**NOT MAINTAINED** Two-factor authentication for Node.js. One-time passcode generator (HOTP/TOTP) with support for Google Authenticator.
Base32 secrets with a length not a multiple of 8 may produce incorrect codes #135
Open
tommilligan opened 3 years ago
Due to an underlying bad base32 implementation (https://github.com/speakeasyjs/base32.js/issues/4), base32 encoded secrets that are not of length 8, 16, 24, 32 etc. may produce invalid codes.
This behaviour depends on the value of the secret itself. For a comparison with Python's `pyotp` library, see these examples: https://github.com/pyauth/pyotp/issues/115

This may be the underlying cause of the following issues:
Example: an incorrect code is generated for the secret `S46SQCPPTCNPROMHWYBDCTBZXV` (length 26). The Python `pyotp` library produces a different value for the same inputs.
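An added example, not part of the original issue or of the speakeasy or base32.js code: a strict RFC 4648 base32 decoder for unpadded secrets that reports how many key bytes a secret decodes to and whether bits are left over at the end. The function names `decodeBase32` and `inspectSecret` are hypothetical.

```javascript
// Added example: RFC 4648 base32 decoding of unpadded secrets (names are hypothetical).
const ALPHABET = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567';
// Unpadded length mod 8 that a conforming encoder can emit -> leftover bit count.
const VALID_TAIL = { 0: 0, 2: 2, 4: 4, 5: 1, 7: 3 };

function decodeBase32(secret) {
  // Drop whitespace and optional "=" padding, accept lower case.
  const clean = secret.replace(/\s+/g, '').replace(/=+$/, '').toUpperCase();
  const tail = clean.length % 8;
  if (!(tail in VALID_TAIL)) {
    throw new Error(`invalid base32 length ${clean.length}`);
  }
  const bytes = [];
  let acc = 0;  // bit accumulator
  let bits = 0; // number of valid bits currently held in acc
  for (const ch of clean) {
    const v = ALPHABET.indexOf(ch);
    if (v === -1) throw new Error(`invalid base32 character ${JSON.stringify(ch)}`);
    acc = (acc << 5) | v;
    bits += 5;
    if (bits >= 8) {
      bits -= 8;
      bytes.push((acc >>> bits) & 0xff);
      acc &= (1 << bits) - 1; // keep only the bits not yet emitted
    }
  }
  // leftoverValue is 0 for canonically encoded input.
  return { bytes: Buffer.from(bytes), leftoverBits: bits, leftoverValue: acc };
}

function inspectSecret(secret) {
  const { bytes, leftoverBits, leftoverValue } = decodeBase32(secret);
  return { keyLength: bytes.length, leftoverBits, canonical: leftoverValue === 0 };
}

// The secret quoted in the issue: 26 characters = 130 bits = 16 bytes + 2 bits.
console.log(inspectSecret('S46SQCPPTCNPROMHWYBDCTBZXV'));
```

For the secret in the issue this reports a 16-byte key, 2 leftover bits, and `canonical: false`.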