• Stars
    star
    2,085
  • Rank 22,148 (Top 0.5 %)
  • Language
    Go
  • License
    Apache License 2.0
  • Created almost 10 years ago
  • Updated 12 months ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

TOTP library for Go

otp: One Time Password utilities Go / Golang

PkgGoDev Build Status

Why One Time Passwords?

One Time Passwords (OTPs) are an mechanism to improve security over passwords alone. When a Time-based OTP (TOTP) is stored on a user's phone, and combined with something the user knows (Password), you have an easy on-ramp to Multi-factor authentication without adding a dependency on a SMS provider. This Password and TOTP combination is used by many popular websites including Google, GitHub, Facebook, Salesforce and many others.

The otp library enables you to easily add TOTPs to your own application, increasing your user's security against mass-password breaches and malware.

Because TOTP is standardized and widely deployed, there are many mobile clients and software implementations.

otp Supports:

  • Generating QR Code images for easy user enrollment.
  • Time-based One-time Password Algorithm (TOTP) (RFC 6238): Time based OTP, the most commonly used method.
  • HMAC-based One-time Password Algorithm (HOTP) (RFC 4226): Counter based OTP, which TOTP is based upon.
  • Generation and Validation of codes for either algorithm.

Implementing TOTP in your application:

User Enrollment

For an example of a working enrollment work flow, GitHub has documented theirs, but the basics are:

  1. Generate new TOTP Key for a User. key,_ := totp.Generate(...).
  2. Display the Key's Secret and QR-Code for the User. key.Secret() and key.Image(...).
  3. Test that the user can successfully use their TOTP. totp.Validate(...).
  4. Store TOTP Secret for the User in your backend. key.Secret()
  5. Provide the user with "recovery codes". (See Recovery Codes bellow)

Code Generation

  • In either TOTP or HOTP cases, use the GenerateCode function and a counter or time.Time struct to generate a valid code compatible with most implementations.
  • For uncommon or custom settings, or to catch unlikely errors, use GenerateCodeCustom in either module.

Validation

  1. Prompt and validate User's password as normal.
  2. If the user has TOTP enabled, prompt for TOTP passcode.
  3. Retrieve the User's TOTP Secret from your backend.
  4. Validate the user's passcode. totp.Validate(...)

Recovery Codes

When a user loses access to their TOTP device, they would no longer have access to their account. Because TOTPs are often configured on mobile devices that can be lost, stolen or damaged, this is a common problem. For this reason many providers give their users "backup codes" or "recovery codes". These are a set of one time use codes that can be used instead of the TOTP. These can simply be randomly generated strings that you store in your backend. Github's documentation provides an overview of the user experience.

Improvements, bugs, adding feature, etc:

Please open issues in Github for ideas, bugs, and general thoughts. Pull requests are of course preferred :)

License

otp is licensed under the Apache License, Version 2.0

More Repositories

1

ffjson

faster JSON serialization for Go
Go
2,939
star
2

spedye

C
153
star
3

cachecontrol

Golang HTTP Cache-Control Parser and Interpretation
Go
135
star
4

node-logmagic

Lighweight Logging Module for Node.js
JavaScript
80
star
5

node-extension-examples

Examples of writing node.js extensions
C++
78
star
6

selene

A SSL/TLS library
C
74
star
7

ndislocate

A distributed service locator, written on top of Node.js
JavaScript
62
star
8

node-examples

A set of example scripts/servers in Node.js
JavaScript
49
star
9

distsync

[status: prototype] Get files on my servers. Quickly.
Go
23
star
10

termchalk

termchalk: terminal chalkboard utilities for golang
Go
22
star
11

dpop

Go library for DPoP (OAuth 2.0 Demonstration of Proof-of-Possession at the Application Layer)
Go
20
star
12

node-archive

Node.JS Bindings to libarchive
C++
19
star
13

protoc-gen-dynamo

Go
17
star
14

hurl

hurl: hurt a url.
Go
15
star
15

tls-client-hello-stats

Tools to analyze SSL/TLS Client hellos from a packet capture.
Python
14
star
16

ctail

Shell
13
star
17

ckl

Cloudkick Changelog Tool
Shell
10
star
18

bigcass

Cassandra Benchmarking Tools
Python
8
star
19

mod_authn_yubikey

C
8
star
20

ccb

cassandra cloud benchmark
Python
7
star
21

darwintest

HTML
7
star
22

reveal.js-plugin-externalcode

Reveal.js plugin to load Code from external files
JavaScript
6
star
23

node-blanket

JavaScript
4
star
24

protoc-gen-authz

Go
4
star
25

nacl-cryptopp

C++
4
star
26

terribledb

This was a terrible idea
JavaScript
3
star
27

streamplay

streamplay
Go
3
star
28

slides-logs-as-event-streams

JavaScript
3
star
29

qmq

3
star
30

node-xar

Node.js implementation of the XAR file format: http://code.google.com/p/xar/
2
star
31

fastest

this is silly
C
2
star
32

tacua

an experiment in metamorphosis
2
star
33

check_temp

C
2
star
34

trafficserver

C++
2
star
35

qnad

quick network application daemon
2
star
36

redis-slammer

JavaScript
2
star
37

slides-code-reviews

JavaScript
2
star
38

dislocate

A distributed service locator
2
star
39

xjwt

Go library of small extensions for working with JWTs
Go
2
star
40

cassandra

Java
2
star
41

docker-google-auth-proxy

1
star
42

utc.tv

CSS
1
star
43

elderberry

1
star
44

go-keystone-client

Go
1
star
45

megabug-shirts

Parodies of major internet bugs
1
star
46

poc-dsa-verify-CVE-2019-17596

Demonstration of Go's dsa.Verify bug (CVE-2019-17596)
Go
1
star