All Projects β†’ yeojz β†’ Otplib

yeojz / Otplib

Licence: mit
πŸ”‘ One Time Password (OTP) / 2FA for Node.js and Browser - Supports HOTP, TOTP and Google Authenticator

Programming Languages

32286 projects

Projects that are alternatives of or similar to Otplib

One Time Password (HOTP/TOTP) library for Node.js, Deno and browsers.
Stars: ✭ 135 (-85.26%)
Mutual labels:  otp, two-factor-authentication, authenticator, hotp, two-factor, browser
A Web app to manage your Two-Factor Authentication (2FA) accounts and generate their security codes
Stars: ✭ 664 (-27.51%)
Mutual labels:  otp, two-factor, hotp, two-factor-authentication, 2fa
πŸ”‘ A small library for generating TOTP and HOTP one-time passwords on iOS.
Stars: ✭ 243 (-73.47%)
Mutual labels:  otp, 2fa, two-factor-authentication, hotp
Enhanced fork of FreeOTP-Android providing a feature-rich 2FA authenticator
Stars: ✭ 223 (-75.66%)
Mutual labels:  otp, 2fa, authenticator, hotp
A free, secure and open source app for Android to manage your 2-step verification tokens.
Stars: ✭ 2,692 (+193.89%)
Mutual labels:  otp, 2fa, authenticator, hotp
CrOTP - One Time Passwords for Crystal
Stars: ✭ 62 (-93.23%)
Mutual labels:  otp, hotp, two-factor-authentication, 2fa
A small and easy-to-use one-time password generator library for Java according to RFC 4226 (HOTP) and RFC 6238 (TOTP).
Stars: ✭ 107 (-88.32%)
Mutual labels:  otp, hotp, two-factor-authentication, 2fa
Twofactor totp
πŸ”‘ Second factor TOTP (RFC 6238) provider for Nextcloud
Stars: ✭ 203 (-77.84%)
Mutual labels:  otp, 2fa, two-factor-authentication, two-factor
apache 2fa
Apache two-factor (2FA) authentication with Google Authenticator based on Time-based One-Time Password (TOTP) or HMAC-based one-time password (HOTP) Algorithms.
Stars: ✭ 63 (-93.12%)
Mutual labels:  two-factor, hotp, two-factor-authentication, 2fa
πŸ“± Two-Factor Authentication (2FA) client for Android + Wear OS
Stars: ✭ 155 (-83.08%)
Mutual labels:  2fa, two-factor-authentication, authenticator, hotp
πŸ” multi factor authentication system (2FA, MFA, OTP Server)
Stars: ✭ 1,027 (+12.12%)
Mutual labels:  otp, 2fa, two-factor-authentication, two-factor
Time-Based One-Time Password Code Generator
Stars: ✭ 76 (-91.7%)
Mutual labels:  two-factor, authenticator, two-factor-authentication, 2fa
Generating 2FA codes in your terminal
Stars: ✭ 23 (-97.49%)
Mutual labels:  two-factor, two-factor-authentication, 2fa
Java Otp
A one-time password (HOTP/TOTP) library for Java
Stars: ✭ 265 (-71.07%)
Mutual labels:  2fa, two-factor-authentication, hotp
Open source two-factor authentication for Android
Stars: ✭ 3,326 (+263.1%)
Mutual labels:  otp, two-factor-authentication, hotp
Google Authenticator
Stars: ✭ 20 (-97.82%)
Mutual labels:  two-factor, authenticator, two-factor-authentication
Two Factor Auth
Generate 2FA tokens compatible with Google Authenticator
Stars: ✭ 352 (-61.57%)
Mutual labels:  2fa, two-factor-authentication, two-factor
HMAC-based (HOTP) and Time-based (TOTP) One-Time Password manager. Works with Google Authenticator for Two-Factor Authentication.
Stars: ✭ 79 (-91.38%)
Mutual labels:  otp, hotp, two-factor-authentication
A .NET implementation of TOTP and HOTP for things like two-factor authentication codes.
Stars: ✭ 424 (-53.71%)
Mutual labels:  otp, 2fa, two-factor-authentication
Yubikey Manager Qt
Cross-platform application for configuring any YubiKey over all USB interfaces.
Stars: ✭ 137 (-85.04%)
Mutual labels:  otp, 2fa, hotp


Time-based (TOTP) and HMAC-based (HOTP) One-Time Password library

npm Build Status Coverage Status npm downloads TypeScript Support


otplib is a JavaScript One Time Password (OTP) library for OTP generation and verification.

It implements both HOTP - RFC 4226 and TOTP - RFC 6238, and are tested against the test vectors provided in their respective RFC specifications. These datasets can be found in the tests/data folder.

This library is also compatible with Google Authenticator, and includes additional methods to allow you to work with Google Authenticator.


  • Typescript support
  • Class interfaces
  • Function interfaces
  • Async interfaces
  • Pluggable modules (crypto / base32)
    • crypto (node)
    • crypto-js
    • @ronomon/crypto-async
    • thirty-two
    • base32-encode + base32-decode
  • Presets provided
    • browser
    • default (node)
    • default-async (same as default, but with async methods)
    • v11 (adapter for previous version)

Quick Start

If you need to customise your base32 or crypto libraries, check out the In-Depth Guide and Available Packages

In Node.js

npm install otplib --save
import { authenticator } from 'otplib';

// Alternative:
// const secret = authenticator.generateSecret();
// Note: .generateSecret() is only available for authenticator and not totp/hotp

const token = authenticator.generate(secret);

try {
  const isValid = authenticator.check(token, secret);
  // or
  const isValid = authenticator.verify({ token, secret });
} catch (err) {
  // Possible errors
  // - options validation
  // - "Invalid input - it is not base32 encoded string" (if thiry-two is used)

Please replace "authenticator" with "totp" or "hotp" depending on your requirements.

// For TOTP
import { totp } from 'otplib';
const token = totp.generate(secret);
const isValid = totp.check(token, secret);
const isValid = totp.verify({ token, secret });

// For HOTP
import { hotp } from 'otplib';
const token = hotp.generate(secret, counter);
const isValid = hotp.check(token, secret, counter);
const isValid = hotp.verify({ token, secret, counter });

For all available APIs, please refer to API Documentation.

In Browser

The browser preset is a self-contained umd module, and it is provided in a separate bundle.

npm install @otplib/preset-browser --save

The following is an example, where we are using the scripts hosted by

<script src="[email protected]^12.0.0/buffer.js"></script>
<script src="[email protected]^12.0.0/index.js"></script>

<script type="text/javascript">
  // window.otplib.authenticator
  // window.otplib.hotp
  // window.otplib.totp

For more details, please refer to the @otplib/preset-browser documentation.


API / Demo Website

Version Links
v12.x Website / API / Readme
v11.x API / Readme
v10.x and below Available via git history


This library follows semver. As such, major version bumps usually mean API changes or behavior changes. Please check upgrade notes for more information, especially before making any major upgrades.

To simplify releases, all packages within this repository have their versions synced. Therefore, if there are any releases or updates to a package, we will bump all packages.

Check out the release notes associated with each tagged versions in the releases page.

Release Type Version Pattern Command
Current / Stable 0.0.0 npm install otplib npm
Release Candidate 0.0.0-0 npm install [email protected] npm

Migrating from v11.x

v12.x is a huge architectural and language rewrite. Please check out the docs if you are migrating. A preset adapter is available to provide methods that behave like v11.x of otplib.

// Update
import { authenticator } from 'otplib'; // v11.x
// to
import { authenticator } from '@otplib/preset-v11';

// There should be no changes to your current code.
// However, deprecated or modified class methods will have console.warn.

Available Options

All instantiated classes will have their options inherited from their respective options generator. i.e. HOTP from hotpOptions, TOTP from totpOptions and Authenticator from authenticatorOptions.

