Stories with Tag MFA

• Behind the 6-digit code: Building HOTP and TOTP from scratch

  permalink

  Posted: 2025-04-11 13:06:17

  Verbose tl;dr

  This blog post explains how one-time passwords (OTPs), specifically HOTP and TOTP, work. It breaks down the process of generating these codes, starting with a shared secret key and a counter (HOTP) or timestamp (TOTP). This input is then used with the HMAC-SHA1 algorithm to create a hash. The post details how a specific portion of the hash is extracted and truncated to produce the final 6-digit OTP. It clarifies the difference between HOTP, which uses a counter and requires manual synchronization if skipped, and TOTP, which uses time and allows for a small window of desynchronization. The post also briefly discusses the security benefits of OTPs and why they are effective against certain types of attacks.

  The blog post "Behind the 6-digit code: Building HOTP and TOTP from scratch" by Doğacan Güney explores the inner workings of one-time passwords (OTPs), specifically focusing on the two prominent algorithms: HMAC-based One-Time Password (HOTP) and Time-based One-Time Password (TOTP). The author aims to demystify these algorithms by breaking down their implementation step-by-step, ultimately demonstrating how to generate OTPs from scratch.

  The journey begins with an introduction to the concept of two-factor authentication (2FA) and the role OTPs play in enhancing security. The post emphasizes the limitations of static passwords and highlights the benefits of OTPs in mitigating risks associated with phishing and password reuse. It then delves into the specifics of HOTP, explaining that it's an event-based algorithm where each OTP is generated based on a counter. This counter, shared between the client and server, increments with each OTP usage. The core of HOTP lies in the use of a cryptographic hash function, HMAC (Hash-based Message Authentication Code), combined with a shared secret key. The post provides a detailed explanation of how HMAC works, including its reliance on a cryptographic hash function like SHA-1, SHA-256, or SHA-512, and how it ensures the integrity and authenticity of the generated OTP. The output of the HMAC is then truncated using a dynamic truncation algorithm to produce a shorter, user-friendly numeric code. This process, including the selection of specific digits from the hash output, is meticulously described.

  Next, the post transitions to TOTP, explaining that it's a time-based variant of HOTP. Instead of a counter, TOTP utilizes the current time, divided into fixed-length time intervals (usually 30 seconds), as the input to the HMAC algorithm. This time-based approach eliminates the need for strict synchronization between the client and server regarding the counter value. However, it introduces a potential vulnerability related to clock drift. To address this, the post explains how a time window is used to allow for a small discrepancy between the client's and server's clocks, accepting OTPs generated within a range of time intervals.

  The post further clarifies the concept of the shared secret key, explaining that it is crucial for the security of both HOTP and TOTP. This key, shared between the client and server, must be kept confidential and is used as input to the HMAC function. The post also touches on different encoding methods for the secret key, such as base32, which is commonly used for its human-readability and resistance to errors during manual entry.

  Finally, the post concludes by reiterating the importance of OTPs in modern security practices, highlighting the advantages they offer over static passwords. It emphasizes the relative simplicity of the underlying algorithms and the practical benefits of implementing 2FA using HOTP and TOTP. The detailed explanations and step-by-step breakdown provided in the post aim to equip readers with a deeper understanding of how these algorithms work and how they contribute to enhancing online security.

  • HOTP
  • TOTP
  • One-Time Passwords
  • OTP
  • 2FA
  • Two-Factor Authentication
  • MFA
  • Multi-Factor Authentication
  • Security
  • Authentication
  • Algorithm
  • Cryptography
  • Software Development
  • coding
  • programming
  • RFC 4226
  • RFC 6238
  • Time-Based One-Time Password
  • HMAC-Based One-Time Password

  Summary of Comments ( 56 )
  https://news.ycombinator.com/item?id=43653322

  Verbose tl;dr

  HN users generally praised the article for its clear explanation of HOTP and TOTP, breaking down complex concepts into understandable parts. Several appreciated the focus on building the algorithms from the ground up, rather than just using libraries. Some pointed out potential security risks, such as replay attacks and the importance of secure time synchronization. One commenter suggested exploring WebAuthn as a more secure alternative, while another offered a link to a Python implementation of the algorithms. A few discussed the practicality of different hashing algorithms and the history of OTP generation methods. Several users also appreciated the interactive code examples and the overall clean presentation of the article.

  The Hacker News post titled "Behind the 6-digit code: Building HOTP and TOTP from scratch" has generated several comments discussing various aspects of one-time passwords (OTPs).

  Some users delve into the technical details. One comment explains the importance of the counter value in HOTP (HMAC-based One-Time Password algorithm), highlighting how discrepancies between the server's and client's counter can lead to synchronization issues and failed logins. They suggest potential solutions like resynchronization mechanisms where the server accepts a range of OTPs or the use of TOTP (Time-based One-Time Password algorithm) which relies on time synchronization instead of counters.

  Another user questions the necessity of implementing OTP generation from scratch, arguing that existing libraries are generally robust and well-tested. They express concern about potential security vulnerabilities if the implementation isn't carefully vetted. This spurs a discussion about the educational value of building such systems from scratch, with proponents highlighting the deeper understanding gained through the process. This understanding is contrasted with the potential dangers of blindly relying on libraries without comprehending their inner workings.

