-
-
Notifications
You must be signed in to change notification settings - Fork 151
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
TOTP verification returning always false #230
Comments
Hi, The verification script creates a TOTP object, but other parameters are not set. <?php
// sign_in.php
require_once __DIR__ . '/../vendor/autoload.php';
use OTPHP\InternalClock;
use OTPHP\TOTP;
$secret = 'JDDK4U6G3BJLEZ7Y';
$otp = TOTP::createFromSecret($secret, new InternalClock());
$otp->setPeriod(20);
$otp->setDigest('sha512');
$otp->setDigits(8);
$otp->setEpoch(100);
$verified = $otp->verify($argv[1], null, 5);
echo (int) $verified . PHP_EOL; But it can also come from a lack of support for custom parameters. |
Here is the elaboration of the example. At the moment I'm using FreeOTP to generate 9 digits passwords, and described below is a safe token with strong cryptographic parameters by Base32-encoding a 128 characters length password. <?php
// sign_up.php
require_once __DIR__ . '/../vendor/autoload.php';
use OTPHP\InternalClock;
use OTPHP\TOTP;
$secret = 'IZ2COUCZFZMGYVRPKURGGSL3GVPTGZLNGZFCE3BZGAWWWZJHH5WUGMSNNJEC2QROKNTVQYZVK57HEKKQFZEDQZB7FUYCQPZ5L44GAXTPOFTWSILLJJHFAYD6N5ESK7LYKJIGUL3HIR2HW5DFMVGWGRTGFB3CUUBJJR3E4QRXJ45VYYJVONGVAOK6KUZTYUK6IAVXGOT4JF7C2===';
$otp = TOTP::createFromSecret($secret, new InternalClock());
$otp->setDigits(9);
$otp->setLabel('preciseKoala');
$otp->setIssuer('ChesslaBlab');
$otp->setParameter('image', 'https://chesslablab.org/logo.png');
$grCodeUri = $otp->getQrCodeUri(
'https://api.qrserver.com/v1/create-qr-code/?data=[DATA]&size=300x300&ecc=M',
'[DATA]'
);
echo $grCodeUri . PHP_EOL; <?php
// sign_in.php
require_once __DIR__ . '/../vendor/autoload.php';
use OTPHP\InternalClock;
use OTPHP\TOTP;
$secret = 'IZ2COUCZFZMGYVRPKURGGSL3GVPTGZLNGZFCE3BZGAWWWZJHH5WUGMSNNJEC2QROKNTVQYZVK57HEKKQFZEDQZB7FUYCQPZ5L44GAXTPOFTWSILLJJHFAYD6N5ESK7LYKJIGUL3HIR2HW5DFMVGWGRTGFB3CUUBJJR3E4QRXJ45VYYJVONGVAOK6KUZTYUK6IAVXGOT4JF7C2===';
$otp = TOTP::createFromSecret($secret, new InternalClock());
$otp->setDigits(9);
$verified = $otp->verify($argv[1], null, 5);
echo (int) $verified . PHP_EOL; At the moment this is in my humble opinion easier to implement than WebAuthn. The added value is:
Maybe this basic passwordless authentication is just fine for some apps. Now preciseKoala can play chess with other users and see their results in the ranking. |
Description
Hi there,
I'm using the following sample script to simulate a user sign up.
So far so good. The generated
$grCodeUri
is then scanned with Authy which seems to be working okay in that Authy is generating the TOTP codes. However, I can't manage to verify any of the codes by Authy if using the script below.Could you please elaborate on this example?
Thanks for the help,
The text was updated successfully, but these errors were encountered: