Using the algorithm specified in RFC 4226, this library can generate and verify HMAC-based one-time passwords (HOTP) and time-based one-time passwords (TOTP).
- Generate base-32 encoded secrets.
- Generate HMAC-based one-time passwords (HOTP) at a specific length.
- Generate time-based HOTPs (TOTP) for a specific number of time windows before or after the current one.
- Verify generated tokens.
For each account, a secret must be generated and shared between the server and the client. This secret will be used to create and verify HOTPs.
const secret = twoFA.generateSecret();
HOTP requires a base32-encoded secret and a counter; in this example the counter is derived from the current time using a 30-second time step.
// Generate base32 secret
const secret = twoFA.generateSecret();
// Create counter with 30 seconds interval
const counter = Math.floor(Date.now() / 30000);
// Generate a 6-digit HOTP for this counter value
const hotp = twoFA.generateHOTP(secret, counter, 6);
Generating a TOTP gives you the HOTP for a specific time window, expressed as an offset from the current window.
const secret = twoFA.generateSecret();
// Get the current time window's token
const currentTotp = twoFA.generateTOTP(secret, 0);
// Get the future time window's token (1 window ahead)
const futureTotp = twoFA.generateTOTP(secret, 1);
// Get the past time window's token (1 window behind)
const pastTotp = twoFA.generateTOTP(secret, -1);
Verify tokens supplied via user input.
function verifyHOTP(inputToken, secret) {
  // `secret` is the account's stored secret, generated once with twoFA.generateSecret()
  // and shared with the client; generating a fresh secret here would never match.
  const counter = Math.floor(Date.now() / 30000);
  // Actual token generated by the server for the current counter
  const actualToken = twoFA.generateHOTP(secret, counter, 6);
  return inputToken === actualToken;
}
Verify tokens supplied via user input with a time tolerance.
const secret = twoFA.generateSecret();
const inputToken = '111111';
/* This will return true if the input token
- is currently valid,
- was previously valid in the last window,
- will be valid in the next window.
*/
const isTokenValid = twoFA.verifyTOTP(inputToken, secret, 1);
- Boran Seckin
This project is licensed under the MIT License - see the LICENSE file for details.