Handle "password" 2FA
Oleg Koretsky edited this page Oct 26, 2018 · 2 revisions
Usually a 2FA request can be satisfied by directly submitting the one-time password (OTP): from an authenticator app for the `totp` factor type, or from an e-mail message for the `email` factor type. For the `password` factor type, however, the OTP must be generated in a special way.
Once you get a `NeedTfaException` with factor type `PASSWORD` in your `TfaCallback` implementation, use `PasswordTfaOtpGenerator` to create the OTP from the user's credentials:

```kotlin
val otpGenerator = PasswordTfaOtpGenerator()
val otp = otpGenerator.generate(tfaException, email, usersPassword)
```
Under the hood `PasswordTfaOtpGenerator` does the following:

- Gets the key derivation salt and the encrypted secret seed from the given TFA exception
- Derives an encryption key from the user's credentials and the derivation salt
- Decrypts the secret seed with the derived key
- Initializes a keypair from the decrypted secret seed
- Signs the special token carried in the TFA exception with that keypair
- Encodes the signature with Base64 and returns it as the OTP

The seed used for signing was encrypted with the user's password and submitted, together with the related public key, to the system during sign-up. The seed is therefore only ever decrypted on the client, and the system validates the OTP by verifying the signature over the token it issued against the stored public key; if the password is wrong, the seed cannot be decrypted and no OTP can be produced.
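The whole flow, both the sign-up side that produces the encrypted seed and the client side that turns a challenge into an OTP, as an added stand-alone example written in Go with only the standard library. This is not the SDK's own code: the page does not name the KDF, cipher or signature scheme, so PBKDF2-HMAC-SHA256, AES-GCM (nonce prefixed to the ciphertext) and Ed25519 are assumptions, as are the struct and function names, the way the e-mail is folded into the KDF salt, and the constructed sample credentials.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/binary"
	"errors"
	"fmt"
	"io"
	"strings"
)

// TfaChallenge holds what the text says a PASSWORD-type NeedTfaException carries.
// Field names and the nonce||ciphertext layout of EncryptedSeed are assumptions.
type TfaChallenge struct {
	Salt          []byte
	EncryptedSeed []byte // 12-byte AES-GCM nonce followed by ciphertext+tag
	Token         []byte // the "special token" the client must sign
}

// Enrollment is what sign-up hands to the server: public key, KDF salt, encrypted seed.
type Enrollment struct {
	PublicKey     ed25519.PublicKey
	Salt          []byte
	EncryptedSeed []byte
}

const kdfIterations = 50000 // placeholder; tune for the deployment

// pbkdf2SHA256 is PBKDF2-HMAC-SHA256 (RFC 8018) on the standard library.
// It stands in for whatever password KDF the real system uses (assumption).
func pbkdf2SHA256(password, salt []byte, iter, keyLen int) []byte {
	prf := hmac.New(sha256.New, password)
	out := make([]byte, 0, keyLen+prf.Size())
	var ctr [4]byte
	for block := uint32(1); len(out) < keyLen; block++ {
		binary.BigEndian.PutUint32(ctr[:], block)
		prf.Reset()
		prf.Write(salt)
		prf.Write(ctr[:])
		u := prf.Sum(nil)
		t := append([]byte(nil), u...)
		for i := 1; i < iter; i++ {
			prf.Reset()
			prf.Write(u)
			u = prf.Sum(nil)
			for j := range t {
				t[j] ^= u[j]
			}
		}
		out = append(out, t...)
	}
	return out[:keyLen]
}

// deriveKey binds the key to the account: the e-mail is folded into the salt
// (assumed use of the SDK's email argument) and the password is the PBKDF2 secret.
func deriveKey(email, password string, salt []byte) []byte {
	fullSalt := append(append([]byte(nil), salt...), []byte(strings.ToLower(email))...)
	return pbkdf2SHA256([]byte(password), fullSalt, kdfIterations, 32)
}

func gcm(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Enroll is the sign-up side: a fresh Ed25519 seed is encrypted under the
// password-derived key; only the public key, salt and ciphertext leave the client.
func Enroll(email, password string) (*Enrollment, error) {
	seed := make([]byte, ed25519.SeedSize)
	salt := make([]byte, 16)
	if _, err := io.ReadFull(rand.Reader, seed); err != nil {
		return nil, err
	}
	if _, err := io.ReadFull(rand.Reader, salt); err != nil {
		return nil, err
	}
	aead, err := gcm(deriveKey(email, password, salt))
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	enc := aead.Seal(nonce, nonce, seed, nil) // nonce || ciphertext || tag
	priv := ed25519.NewKeyFromSeed(seed)
	return &Enrollment{PublicKey: priv.Public().(ed25519.PublicKey), Salt: salt, EncryptedSeed: enc}, nil
}

// GenerateOTP follows the steps listed above: derive key, decrypt seed,
// build keypair, sign the token, Base64-encode the signature.
func GenerateOTP(ch TfaChallenge, email, password string) (string, error) {
	aead, err := gcm(deriveKey(email, password, ch.Salt))
	if err != nil {
		return "", err
	}
	ns := aead.NonceSize()
	if len(ch.EncryptedSeed) < ns {
		return "", errors.New("encrypted seed too short")
	}
	seed, err := aead.Open(nil, ch.EncryptedSeed[:ns], ch.EncryptedSeed[ns:], nil)
	if err != nil { // GCM tag mismatch: wrong password or tampered ciphertext
		return "", errors.New("cannot decrypt seed: wrong password or corrupted data")
	}
	if len(seed) != ed25519.SeedSize {
		return "", errors.New("bad seed length")
	}
	sig := ed25519.Sign(ed25519.NewKeyFromSeed(seed), ch.Token)
	return base64.StdEncoding.EncodeToString(sig), nil
}

// VerifyOTP is the server side: the OTP is valid only if it is a signature
// over this challenge's token by the enrolled public key.
func VerifyOTP(pub ed25519.PublicKey, token []byte, otp string) bool {
	sig, err := base64.StdEncoding.DecodeString(otp)
	if err != nil || len(sig) != ed25519.SignatureSize {
		return false
	}
	return ed25519.Verify(pub, token, sig)
}

func main() {
	// Constructed sample credentials and challenge token.
	enr, err := Enroll("alice@example.com", "correct horse battery staple")
	if err != nil {
		panic(err)
	}
	token := make([]byte, 32)
	io.ReadFull(rand.Reader, token)
	ch := TfaChallenge{Salt: enr.Salt, EncryptedSeed: enr.EncryptedSeed, Token: token}
	otp, err := GenerateOTP(ch, "alice@example.com", "correct horse battery staple")
	if err != nil {
		panic(err)
	}
	fmt.Println("otp:", otp)
	fmt.Println("server accepts:", VerifyOTP(enr.PublicKey, token, otp))
	_, err = GenerateOTP(ch, "alice@example.com", "wrong password")
	fmt.Println("wrong password:", err)
}
```

Because the token is part of what is signed, the server should issue a fresh token per challenge; an OTP produced for one token does not verify against another, which is what makes this scheme a one-time password rather than a reusable credential.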
⛏ Distributed Lab, 2021