
Two factor authentication

Mark Samman edited this page Apr 20, 2016 · 1 revision

Two factor authentication adds another layer of security to an account. A pseudo-random token based on time and a secret is generated and must be input for a login to be valid, as an additional ephemeral password.

A secret is 10 bytes of random data, Base32 (RFC 3548) encoded, which yields a 16-character string. This secret is shared only between the server and the account owner, usually hidden in a QR code that is read by a tool such as Google Authenticator or Authy, which will then generate the tokens.

This secret is NOT created by the server, but rather should be generated by whatever you use to create accounts (i.e. your AAC). To generate the secret, simply generate 16 characters from the Base32 alphabet of the RFC mentioned above. Example, in Lua:

-- prologue
-- RFC 3548 Base32 alphabet: A-Z and 2-7 (32 symbols)
local alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567'

-- generating secret: 16 random Base32 characters (10 bytes of entropy)
-- note: math.random is not a cryptographically secure generator; seed it
-- (math.randomseed) and prefer a CSPRNG if your environment provides one
function generateSecret()
    local output = {}
    for i = 1, 16 do
        local digit = math.random(1, alphabet:len())
        output[i] = alphabet:sub(digit, digit)
    end
    return table.concat(output)
end

You should store this secret in the secret column of the account table; this column is created automatically on server startup if you have an older database version.

That said, you need to generate an otpauth:// URL that will be converted to a QR code or handed straight to the user (consider offering this option for power users). Generate the URL as follows:

-- otpauth URL format: label is "issuer:account", issuer is repeated as a query parameter
-- names containing characters that are not URL-safe (e.g. spaces) should be percent-encoded first
local url = 'otpauth://totp/%s:%s?secret=%s&issuer=%s'
function generateURL(accountName, serverName)
    local secret = generateSecret() -- remember to store this same secret in the account table
    return url:format(serverName, accountName, secret, serverName)
end

Provide the account name and server name accordingly. You can also pass the owner name or email as the last parameter (issuer). It will generate a URL like this:

otpauth://totp/Forgotten:ranisalt?secret=FQRBV6IAOR4NQECI&issuer=Forgotten

It can be converted into a QR code using whatever tools your language or framework provides. Show it to the user so they can add it to a token generator and start using the tokens.

https://imgur.com/vatNyuz
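To show what the server does with that secret at login time, here is an added example (not code from The Forgotten Server or the wiki author) in Python: it generates a secret from the same Base32 alphabet using a CSPRNG, decodes the 16-character secret back to its 10 key bytes, computes the RFC 6238 TOTP token (HMAC-SHA1, 30-second step, 6 digits, the defaults Google Authenticator and Authy use for such URLs), and verifies a submitted token with a small clock-drift window and a constant-time compare. The function names and the `window` parameter are this example's own.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time
from typing import Optional

# RFC 3548 Base32 alphabet, the same one the wiki's Lua snippet draws from
ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"

def generate_secret() -> str:
    """16 Base32 characters (10 bytes of entropy) drawn from a CSPRNG, unlike Lua's math.random."""
    return "".join(secrets.choice(ALPHABET) for _ in range(16))

def decode_secret(secret: str) -> bytes:
    """Decode the Base32 secret to raw key bytes (16 chars -> 10 bytes, no padding needed)."""
    return base64.b32decode(secret.upper())

def totp(secret: str, for_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1: the code an authenticator app shows at for_time."""
    counter = struct.pack(">Q", for_time // step)            # 8-byte big-endian time step
    digest = hmac.new(decode_secret(secret), counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                               # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def verify_token(secret: str, token: str, now: Optional[int] = None,
                 window: int = 1, step: int = 30) -> bool:
    """Server-side check: accept the token for the current step or `window` steps either side."""
    if now is None:
        now = int(time.time())
    for i in range(-window, window + 1):
        # constant-time comparison so response timing does not leak how many digits matched
        if hmac.compare_digest(totp(secret, now + i * step, step), token):
            return True
    return False

if __name__ == "__main__":
    s = generate_secret()
    print("secret:", s)
    # constructed sample label/issuer, matching the wiki's example URL
    print("otpauth://totp/Forgotten:ranisalt?secret=%s&issuer=Forgotten" % s)
    print("current token:", totp(s, int(time.time())))
```

Larger windows tolerate more phone clock drift but also widen the window in which an intercepted token stays valid; one step either side is the usual compromise.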

DON'T FORGET that users might lose their token generator. Provide a way to log in without using a token (such as one-time-use recovery codes that disable the secret) so people don't lose their accounts for being clumsy.
