I'm working on a 2FA App.
Is there a way for me to check beforehand that the secret key a user provides, which I use to generate their tokens, is valid?

Edit:
For clarification: I am not providing the login server, but the token generation for the user (think Authy or Google Authenticator).

Jujinko

3 Answers

1

You need to store the generated key somewhere, in memory or in a database. Then when the secret key is sent back, check it with the stored value.

Floxx
  • when and by whom is the secret key sent back? – Jujinko Aug 29 '19 at 12:02
  • I'm not sure if I understand your question then. The user logs in that is the first step of your authentication, you send an email or text message to the user with your otp, they send you the otp back. That is the workflow for 2FA. – Floxx Aug 29 '19 at 14:01
  • I am not providing the login server, but the token generation (think Authy or Google Authenticator). To generate those tokens, the user gives me their secret. I want to ensure the secret is actually valid before I create tokens for them to use with their service. – Jujinko Aug 29 '19 at 14:06
  • What do you consider valid or invalid? There is no format to the seed value. What problem are you trying to actually solve? – Joe Oct 06 '19 at 02:34
1

The only way to validate that the secret is correct is to generate a token and submit it to the service that generated and stored the secret for the user. If the service agrees that the token is correct, then you have the correct secret.

philnash
0

If someone is still searching for this today: I searched around a little and got to an answer.

The following format is a valid TOTP QR code:

otpauth://totp/{CompanyName}:{Email}?secret={Secret}&issuer={CompanyName}
  • Email: doesn't need to really be an email, just a client name such as "name" or "name@email.com"
  • CompanyName: the company name can be in a format like "example.com" or "example"
  • Secret: needs to be a base32 formatted string

You can read more about it at https://datatracker.ietf.org/doc/html/rfc6238#section-4

Makusium
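Putting the two answers together as an added example (not code from any of the posters): the only check possible offline is that the secret decodes as base32 in the otpauth format Makusium describes; knowing the secret is the *right* one means generating an RFC 6238 code and letting the issuing service verify it, as philnash says. The sample URI, label and issuer are constructed; the secret is the RFC 6238 test key, so the expected codes are the RFC's own vectors.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, unquote, urlparse

def parse_otpauth(uri):
    """Split an otpauth://totp/{label}?secret=...&issuer=... URI into label and params."""
    parsed = urlparse(uri)
    if parsed.scheme != "otpauth" or parsed.netloc != "totp":
        raise ValueError("not a TOTP otpauth URI")
    params = {k: v[0] for k, v in parse_qs(parsed.query).items()}
    if "secret" not in params:
        raise ValueError("missing secret parameter")
    return unquote(parsed.path.lstrip("/")), params

def decode_secret(secret):
    """Return the raw key bytes, or raise ValueError if the secret is not base32.
    This is the only check possible offline: it proves the format is usable,
    not that the issuing service holds the same key."""
    cleaned = secret.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)  # restore padding that QR codes usually omit
    return base64.b32decode(cleaned)

def totp(key, for_time, step=30, digits=6):
    """RFC 6238 TOTP (HMAC-SHA1, 30 s steps) for the Unix time for_time."""
    counter = struct.pack(">Q", int(for_time) // step)
    digest = hmac.new(key, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def service_accepts(key, submitted, now, step=30, window=1):
    """What the issuing service does with a submitted code: accept it if it
    matches the current step or one step either side (allows clock drift)."""
    return any(hmac.compare_digest(totp(key, now + i * step, step), submitted)
               for i in range(-window, window + 1))

if __name__ == "__main__":
    uri = "otpauth://totp/Example:alice@example.com?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example"
    label, params = parse_otpauth(uri)  # constructed URI; secret is the RFC 6238 test key
    key = decode_secret(params["secret"])
    print(label, params["issuer"], totp(key, time.time()))
```

A client app can only run `parse_otpauth` and `decode_secret`; the `service_accepts` step lives on the service that issued the secret, which is why the app cannot confirm correctness on its own.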