sec51 / twofactor

Golang two factor authentication library
ISC License

Do I need to scan a QR every time? #15

Open lvcasgm opened 6 years ago

lvcasgm commented 6 years ago

Excuse my dumb question. I've managed to implement a very basic authentication program in which I generate a QR code, scan it with Google Authenticator and verify the code correctly. My question is: once I've scanned the QR code once and added my new Go application to my 2FA app, do I need to regenerate the QR code, scan it and re-add it to my 2FA app every time? How can I just ask the user to enter the new code generated by his/her 2FA app and check it?

Thanks for your help!

opb commented 6 years ago

You need to store the TOTP token in your backend, and then validate against it next time.

For my small "proof of concept" app, once I have presented the QR code to the user, I store the token in my DB - first I call the ToBytes method to serialize the token, and then I base64 encode it, before saving it. At a later stage I will add encryption of the token in the DB.

Then, when the user logs in, I grab the token string from the DB, base64 decode it, and then run TOTPFromBytes to rebuild the TOTP object. So I have the object, and I have captured the 6/7/8 digit code from a text box. I then call the Validate method on the token, passing in the user-submitted code, which returns either nil or an error.

Note that the token is stateful. I save it back to the DB every time I call Validate, as it tracks the last attempted validation, the number of failed validations and any time drift in the client.

Hope that helps
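The load, decode, validate, save-back loop opb describes, as an added, self-contained Go example. It is not sec51/twofactor code and does not import the library: the standard library stands in, so it runs offline. The hypothetical `Enrollment` type with its `Marshal`, `Unmarshal` and `ValidateAt` methods plays the roles that `ToBytes`, `TOTPFromBytes` and `Validate` play in opb's description; `maxFailures` and `driftSteps` are assumed policy values, not the library's constants; the `login` function and the `map[string]string` "database" are stand-ins for the caller's handler and DB column. Minting the secret and rendering the QR at enrollment, the part the question says already works, is left out.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/base64"
	"encoding/binary"
	"encoding/json"
	"errors"
	"fmt"
	"math"
	"time"
)

// Assumed policy values for this example, not the library's constants.
const (
	maxFailures = 5 // lock the enrollment after this many consecutive failures
	driftSteps  = 1 // also accept the step before and after "now" (client clock drift)
)

// Enrollment is the per-user state that must survive between logins: the secret
// plus the counters that make replay and guessing detectable on the next attempt.
type Enrollment struct {
	Secret      []byte `json:"secret"`       // HMAC key, shown base32-encoded in the QR
	Digits      int    `json:"digits"`       // 6, 7 or 8
	Period      int64  `json:"period"`       // seconds per step, 30 for Google Authenticator
	LastCounter int64  `json:"last_counter"` // highest time step already accepted
	Failures    int    `json:"failures"`     // consecutive failures since the last success
}

// Marshal serialises the whole state and base64-encodes it for a text column.
func (e *Enrollment) Marshal() (string, error) {
	raw, err := json.Marshal(e)
	if err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(raw), nil
}

// Unmarshal is the inverse: base64-decode, then rebuild the Enrollment.
func Unmarshal(blob string) (*Enrollment, error) {
	raw, err := base64.StdEncoding.DecodeString(blob)
	if err != nil {
		return nil, err
	}
	e := &Enrollment{}
	return e, json.Unmarshal(raw, e)
}

// code is RFC 6238 TOTP (HMAC-SHA1 with dynamic truncation) for one time-step counter.
func (e *Enrollment) code(counter int64) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], uint64(counter))
	mac := hmac.New(sha1.New, e.Secret)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	off := sum[len(sum)-1] & 0x0f
	v := binary.BigEndian.Uint32(sum[off:off+4]) & 0x7fffffff
	return fmt.Sprintf("%0*d", e.Digits, v%uint32(math.Pow10(e.Digits)))
}

// ValidateAt checks userCode against the steps around now. It mutates the
// enrollment on every call, so the caller must persist it whether or not err is nil.
func (e *Enrollment) ValidateAt(userCode string, now time.Time) error {
	if e.Failures >= maxFailures {
		return errors.New("enrollment locked: too many failed attempts")
	}
	cur := now.Unix() / e.Period
	for c := cur - driftSteps; c <= cur+driftSteps; c++ {
		if c <= e.LastCounter {
			continue // step already consumed: a resubmitted code is a replay
		}
		if subtle.ConstantTimeCompare([]byte(e.code(c)), []byte(userCode)) == 1 {
			e.LastCounter, e.Failures = c, 0
			return nil
		}
	}
	e.Failures++
	return errors.New("invalid code")
}

// login is the per-request loop from the comment above: load the blob from the
// "database" map, decode, validate, then write the updated state back even on failure.
func login(db map[string]string, user, userCode string, now time.Time) error {
	e, err := Unmarshal(db[user])
	if err != nil {
		return err
	}
	verr := e.ValidateAt(userCode, now)
	if db[user], err = e.Marshal(); err != nil {
		return err
	}
	return verr
}
```

Two points the loop makes concrete. The state is written back on the failure path as well as the success path; if it is only saved after a successful `Validate`, the failure counter never grows and the throttle does nothing. And because a valid code is accepted once per time step, two concurrent requests for the same user can both pass the check before either write lands, so the read-validate-write should run under a row lock or a compare-and-swap on the stored blob. When the token is later encrypted at rest, as opb plans, `Secret` is the field that needs it; the counters can stay in the clear.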