Reputation: 117
We have generated the OTP using the TOTP algorithm and it would be live for a short time. Can you please tell me how to verify the generated OTP against the user-entered OTP? Is there any method to compare those, or do we need to store the password somewhere and validate it against the entered OTP?
Please suggest which way is best for verifying an OTP generated using the TOTP algorithm.
Thanks
Upvotes: 0
Views: 2637
Reputation: 1
The technique is to use the same seed data and encoding method that the app/hardware token used to generate the OTP code, then compare this against the supplied code. It is then up to you if you check either side of the current time window to allow for a degree of time drift between the server and the user's app/device.
Upvotes: 0
Reputation: 73029
To verify the token you need to generate the OTP yourself on the server side and do a constant-time string equality comparison between it and the user-provided OTP.
You may need to generate some older tokens to check too, in case the user entered a token but the time period passed before you could check. You should probably limit how old a token can be, but it's up to you to decide how old you deem a token to still be valid.
Upvotes: 3