One Time Pass-code generator, symantec vip-access compatible, any device
[RFC-6238, TOTP, 30sec, 6 digits, SHA1, aka Google Authenticator]
This is a javascript based RFC-6238 compatible One Time Pass-code generator (OTP generator). It uses a SHA-1 Hashed Message Authentication Code (HMAC) with a time based counter and an expiry interval of 30sec.
The Time-Based OTP algorithm is compatible with VeriSign, Symantec, Google and others.
The implementation is device independent and can therefore
be used across different platforms, including older mobile phones, which are no longer supported by current app-store apps.
All code runs only locally in your browser and none of the data is sent over the network.
To use this OTP generator you will need a base-32 encoded secret. How to obtain
this secret in case of Symantec VIP-Access or Google is described further down.
Please turn on JavaScript!
Usage: Google Authenticator
Google Authenticator provides the secret code via a QR-code image. If you run linux then
you can decode the QR-code by taking a screen-shot and processing it
with zbarimg (part of zbar-tools package). The code after "secret=" is the base-32 encoded secret.
Usage: Symantec VIP-access
Symantec VIP-access uses a rest-API to provision the token generator.
A credential-ID and the corresponding secret code is obtained during
the provisioning phase. This happens normally during the installation
of e.g the Symantec VIP-access mobile phone app.
To use the above OTP generator instead of the official Symantec VIP-access
app you will need two strings: base-32 encoded secret and credential-ID.
The easiest way to get both is to install python-vipaccess (https://github.com/dlenski/python-vipaccess) and run
vipaccess provision -t SYMZ
The above command provisions a new OTP token generator and generates the file $HOME/.vipaccess.
This .vipaccess file contains all the data you need (credential-ID to register the new token
with Symantec and the base-32 encoded secret which you need for this javascript
based OTP generator).
What are One Time Passwords (OTP)?
One time passwords are an authentication method based on shared secrets but
the actual secret is not sent over the network. Instead a time limited pass-code
is derived from the shared secret and that pass-code is used during
authentication. This prevents an attacker who was able to
listen-in on the network connection from successfully re-playing the data.
This particular TOTP algorithm produces tokens that expire after
30 seconds. To work reliably the device running this javascript implementation
of must have accurate time or almost accurate time and should at most by off by a few seconds. UTC (greenwich mean time) is used by this algorithm. If you notice that pass-code tokens do sometimes not work then check the time. The above
application displays the current UTC time as seen by your web-browser.
Alternate TOTO generator applications
The implementation provided by this OTP generator is equivalent to the
linux command:
oathtool -d6 --base32 --totp -v AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
or simply:
oathtool --base32 --totp -v AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Where "AAA..." is the base-32 encoded secret (dummy secret, replace with your real secret).
Just this TOTP application
References
Written by Guido Socher, MIT license
version info: 2018-05-25 -- first version, 2018-06-08 -- editorial updates, 2018-06-10 added google authenticator