Spomky-Labs / otphp

:closed_lock_with_key: A PHP library for generating one time passwords according to RFC 4226 (HOTP) and RFC 6238 (TOTP)
MIT License

TOTP code almost always verifies false #194

Closed xtremevision closed 1 year ago

xtremevision commented 1 year ago

Version(s) affected

11.2.0

Description

I don't think it's a bug, more than likely I am doing something wrong, but for the life of me I don't see what is wrong. Whenever I verify an otp code, a couple of seconds after it was generated and received by email, it verifies as false. I don't understand why it's not working.

How to reproduce

TOTP method

  1. Generate secret
  2. Store secret in db (pgsql, varchar 255)
  3. On login generate code using secret fetched from db.
  4. Send code by email.
  5. Go to page for verification. Verify inputted code against stored secret.

Verification always returns false.

Possible Solution

No response

Additional Context

Using CentOS 7, CodeIgniter 4, Apache, PHP 8.1 and Postgresql 9.5.

xtremevision commented 1 year ago

Ok, I think I got it now. Most likely the secret and setting the period were off. However, I have another problem. How do I make sure a new TOTP code is generated with precisely 30s, on user request?

xtremevision commented 1 year ago

Ignore my question. I just realized I completely misunderstood the usage of this library.

Spomky commented 1 year ago

Hi,

Indeed TOTP is not suitable for this use case. You should use HOTP instead or directly a random string with an expiration date you will remove once used.
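The counter-based approach the maintainer recommends, as an added example that is not code from otphp or from this thread: a minimal RFC 4226 HOTP issue/verify pair in plain PHP, where each "send me a code" request advances a per-user counter instead of depending on a 30 s clock window. It assumes the secret and `$state` are persisted per user (the secret value here is constructed for the demo; otphp's own `HOTP` class covers the same ground).

```php
<?php
// Added example (not otphp code): RFC 4226 HOTP issue/verify with plain PHP.
// $state is per-user data that would be persisted in the database with the secret.

/** HMAC-SHA1 over the 8-byte big-endian counter, then RFC 4226 dynamic truncation. */
function hotp(string $secret, int $counter, int $digits = 6): string
{
    $hash   = hash_hmac('sha1', pack('J', $counter), $secret, true);
    $offset = ord($hash[19]) & 0x0f;
    $code   = ((ord($hash[$offset]) & 0x7f) << 24) | (ord($hash[$offset + 1]) << 16)
            | (ord($hash[$offset + 2]) << 8) | ord($hash[$offset + 3]);
    return str_pad((string) ($code % (10 ** $digits)), $digits, '0', STR_PAD_LEFT);
}

/** Each "send me a code" request advances the counter, so the clock never matters. */
function issueCode(string $secret, array &$state): string
{
    return hotp($secret, $state['issued']++);
}

/**
 * Accept any not-yet-consumed code issued in the last $window requests and
 * consume it: the matched counter and everything before it become invalid.
 */
function verifyCode(string $secret, string $otp, array &$state, int $window = 5): bool
{
    $from = max($state['next'], $state['issued'] - $window);
    for ($c = $from; $c < $state['issued']; $c++) {
        if (hash_equals(hotp($secret, $c), $otp)) {
            $state['next'] = $c + 1;
            return true;
        }
    }
    return false;
}

// RFC 4226 Appendix D test vectors (secret "12345678901234567890").
assert(hotp('12345678901234567890', 0) === '755224');
assert(hotp('12345678901234567890', 1) === '287082');

// Login flow with a constructed secret; in the issue this would come from pgsql.
$secret = 'constructed-secret-for-demo';
$state  = ['issued' => 0, 'next' => 0];
$first  = issueCode($secret, $state);  // e-mailed; valid until consumed, not for 30 s
$second = issueCode($secret, $state);  // user asked again: a different code
var_dump(verifyCode($secret, $second, $state)); // newest code: consuming it retires all earlier ones
var_dump(verifyCode($secret, $first, $state));  // the first code is now older than the consumed counter
var_dump(verifyCode($secret, $second, $state)); // replaying a code that was already consumed
```

Verification works no matter how long the e-mail takes to arrive, and a consumed code can never be replayed; the window only bounds how many unconsumed resend requests remain valid.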