CrOTP alternatives and similar shards
Based on the "Algorithms and Data structures" category
Do you think we are missing an alternative of CrOTP or a related project?
The Crystal One Time Password library. Use this to generate HOTP or TOTP codes for two factor authentication.
Table of Contents
- Authenticator applications
- Running the project locally
Add this to your application's
dependencies: crotp: github: philnash/crotp
require "crotp" hotp = CrOTP::HOTP.new("secret") counter = 1 # Generate a token token = hotp.generate(counter) # => "533881" # Verify code result = hotp.verify(token, counter) # => true
require "crotp" totp = CrOTP::TOTP.new("secret") # Generate a code at a specific time stamp (by default, #generate will make a # code using Time.now) token = totp.generate(at: 1484007247) # => "020567" # Verify code at a specific time stamp result = totp.verify(token, at: 1484007247) # => true # Verify code at different time stamp, with allowed drift result = totp.verify(token, at: 1484007299, allowed_drift: 1) # => true # Verify code at different time stamp, outside allowed drift result = totp.verify(token, at: 1484007300, allowed_drift: 1) # => false
TOTP hashing algorithms
According to RFC 6238 section 1.2:
TOTP implementations MAY use HMAC-SHA-256 or HMAC-SHA-512 functions, based on SHA-256 or SHA-512 hash functions, instead of the HMAC-SHA-1 function that has been specified for the HOTP computation in RFC4226.
To use either SHA-256 or SHA-512 as the hashing function, initialise your
CrOTP::TOTP object with the algorithm you want:
require "crotp" totp = CrOTP::TOTP.new("secret", algorithm: OpenSSL::Algorithm::SHA512)
Note: authenticator applications may ignore the algorithm parameter when you encode your secret in a URL/QR code as below.
To share secrets with an authenticator application, like Authy or Google Authenticator you need a URI that you can share as a QR code. The implementation details for the URI are in the Google Authenticator wiki.
Here is how you can get the URI and, in case your user can't scan the code, the base 32 representation of the secret.
# For HOTP you need the initial counter and an issuer puts hotp.authenticator_uri(initial_counter: 0, issuer: "Test app") # => otpauth://hotp/Test%20app?secret=ONSWG4TFOQ&algorithm=SHA1&counter=0&digits=6&issuer=Test%20app # You can add a user account detail too, normally an email address or username, that shows up in the authenticator app puts hotp.authenticator_uri(initial_counter: 0, issuer: "Test app", user: "firstname.lastname@example.org") # => otpauth://hotp/Test%20app:philnash%40example.com?secret=ONSWG4TFOQ&algorithm=SHA1&counter=0&digits=6&issuer=Test%20app
# For TOTP you only need an issuer puts totp.authenticator_uri(issuer: "Test app") # => otpauth://totp/Test%20app?secret=ONSWG4TFOQ&algorithm=SHA1&period=30&digits=6&issuer=Test%20app # You can add a user detail here too puts totp.authenticator_uri(issuer: "Test app", user: "email@example.com") # => otpauth://totp/Test%20app:philnash%40example.com?secret=ONSWG4TFOQ&algorithm=SHA1&period=30&digits=6&issuer=Test%20app
Base 32 secret
puts hotp.base32_secret # => ONSWG4TFOQ puts totp.base32_secret # => ONSWG4TFOQ
You can see and run these examples and more in
- [x] Basic HOTP and TOTP generation and verification
- [x] Rewrite
int_to_bytesand extract from
- [x] Verifying a token over a window of counters/time
- [x] Google Authenticator otpauth URI generation
- [x] Ability to choose algorithm (currently only sha1)
- [ ] Ability to choose size of period in TOTP
- [ ] Example application using Kemal
- [ ] Much more documentation
Running the project locally
First clone the project:
git clone https://github.com/philnash/crotp.git cd crotp
Run the tests with:
- Fork it ( https://github.com/philnash/crotp/fork )
- Create your feature branch (git checkout -b my-new-feature)
- Commit your changes (git commit -am 'Add some feature')
- Push to the branch (git push origin my-new-feature)
- Create a new Pull Request
This code is available as open source under the terms of the MIT License.
*Note that all licence references and agreements mentioned in the CrOTP README section above are relevant to that project's source code only.