labels:  otp, totp, hotp, two-factor-authentication
Andotp
Open source two-factor authentication for Android
Stars: ✭ 3,326 (+5264.52%)
Mutual labels:  otp, totp, hotp, two-factor-authentication
Aegis
A free, secure and open source app for Android to manage your 2-step verification tokens.
Stars: ✭ 2,692 (+4241.94%)
Mutual labels:  otp, totp, hotp, 2fa
Otphp
🔐 A PHP library for generating one time passwords according to RFC 4226 (HOTP) and the RFC 6238 (TOTP)
Stars: ✭ 857 (+1282.26%)
Mutual labels:  otp, totp, hotp
Jsotp
Javascript One-Time Password module.
Stars: ✭ 71 (+14.52%)
Mutual labels:  otp, totp, hotp
Privacyidea
🔐 multi factor authentication system (2FA, MFA, OTP Server)
Stars: ✭ 1,027 (+1556.45%)
Mutual labels:  otp, two-factor-authentication, 2fa
Multiotp
multiOTP open source strong two factor authentication PHP library, OATH certified, with TOTP, HOTP, Mobile-OTP, YubiKey, SMS, QRcode provisioning, etc.
Stars: ✭ 173 (+179.03%)
Mutual labels:  otp, totp, hotp
Glewlwyd
Single Sign On server, OAuth2, Openid Connect, multiple factor authentication with, HOTP/TOTP, FIDO2, TLS Certificates, etc. extensible via plugins
Stars: ✭ 292 (+370.97%)
Mutual labels:  otp, totp, hotp

CrOTP

The Crystal One Time Password library. Use this to generate HOTP or TOTP codes for two factor authentication.

Build Status

Table of Contents

Installation

Add this to your application's shard.yml:

dependencies:
  crotp:
    github: philnash/crotp

Usage

HOTP

require "crotp"

hotp = CrOTP::HOTP.new("secret")
counter = 1

# Generate a token
token = hotp.generate(counter)
# => "533881"

# Verify code
result = hotp.verify(token, counter)
# => true

TOTP

require "crotp"

totp = CrOTP::TOTP.new("secret")

# Generate a code at a specific time stamp (by default, #generate will make a
# code using Time.now)
token = totp.generate(at: 1484007247)
# => "020567"

# Verify code at a specific time stamp
result = totp.verify(token, at: 1484007247)
# => true

# Verify code at different time stamp, with allowed drift
result = totp.verify(token, at: 1484007299, allowed_drift: 1)
# => true

# Verify code at different time stamp, outside allowed drift
result = totp.verify(token, at: 1484007300, allowed_drift: 1)
# => false

TOTP hashing algorithms

According to RFC 6238 section 1.2:

TOTP implementations MAY use HMAC-SHA-256 or HMAC-SHA-512 functions, based on SHA-256 or SHA-512 hash functions, instead of the HMAC-SHA-1 function that has been specified for the HOTP computation in RFC4226.

To use either SHA-256 or SHA-512 as the hashing function, initialise your CrOTP::TOTP object with the algorithm you want:

require "crotp"

totp = CrOTP::TOTP.new("secret", algorithm: OpenSSL::Algorithm::SHA512)

Note: authenticator applications may ignore the algorithm parameter when you encode your secret in a URL/QR code as below.

Authenticator applications

To share secrets with an authenticator application, like Authy or Google Authenticator you need a URI that you can share as a QR code. The implementation details for the URI are in the Google Authenticator wiki.

Here is how you can get the URI and, in case your user can't scan the code, the base 32 representation of the secret.

HOTP

# For HOTP you need the initial counter and an issuer
puts hotp.authenticator_uri(initial_counter: 0, issuer: "Test app")
# => otpauth://hotp/Test%20app?secret=ONSWG4TFOQ&algorithm=SHA1&counter=0&digits=6&issuer=Test%20app

# You can add a user account detail too, normally an email address or username, that shows up in the authenticator app
puts hotp.authenticator_uri(initial_counter: 0, issuer: "Test app", user: "[email protected]")
# => otpauth://hotp/Test%20app:philnash%40example.com?secret=ONSWG4TFOQ&algorithm=SHA1&counter=0&digits=6&issuer=Test%20app

TOTP

# For TOTP you only need an issuer
puts totp.authenticator_uri(issuer: "Test app")
# => otpauth://totp/Test%20app?secret=ONSWG4TFOQ&algorithm=SHA1&period=30&digits=6&issuer=Test%20app

# You can add a user detail here too
puts totp.authenticator_uri(issuer: "Test app", user: "[email protected]")
# => otpauth://totp/Test%20app:philnash%40example.com?secret=ONSWG4TFOQ&algorithm=SHA1&period=30&digits=6&issuer=Test%20app

Base 32 secret

puts hotp.base32_secret
# => ONSWG4TFOQ

puts totp.base32_secret
# => ONSWG4TFOQ

You can see and run these examples and more in example/crotp.cr.

Todo

  • Basic HOTP and TOTP generation and verification
  • Rewrite int_to_bytes and extract from CrOTP::OTP
  • Verifying a token over a window of counters/time
  • Google Authenticator otpauth URI generation
  • Ability to choose algorithm (currently only sha1)
  • Ability to choose size of period in TOTP
  • Example application using Kemal
  • Much more documentation

Running the project locally

First clone the project:

git clone https://github.com/philnash/crotp.git
cd crotp

Run the tests with:

crystal spec

Contributing

  1. Fork it ( https://github.com/philnash/crotp/fork )
  2. Create your feature branch (git checkout -b my-new-feature)
  3. Commit your changes (git commit -am 'Add some feature')
  4. Push to the branch (git push origin my-new-feature)
  5. Create a new Pull Request

License

This code is available as open source under the terms of the MIT License.

Contributors

Note that the project description data, including the texts, logos, images, and/or trademarks, for each open source project belongs to its rightful owner. If you wish to add or remove any projects, please contact us at [email protected].