All OTP classes have an object setter and getter method to override these default options.

For example,

import { authenticator, totp, hotp } from 'otplib';

// setting
authenticator.options = { digits: 6 };
totp.options = { digits: 6 };
hotp.options = { digits: 6 };

// getting
const opts = authenticator.options;
const opts = totp.options;
const opts = hotp.options;

// reset to default

// getting all options, with validation
// and backfilled with library defaults
const opts = authenticator.allOptions();
const opts = totp.allOptions();
const opts = hotp.allOptions();

HOTP Options

Option Type Description
algorithm string The algorithm used for calculating the HMAC.
createDigest function Creates the digest which token is derived from.
createHmacKey function Formats the secret into a HMAC key, applying transformations (like padding) where needed.
digest string USE WITH CAUTION. Same digest = same token.
Used in cases where digest is generated externally. (eg: async use cases)
digits integer The length of the token.
encoding string The encoding that was used on the secret.
// HOTP defaults
  algorithm: 'sha1'
  createDigest: undefined, // to be provided via a @otplib/plugin-*
  createHmacKey: hotpCreateHmacKey,
  digits: 6,
  encoding: 'ascii',

TOTP Options

Note: Includes all HOTP Options

Option Type Description
epoch integer USE WITH CAUTION. Same epoch = same token.
Starting time since the UNIX epoch (seconds).
Epoch is JavaScript formatted. i.e. or UNIX time * 1000
step integer Time step (seconds)
window integer,
[number, number]
Tokens in the previous and future x-windows that should be considered valid.
If integer, same value will be used for both.
Alternatively, define array: [past, future]
// TOTP defaults
  // ...includes all HOTP defaults
  createHmacKey: totpCreateHmacKey,
  step: 30,
  window: 0,

Authenticator Options

Note: Includes all HOTP + TOTP Options

Option Type Description
createRandomBytes function Creates a random string containing the defined number of bytes to be used in generating a secret key.
keyEncoder function Encodes a secret key into a Base32 string before it is sent to the user (in QR Code etc).
keyDecoder function Decodes the Base32 string given by the user into a secret.
// Authenticator defaults
  // ...includes all HOTP + TOTP defaults
  encoding: 'hex',
  createRandomBytes: undefined, // to be provided via a @otplib/plugin-*
  keyEncoder: undefined, // to be provided via a @otplib/plugin-*
  keyDecoder: undefined, // to be provided via a @otplib/plugin-*


Type Definitions

TypeScript support was introduced in v10.0.0, which added type definitions over .js files.

As of v12.0.0, the library has been re-written in Typescript from the ground up.

Async Support

async support was introduced in v12.0.0 as an additional core library.

This was added as some libraries like or even the browser API (window.Crypto.subtle) started providing only async methods.

You to find more details in the core-async folder.

Browser Compatiblity

@otplib/preset-browser is a umd bundle with some node modules replaced to reduce the browser size.

The approximate size for the optimised, minified + gzipped bundle is 9.53KB. Paired with the gzipped browser buffer.js module, it would be about 7.65KB + 9.53KB = 17.18KB.

For more details, please refer to the @otplib/preset-browser documentation.

Length of Secrets

In RFC 6238, the secret / seed length for different algorithms are predefined:

HMAC-SHA1 - 20 bytes
HMAC-SHA256 - 32 bytes
HMAC-SHA512 - 64 bytes

As such, the length of the secret provided (after any decoding) will be padded and sliced according to the expected length for respective algorithms.

Google Authenticator

Difference between Authenticator and TOTP

The default encoding option has been set to hex (Authenticator) instead of ascii (TOTP).

RFC3548 Base32

Note: RFC4648 obseletes RFC 3548. Any encoders following the newer specifications will work.

Google Authenticator requires keys to be base32 encoded. It also requires the base32 encoder to be RFC 3548 compliant.

