Comments (3)
@unrealwill As the author mentioned, the service provides the secret to you (as noted, mostly in the form of a QR code) because both (you and the service) need the same secret to generate the right codes based on the current time. You never get to choose, it is provided to you.
There is no security issue with his example usage because those codes are not attached to anyone's service. I could load his code into my Google Authenticator app on my Android phone and nothing would be harmed. I wouldn't be able to use that code for any account (Google, Dropbox, GitHub, etc.) because those services have different secrets that were generated at the time I set them up.
To use this for real, you need to provide the secret that your service gave you. But that being said, I am pretty sure this is just sample code, not something that anyone should actually use, because you have to keep your secret out in the open and provide it to the script every time you want to use it. In most production-ready TOTP apps, the secret for each account is not visible after it is loaded; only the resultant time code is available.
Also, there is nothing magical about 'Google Authenticator': it is just an application that uses a standard algorithm that happens to work with Google. It is not tied to your Google account directly and can be used for other services using the same TOTP algorithm.
The secret key provided in this project is only for demo and testing purposes. Of course, it should not be used with any real account because anyone can copy this key and generate the same TOTPs as you do.
Usually, when we sign up for TOTP-based two factor authentication on any website, that website generates a secret-key, encodes it into a QR code, and asks us (the user) to scan the QR code with a software-based authenticator app such as Google Authenticator on our mobile phone. In this manner, the website and the authenticator app establish the same shared secret key and they can both generate the same TOTP values.
Can you add a "step 0: choose a secret" with a warning not to pick your default example?
Because it seems like your project could be used to spear-phish novice hackers.
I am not familiar with Google Authenticator, but I was wondering how bad it was to follow your tutorial with a public secret:
if you manage to convince someone with a known email to follow the tutorial with the provided example, can you then use a Google reset password (or pair your account with a brand new Google Authenticator app) and enter the verification code (you can compute) to steal the account?