Open lvcasgm opened 6 years ago
Excuse my dumb question. I've managed to implement a very basic authentication program in which I generate a QR code, which I scan with Google Authenticator and verify the code correctly. My question is, once I've scanned the QR code once and I have added my new Go application to my 2FA app, do I need to regenerate, scan the QR code and re-add it to my 2FA app? How can I just ask the user to enter the new code generated by his/her 2FA app and check it?
Thanks for your help!

You need to store the TOTP token in your backend, and then validate against it next time.

For my small "proof of concept" app, once I have presented the QR code to the user, I store the token in my DB - first I call the ToBytes method to serialize the token, and then I base64 encode it, before saving it. At a later stage I will add encryption of the token in the DB.

Then, when the user logs in, I grab the token string from the DB, base64 decode it, and then run TOTPFromBytes to generate the TOTP object. So I have the object, and have captured the 6/7/8-digit code from a text box. I then call the Validate method on the token, passing in the user-submitted code, which will either return nil or an error.

Note that the token is stateful. I save it back to the DB every time I call Validate, as it tracks the last attempted validation, the number of failed validations and any time drift in the client.

Hope that helps
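The enrol-once, store, validate-and-write-back flow described in the reply, as an added example that is not code from this thread or from the library whose ToBytes / TOTPFromBytes / Validate calls are named above. It uses only the Go standard library to implement RFC 6238 directly (HMAC-SHA1, 30-second steps, 6 digits, which is what Google Authenticator expects), so the TOTPRecord type, its field names and the JSON-inside-base64 storage format are this example's own assumptions. It keeps the state the reply mentions (last accepted step, failure count, observed client drift) and shows why that state has to be persisted: a code that was already accepted is refused on the second attempt.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha1"
	"encoding/base32"
	"encoding/base64"
	"encoding/binary"
	"encoding/json"
	"fmt"
	"math"
	"net/url"
	"time"
)

// TOTPRecord (this example's own type, not the library's) is what the backend keeps
// per user: the shared secret plus the state written back after every Validate call.
type TOTPRecord struct {
	Secret      []byte `json:"secret"`       // raw HMAC key; encrypt at rest in production
	Digits      int    `json:"digits"`       // 6 for Google Authenticator
	Period      int64  `json:"period"`       // seconds per time step; 30 for Google Authenticator
	LastStep    int64  `json:"last_step"`    // highest time step already accepted; blocks code reuse
	Failures    int    `json:"failures"`     // consecutive failed attempts, for lockout policy
	ClientDrift int64  `json:"client_drift"` // step offset of the last accepted code from server time
}

// NewTOTPRecord generates a fresh 160-bit secret, the size RFC 4226 recommends.
func NewTOTPRecord() (*TOTPRecord, error) {
	secret := make([]byte, 20)
	_, err := rand.Read(secret)
	return &TOTPRecord{Secret: secret, Digits: 6, Period: 30, LastStep: -1}, err
}

// ProvisioningURI is the otpauth:// string for the enrolment QR code; it is shown only once.
func (r *TOTPRecord) ProvisioningURI(issuer, account string) string {
	secret := base32.StdEncoding.WithPadding(base32.NoPadding).EncodeToString(r.Secret)
	return fmt.Sprintf("otpauth://totp/%s?secret=%s&issuer=%s&digits=%d&period=%d",
		url.PathEscape(issuer+":"+account), secret, url.QueryEscape(issuer), r.Digits, r.Period)
}

// HOTP is the RFC 4226 code for one counter value: HMAC-SHA1, dynamic truncation, mod 10^digits.
func HOTP(secret []byte, counter uint64, digits int) string {
	mac := hmac.New(sha1.New, secret)
	binary.Write(mac, binary.BigEndian, counter) // 8-byte big-endian counter
	sum := mac.Sum(nil)
	truncated := binary.BigEndian.Uint32(sum[sum[len(sum)-1]&0x0f:]) & 0x7fffffff // dynamic truncation
	return fmt.Sprintf("%0*d", digits, truncated%uint32(math.Pow10(digits)))
}

// CodeAt is the code a correctly synced authenticator app shows at t (RFC 6238).
func (r *TOTPRecord) CodeAt(t time.Time) string {
	return HOTP(r.Secret, uint64(t.Unix()/r.Period), r.Digits)
}

// Validate checks a submitted code against the stored secret, allowing `window` steps of clock
// skew either side of now and refusing any step at or below the last accepted one (no replay).
func (r *TOTPRecord) Validate(code string, now time.Time, window int64) error {
	step := now.Unix() / r.Period
	for d := -window; d <= window; d++ {
		candidate := step + d
		if candidate <= r.LastStep {
			continue
		}
		expected := HOTP(r.Secret, uint64(candidate), r.Digits)
		if hmac.Equal([]byte(expected), []byte(code)) { // constant-time comparison
			r.LastStep, r.ClientDrift, r.Failures = candidate, d, 0
			return nil
		}
	}
	r.Failures++
	return fmt.Errorf("invalid or already used code")
}

// Marshal serialises the record for the database as JSON inside base64, the same
// two-stage shape as ToBytes followed by base64 encoding in the reply above.
func (r *TOTPRecord) Marshal() (string, error) {
	raw, err := json.Marshal(r)
	return base64.StdEncoding.EncodeToString(raw), err
}

// UnmarshalTOTPRecord reverses Marshal when the user comes back to log in.
func UnmarshalTOTPRecord(stored string) (*TOTPRecord, error) {
	raw, err := base64.StdEncoding.DecodeString(stored)
	if err != nil {
		return nil, err
	}
	r := new(TOTPRecord)
	return r, json.Unmarshal(raw, r)
}

func main() {
	rec, _ := NewTOTPRecord() // enrolment: generate once, show the QR code, store the record
	fmt.Println(rec.ProvisioningURI("ExampleApp", "alice@example.com"))
	stored, _ := rec.Marshal()
	loaded, _ := UnmarshalTOTPRecord(stored) // later login: load, validate, write back
	now := time.Now()
	code := loaded.CodeAt(now) // stands in for the digits the user types from the app
	fmt.Println("first use:", loaded.Validate(code, now, 1), "| replay:", loaded.Validate(code, now, 1))
	stored, _ = loaded.Marshal() // the updated LastStep/Failures must go back to the DB
}
```

The record must be written back whether Validate returned nil or an error, since both paths change it; skipping the write on failure loses the failure counter, and skipping it on success lets the same code be accepted again within the window. A window of one step each way is the usual trade-off between tolerating clock skew and limiting how many codes an attacker can guess against, and in a real service the stored record would be encrypted before it reaches the database, as the reply says it eventually will be.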