I am trying to use one-time passwords that can be generated using Google Authenticator application.
What Google Authenticator does
Basically, Google Authenticator implements two types of passwords:
- HOTP – HMAC-based One-Time Password, which means the password is changed with each call, in compliance to RFC4226, and
- TOTP – Time-based One-Time Password, which changes for every 30-seconds period (as far as I know).
Google Authenticator is also available as Open Source here: code.google.com/p/google-authenticator
Current code
I was looking for existing solutions to generate HOTP and TOTP passwords, but did not find much. The code I have is the following snippet responsible for generating HOTP:
import hmac, base64, struct, hashlib, time
def get_token(secret, digest_mode=hashlib.sha1, intervals_no=None):
if intervals_no == None:
intervals_no = int(time.time()) // 30
key = base64.b32decode(secret)
msg = struct.pack(">Q", intervals_no)
h = hmac.new(key, msg, digest_mode).digest()
o = ord(h[19]) & 15
h = (struct.unpack(">I", h[o:o+4])[0] & 0x7fffffff) % 1000000
return h
The problem I am facing is that the password I generate using the above code is not the same as generated using Google Authenticator app for Android. Even though I tried multiple intervals_no values (exactly first 10000, beginning with intervals_no = 0), with secret being equal to key provided within the GA app.
Questions I have
My questions are:
- What am I doing wrong?
- How can I generate HOTP and/or TOTP in Python?
- Are there any existing Python libraries for this?
To sum up: please give me any clues that will help me implement Google Authenticator authentication within my Python code.
I wanted to set a bounty on my question, but I have succeeded in creating solution. My problem seemed to be connected with incorrect value of
secretkey (it must be correct parameter forbase64.b32decode()function).Below I post full working solution with explanation on how to use it.
Code
The following code is enough. I have also uploaded it to GitHub as separate module called onetimepass (available here: https://github.com/tadeck/onetimepass).
It has two functions:
get_hotp_token()generates one-time token (that should invalidate after single use),get_totp_token()generates token based on time (changed in 30-second intervals),Parameters
When it comes to parameters:
secretis a secret value known to server (the above script) and client (Google Authenticator, by providing it as password within application),intervals_nois the number incremeneted after each generation of the token (this should be probably resolved on the server by checking some finite number of integers after last successful one checked in the past)How to use it
secret(it must be correct parameter forbase64.b32decode()) – preferably 16-char (no=signs), as it surely worked for both script and Google Authenticator.get_hotp_token()if you want one-time passwords invalidated after each use. In Google Authenticator this type of passwords i mentioned as based on the counter. For checking it on the server you will need to check several values ofintervals_no(as you have no quarantee that user did not generate the pass between the requests for some reason), but not less than the last workingintervals_novalue (thus you should probably store it somewhere).get_totp_token(), if you want a token working in 30-second intervals. You have to make sure both systems have correct time set (meaning that they both generate the same Unix timestamp in any given moment in time).Example
When using the following code for one-time HMAC-based password:
you will get the following result:
which is corresponding to the tokens generated by the Google Authenticator app (except if shorter than 6 signs, app adds zeros to the beginning to reach a length of 6 chars).