oglobi.blogg.se

Timeslice 4.6

#Timeslice 4.6 code

Ok, so now the code has been verified and found to be correct. Now we can store the secret with our user in our database (or elsewhere) and whenever the user begins a new session, after logging in, we ask for a code generated by the authentication app of their choice. All we need to do is call VerifyCode() again with the shared secret we stored with the user and the entered code and we'll know if the user is legit or not. To prevent replay attacks, all you need to do is, on successful login, make sure timeSlice is greater than the previously stored timeslice.


The third, timeSlice, is an out-argument: the value returned in timeSlice is the value of the timeslice that matched the code (if any). This value will be 0 when the code doesn't match and non-zero when the code matches. This value can be stored with the user and can be used to prevent replay attacks.


The built-in providers all have some provider-specific 'tweaks' you can 'apply'. Some provide support for different colors, others may let you specify the desired image-format etc. What they all have in common is that they return a QR-code as a binary blob which, in turn, will be turned into a data URI by the TwoFactorAuth class. This makes it easy for you to display the image without requiring extra 'roundtrips' from browser to server and vice versa.

VerifyCode() will return either true (the code was valid) or false (the code was invalid; no points for you!). You may need to store secret in a session or other persistent storage between requests.

VerifyCode() accepts, aside from secret and code, two more arguments. Since TOTP codes are based on time ("slices") it is very important that the server (but also the client) has a correct date/time. But because the two may differ a bit we usually allow a certain amount of leeway. Because generated codes are valid for a specific period (remember the period argument in the TwoFactorAuth constructor?) we usually check the period directly before and the period directly after the current time when validating codes. The discrepancy argument specifies how many periods (or: timeslices) we check in either direction of the current time. The default discrepancy of 1 results in (max.) 3 period checks: -1, current and +1 period. A discrepancy of 4 would result in a larger window (or: bigger time difference between client and server) of -4, -3, -2, -1, current, +1, +2, +3 and +4 periods.

The second, dateTime or timestamp (depending on which overload you use), allows you to check a code for a specific point in time. This argument has no real practical use but can be handy for unit testing etc. Unless specified, TwoFactorAuth uses the current time.
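The discrepancy window and the timeSlice replay check described above, as an added Python sketch that is not TwoFactorAuth's own code. The names `totp`, `verify_code` and `login`, the user dictionary, the 30-second period and the 6-digit code length are assumptions made for the example.

```python
import hashlib
import hmac
import struct

PERIOD = 30   # seconds per timeslice (assumed; the common TOTP default)
DIGITS = 6    # code length (assumed)

def totp(secret: bytes, timeslice: int) -> str:
    """RFC 6238 code (HMAC-SHA1) for one timeslice."""
    mac = hmac.new(secret, struct.pack(">Q", timeslice), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)

def verify_code(secret: bytes, code: str, now: int, discrepancy: int = 1) -> int:
    """Return the matching timeslice, or 0 when no slice in the window matches."""
    current = now // PERIOD
    matched = 0
    # Check every slice in the window, comparing in constant time, no early exit.
    for i in range(-discrepancy, discrepancy + 1):
        candidate = totp(secret, current + i)
        if hmac.compare_digest(candidate.encode(), code.encode()):
            matched = current + i
    return matched

def login(user: dict, code: str, now: int, discrepancy: int = 1) -> bool:
    """Accept a code only if its timeslice is newer than the last accepted one."""
    timeslice = verify_code(user["secret"], code, now, discrepancy)
    if timeslice == 0 or timeslice <= user["last_timeslice"]:
        return False                      # wrong code, or a replayed one
    user["last_timeslice"] = timeslice    # persist this with the user record
    return True

# Constructed sample data: the secret is the RFC 6238 test key, not a real one.
SAMPLE_USER = {"secret": b"12345678901234567890", "last_timeslice": 0}
```

A code that is still inside the discrepancy window verifies a second time, so only the stored timeslice comparison rejects the replay.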

#Timeslice 4.6 how to

external) party (Google, QRServer and QRicket) for the hard work of generating QR-codes (note: each of these services might at some point not be available or impose limitations on the number of codes generated per day, hour etc.). You could, however, easily use any library to generate your QR-codes without depending on external sources. See HowTo: Implement your own QR Code provider on how to do this.


    var tfa = new TwoFactorAuth("MyCompany");
    // Though the default is an 80 bits secret (for backwards compatibility reasons) we
    // recommend creating 160+ bits secrets (see RFC 4226 - Algorithm Requirements)
    var secret = tfa.CreateSecret(160);

The CreateSecret() method accepts two arguments: bits (default: 80) and cryptoSecureRequirement (default: RequireSecure). The former is the number of bits generated for the shared secret. Make sure this argument is a multiple of 8 and, again, keep in mind that not all combinations may be supported by all apps. Google Authenticator seems happy with 80 and 160; the default is set to 80 because that's what most sites (that I know of) currently use, however a value of 160 or higher is recommended (see RFC 4226 - Algorithm Requirements). The latter is used to ensure that the secret is cryptographically secure; if you don't care very much for cryptographically secure secrets you can specify AllowInsecure and use a non-cryptographically secure RNG provider.

    Please enter the following secret in your app: XANIK3POC23RCRYN

Another, more user-friendly, way to get the shared secret into the app is to generate a QR-code which can be scanned by the app. To generate these QR codes you can use any one of the built-in QRProvider classes, use a 3rd party one or implement your own QR Code provider. To implement your own provider all you need to do is implement the IQrCodeProvider interface. You can use the built-in providers mentioned before to serve as an example or read the next chapter in this file.









