ThomasHabets
commented
10 years ago Migrated comments:
klyu...@google.com This is currently not supported on purpose, to reduce the attack surface. At the moment, we have no plans to add this feature.
Regarding your second question, it's not just a matter of duplicating the algorithms (it's pretty easy) -- you'll also need to obtain the secret key from which the codes are generated by the algorithm(s). Again, at the moment, Google Authenticator does not provide a way to obtain the secret key, nor is such a feature planned. Owner: klyu...@google.com
Dec 19, 2012 jelt...@motorola.com Ok, thanks for the fast reply! I did see this similar question now after scanning all the issues: https://code.google.com/p/google-authenticator/issues/detail?id=122
And I wasn't asking to get access to the secret key btw. Just to clarify, I'm wanting to use 2 part authentication on my own app so I will generate my own secret and use it on the two sides. GA has a pretty nice interface, so in the spirit of android, why not just use it like you would use any other tool like maps etc. But I can see the obvious security concerns over that as well. I just wondered if there was something I was missing.
What's the fastest route you think to implementing TOTP in my own app? Is it a "PAM"? On my server side, using perl Authen::OATH was super easy once you figure out who wants things base32 and who wants the raw string. :-) Dec 20, 2012 klyu...@google.com Looks like you got the server side covered already. I would suggest a quick read of RFC 6238 -- there isn't much to it. If you're interested in looking at some code from this project, then I'd suggest TotpCounter, OtpProvider, and AccountDb's getSigningOracle method.
Keep in mind that in most 2 part authentication methods, you have an issue of what to do when the 2nd factor is lost. Hopefully your app/protocol has this covered.
Dec 20, 2012 klyu...@google.com BTW, Google Authenticator supports multiple secret keys/accounts. So, if you only need to generate TOTP codes that your server will accept, and you'll be entering those codes manually yourself, then you could use Google Authenticator. Just enter the key/account using menu -> Set up account -> Manual entry or Scan barcode.
Dec 20, 2012 jelt...@motorola.com Thanks! I've cloned the code, and will start reviewing that and the RFC over the break here. As for the manual entry in GA, yes, I have used this and verified my server side worked right. My issue though is that I have an application that I want to use 2 part authentication under the hood. Similar to using 2 part auth with your google account, I don't want the user to have to enter a 6 digit number every use. They should just get the one time random secret that both sides know, and maybe xor in a 4 digit pin, and that result I want to use for authentication to the server.
Good point on the recover if you lose the random secret. I have printed out my backup codes for my google accounts already. :-) Dec 20, 2012 klyu...@google.com You should also consider adding your own Account Authenticator which will plug into android.accounts.AccountManager. This way users will be able to add your type of accounts to the phone, and apps (such as your app) will be able to get authentication tokens without having to deal with TOTP, passwords, and the likes.
Original issue 235 created by jeltoft@motorola.com on 2012-12-19T23:08:44.000Z:
Sorry if this was covered somewhere. I wasn't sure what exactly to search for.
I'm using GA on android (4.1.2) and I am writing an app. I was wondering if there is any way my app can query GA for the current TOTP? Or do I need to reimplement the whole algorithm in my app to generate the codes?
Thanks, Justin