OTP calculation will still work should you want to use other base32 encoding methods (like Crockford's Base32) but it will NOT be compatible with Google Authenticator.

const secret = authenticator.generateSecret(); // base32 encoded hex secret key
const token = authenticator.generate(secret);

Displaying a QR code

You may want to generate and display a QR Code so that users can scan instead of manually entering the secret. Google Authenticator and similar apps take in a QR code that holds a URL with the protocol otpauth://, which you get from authenticator.keyuri.

Google Authenticator will ignore the algorithm, digits, and step options. See the keyuri documentation for more information.

If you are using a different authenticator app, check the documentation for that app to see if any options are ignored, which will result in invalid tokens.

While this library provides the "otpauth" uri, you'll need a library to generate the QR Code image.

An example is shown below:

// npm install qrcode
import qrcode from 'qrcode';
import { authenticator } from '@otplib/preset-default';

const user = 'A user name, possibly an email';
const service = 'A service name';

// v11.x and above
const otpauth = authenticator.keyuri(user, service, secret);

// v10.x and below
const otpauth = authenticator.keyuri(

qrcode.toDataURL(otpauth, (err, imageUrl) => {
  if (err) {
    console.log('Error with QR');

Note: For versions v10.x and below, keyuri does not URI encode user and service. You'll need to do so before passing in the parameteres.

Getting Time Remaining / Time Used

Helper methods for getting the remaining time and used time within a validity period of a totp or authenticator token were introduced in v10.0.0.

authenticator.timeUsed(); // or totp.timeUsed();
authenticator.timeRemaining(); // or totp.timeRemaining();

// The start of a new token would be when:
// - timeUsed() === 0
// - timeRemaining() === step

Using with Expo

Expo contains modified crypto implmentations targeted at the platform. While otplib does not provide an expo specified package, with the re-architecture of otplib, you can now provide an expo native createDigest to the library.

Alternatively, you can make use of crypto provided by @otplib/plugin-crypto-js or the bundled browser umd module @otplib/preset-browser.

Pull Requests are much welcomed for a native expo implementation as well.

Exploring with local-repl

If you'll like to explore the library with local-repl you can do so as well.

# after cloning the repo:
npm run setup
npm run build
npx local-repl
# You should see something like:
# Node v8.9.4, local-repl 4.0.0
# otplib 10.0.0
# Context: otplib
# [otplib] >

[otplib] > otplib.authenticator.generate(secret)

OTP Backup Codes

It is common for services to also provide a set of backup codes to authenticate and bypass the OTP step in the event that you are not able to access your 2FA device or have misplaced the device.

As this process is separate from the specifications for OTP, this library does not provide any backup code related verification logic, and thus would have to be implemented separately.

ECMAScript Modules

Node.js 12 introduced ECMAScript modules support behind the --experimental-modules flag, while Node.js v13 onwards shipped with it enabled by default.

As the feature is still listed as experimental, the packages in this project will continue to be released only in commonjs format for stability. Once the feature moves out of experimental status, we will look to support it.

At the moment, examples in the documentation assumes the use of transpilers (eg: babel). If you are using the Node's experimental import feature, some tweaks to the examples will be needed.

// If the example shows:
import { authenticator } from 'otplib';

// Then for:
// node 12 --experimental-modules
// node 13 onwards
// use the following:
import otplib from 'otplib';

const { authenticator } = otplib;


Thanks goes to these wonderful people (emoji key):

Gerald Yeo
Gerald Yeo

πŸ’» πŸ“– 🚧 ⚠️
Oliver Schneider
Oliver Schneider

Marc-Aurèle DARCHE
Marc-Aurèle DARCHE

Ahmed Hamdy (@shakram02)
Ahmed Hamdy (@shakram02)

Tony Brix
Tony Brix

πŸ’» πŸ“–


This project follows the all-contributors specification. Contributions of any kind welcome!


otplib is MIT licensed

Note that the project description data, including the texts, logos, images, and/or trademarks, for each open source project belongs to its rightful owner. If you wish to add or remove any projects, please contact us at [email protected].