  The discussion also touches on practical considerations. One comment emphasizes the crucial role of proper secret key management, highlighting the risks associated with weak keys. Another user discusses the usability aspects of OTPs, mentioning potential accessibility challenges for users with certain disabilities. The comment suggests alternative authentication methods might be necessary in such cases to ensure inclusivity.

  Finally, some users share their personal experiences and preferences regarding different OTP methods. Some prefer authenticator apps while others express skepticism due to the potential inconvenience of losing access to their devices. The conversation around alternative authentication schemes also covers push notifications, SMS-based OTPs, and WebAuthn, briefly touching upon their respective security and usability trade-offs. A recurring theme in these discussions is the importance of striking a balance between security and user experience when choosing an authentication mechanism.

• Dual-Link QR Code Generator

  permalink

  Posted: 2025-01-25 20:28:18

  Verbose tl;dr

  DualQRCode.com offers a free online tool to create dual QR codes. These codes seamlessly embed a smaller QR code within a larger one, allowing for two distinct links to be accessed from a single image. The user provides two URLs, customizes the inner and outer QR code colors, and downloads the resulting combined code. This can be useful for scenarios like sharing a primary link with a secondary link for feedback, donations, or further information.

  The website "DualQRCode.com" presents a novel approach to QR code generation, offering the creation of "dual-linked" QR codes. These specialized codes function as gateways to two distinct destinations depending on the scanning device's operating system. Specifically, users input two separate URLs—one designated for Android devices and another for iOS (Apple) devices. Upon scanning, the embedded logic within the generated QR code automatically redirects the user to the appropriate URL based on whether they are using an Android phone or an iPhone/iPad. This dynamic redirection eliminates the need for creating and managing separate QR codes for each platform, simplifying the process for users who wish to direct traffic from a single QR code to different content or experiences tailored to the respective operating systems. The website itself is straightforward and user-friendly, requiring only the input of the two desired URLs into designated fields. Once submitted, the dual-linked QR code is generated and displayed on the screen, ready for download or integration into other materials. This service facilitates a more streamlined approach to cross-platform mobile engagement via QR codes, offering a singular access point that intelligently navigates users to the correct destination based on their device's operating system. The underlying technology leverages the user-agent string provided by the scanning device to identify the operating system and execute the appropriate redirection seamlessly. This provides a convenient solution for marketers, developers, and anyone seeking to optimize the user experience by delivering platform-specific content through a single, unified QR code.

  • QR Code
  • Dual QR Code
  • QR Code Generator
  • Two-Factor Authentication
  • 2FA
  • Authentication
  • Security
  • Online Security
  • Data Security
  • privacy
  • QRCode
  • Generator
  • Dual-Link
  • Multi-Factor Authentication
  • MFA
  • Software
  • web application
  • online tool

  Summary of Comments ( 1 )
  https://news.ycombinator.com/item?id=42824553

  Verbose tl;dr

  Hacker News users discussed the practicality and security implications of dual QR codes. Some questioned the real-world use cases, suggesting existing methods like shortened URLs or link-in-bio services are sufficient. Others raised security concerns, highlighting the potential for one QR code to be swapped with a malicious link while the other remains legitimate, thereby deceiving users. The technical implementation was also debated, with commenters discussing the potential for encoding information across both codes for redundancy or error correction, and the challenges of displaying two codes clearly on physical media. Several commenters suggested alternative approaches, such as using a single QR code that redirects to a page containing multiple links, or leveraging NFC technology. The overall sentiment leaned towards skepticism about the necessity and security of the dual QR code approach.

  The Hacker News post for "Dual-Link QR Code Generator" (https://news.ycombinator.com/item?id=42824553) has several comments discussing the utility and security implications of the tool.

  One commenter highlights the potential for abuse, suggesting that shortened URLs within the QR code could mask malicious links. They emphasize the importance of verifying the destination before clicking, mirroring the general caution surrounding shortened URLs. This concern is echoed by another commenter who points out that the dual QR code approach doesn't inherently address the underlying security issue of trusting shortened links. They argue that a single, verifiable QR code directly encoding the final destination is a more secure solution.

  The practicality of the tool is questioned by a commenter who suggests it's simpler to just use a URL shortener and embed the shortened URL in a single QR code. This comment sparks a discussion about the specific use case presented by the tool's creator, which involves bypassing URL blocking in certain environments. The creator explains that the primary link is often blocked, necessitating a backup link accessible through a different domain. The dual QR code approach allows both links to be readily available.

  This explanation leads to a discussion about alternative solutions to URL blocking, including using VPNs or different network configurations. One commenter suggests that if the primary link is frequently blocked, it might be a sign of a larger problem that requires a more robust solution than a dual QR code.

  The technical implementation of decoding both URLs simultaneously is also discussed. A commenter inquires about how the decoder differentiates between the two QR codes and the creator explains that they are visually distinct, allowing a properly designed decoder to recognize and decode both.

  Finally, there's a brief discussion about the visual design and whether the dual QR code is aesthetically pleasing. One commenter expresses a dislike for the design, while another suggests improvements to enhance its visual appeal.

  Overall, the comments express a mixed reaction to the dual QR code generator. While some see a potential use case for bypassing URL blocks, others remain skeptical about its practicality and security benefits, suggesting alternative solutions might be more appropriate. The discussion also touches upon the technical implementation and visual design of the tool.