Reputation: 3405
I am trying to create a web app that uses two-factor authentication with Google Authenticator, so my question is: is there an API for Google Authenticator?
Upvotes: 32
Views: 66829
Reputation: 988
For anyone still trying to find out if there's an API for Google Authenticator:
2FA with Google Authenticator is based on the open-source TOTP algorithm (RFC 6238). You can implement it yourself without any Google APIs.
Your app only needs to send a code (that is, a long URL) to the Google Authenticator app when a user is setting up TOTP in the app. It is this code that's sent via QR code (no API calls involved).
You can find a more detailed answer at https://stackoverflow.com/a/78943929/3475551
Upvotes: -1
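The "implement it yourself" route the answer above describes, as an added example that is not part of the original answer or of any Google code: HOTP (RFC 4226) and TOTP (RFC 6238) from the standard library, checked against the RFC 6238 Appendix B test vectors, plus the verification policy a backend needs (skew window, constant-time compare, replay guard). The secrets and timestamps are constructed for illustration.

```python
"""RFC 4226 (HOTP) / RFC 6238 (TOTP) with the server-side verification policy an
authenticator-compatible backend needs: skew window, constant-time compare, replay guard.

Added example, standard library only. Secrets and timestamps are constructed
(the RFC 6238 Appendix B seed is used for the known-answer check).
"""
import base64
import hashlib
import hmac
import secrets
import struct
import time
from typing import Optional, Tuple

DIGITS = 6
PERIOD = 30  # seconds per time step; Google Authenticator uses 30


def generate_secret(nbytes: int = 20) -> str:
    """Random Base32 shared secret (160 bits by default, the RFC 4226 recommendation)."""
    return base64.b32encode(secrets.token_bytes(nbytes)).decode("ascii")


def hotp(secret_b32: str, counter: int, digits: int = DIGITS, algorithm=hashlib.sha1) -> str:
    """RFC 4226: HMAC over the 8-byte big-endian counter, dynamic truncation, mod 10^digits."""
    # Apps accept lowercase, spaces and missing '=' padding in the secret; normalise them.
    normalized = secret_b32.replace(" ", "").upper()
    key = base64.b32decode(normalized + "=" * (-len(normalized) % 8))
    mac = hmac.new(key, struct.pack(">Q", counter), algorithm).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, at: Optional[float] = None, period: int = PERIOD, **kw) -> str:
    """RFC 6238: HOTP with counter = floor(unix_time / period)."""
    at = time.time() if at is None else at
    return hotp(secret_b32, int(at // period), **kw)


def verify_totp(secret_b32: str, code: str, at: Optional[float] = None,
                window: int = 1, last_counter: int = -1) -> Tuple[bool, int]:
    """Server-side check of a submitted code.

    Accepts the current step and `window` steps either side (client clock skew),
    compares in constant time, and refuses any counter <= last_counter so a code that
    was already accepted cannot be replayed within its validity window.
    Returns (ok, counter_to_store): persist the counter with the user on success.
    """
    at = time.time() if at is None else at
    current = int(at // PERIOD)
    for c in range(current - window, current + window + 1):
        if c < 0 or c <= last_counter:
            continue
        if hmac.compare_digest(hotp(secret_b32, c), code):
            return True, c
    return False, last_counter


# RFC 6238 Appendix B test vectors (SHA-1, 8 digits): the seed is the ASCII string
# "12345678901234567890"; a correct implementation must reproduce these codes.
RFC6238_SECRET = base64.b32encode(b"12345678901234567890").decode("ascii")
RFC6238_VECTORS = {59: "94287082", 1111111109: "07081804",
                   1234567890: "89005924", 2000000000: "69279037"}


def rfc6238_known_answer_ok() -> bool:
    """True if every Appendix B vector is reproduced."""
    return all(totp(RFC6238_SECRET, at=t, digits=8) == code
               for t, code in RFC6238_VECTORS.items())


if __name__ == "__main__":
    assert rfc6238_known_answer_ok(), "TOTP implementation does not match RFC 6238"
    secret = generate_secret()           # store server-side, per user, encrypted at rest
    code = totp(secret)                  # what the user's app shows right now
    ok, last = verify_totp(secret, code)
    print(f"secret={secret} code={code} accepted={ok} counter={last}")
    replayed, _ = verify_totp(secret, code, last_counter=last)
    print(f"same code again accepted={replayed}")  # False: replay within the window is refused
```

The known-answer check is the part worth keeping in a real project's test suite: a subtle mistake in the counter encoding or truncation still produces plausible six-digit codes, and only the RFC vectors expose it.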
Reputation: 3
This one is not free (freemium!)
import http.client

# Step 1: ask the service for a fresh secret (authenticated with your RapidAPI key)
conn = http.client.HTTPSConnection("otp-authenticator.p.rapidapi.com")
headers = {
    'X-RapidAPI-Key': "KEY_GOES_HERE",
    'X-RapidAPI-Host': "otp-authenticator.p.rapidapi.com"
}
conn.request("POST", "/new_v2/", headers=headers)
res = conn.getresponse()
data = res.read()
print(data.decode("utf-8"))  # response body carries the generated secret
The server will return a secret (e.g. IH225HMVWDS3XJVY). Keep it.
import http.client

# Step 2: enroll the secret for an account/issuer and get a QR code URL back
conn = http.client.HTTPSConnection("otp-authenticator.p.rapidapi.com")
payload = "secret=IH225HMVWDS3XJVY&account=User1&issuer=HomeCorp"
headers = {
    'content-type': "application/x-www-form-urlencoded",
    'X-RapidAPI-Key': "KEY_GOES_HERE",
    'X-RapidAPI-Host': "otp-authenticator.p.rapidapi.com"
}
conn.request("POST", "/enroll/", payload, headers)
res = conn.getresponse()
data = res.read()
print(data.decode("utf-8"))  # response body carries the QR code URL
The server will return a URL. Pull its PNG data and you get a QR code. Scan it with the Google Authenticator app and you'll see TOTPs being generated every 30 seconds.
import http.client

# Step 3: validate a code the user typed in against the stored secret
conn = http.client.HTTPSConnection("otp-authenticator.p.rapidapi.com")
payload = "secret=IH225HMVWDS3XJVY&code=425079"
headers = {
    'content-type': "application/x-www-form-urlencoded",
    'X-RapidAPI-Key': "KEY_GOES_HERE",
    'X-RapidAPI-Host': "otp-authenticator.p.rapidapi.com"
}
conn.request("POST", "/validate/", payload, headers)
res = conn.getresponse()
data = res.read()
print(data.decode("utf-8"))  # response body says whether the code was valid
That's in Python (the http.client lib), but the platform (RapidAPI) generates code snippets in most popular programming languages/libs like Java, PHP and others - quite handy.
Upvotes: 0
Reputation: 6914
Worth mentioning that this npm package (otplib) contains a decent implementation, and it has a very nice demo website.
With lots of weekly downloads and very clear documentation, I say it's a great place to start. In a nutshell:
So... the first step should be handled server-side (to properly manage the secret):
import qrcode from 'qrcode';
import { authenticator } from '@otplib/preset-default';

const user = 'A user name, possibly an email';
const service = 'A service name';
// secret is generated and stored server-side; only the QR image leaves the server
const secret = authenticator.generateSecret();
const otpauth = authenticator.keyuri(user, service, secret);

qrcode.toDataURL(otpauth, (err, imageUrl) => {
  if (err) {
    console.log('Error with QR');
    return;
  }
  // send `imageUrl` variable content to your client
});
In your app, you may generate the QR code using the same library:
// `otpauth` is the otpauth:// URI received from the server. toCanvas() encodes the
// text it is given, so pass the URI itself, not the PNG data URL (if the server sent
// the data URL instead, just set it as an <img> src).
QRCode.toCanvas(canvas, otpauth, function (error) {
  if (error)
    console.error(error);
  else
    console.log('success!');
});
The second phase is to actually build an input in your sign-in page (to fetch the token) and probably send it over to your backend again.
And the third part would be as simple as this:
// same `authenticator` instance as on the server: `totp.check` would treat the Base32 secret as raw key bytes and never match the app's codes
const isValid = authenticator.check(token, secret);
Upvotes: 5
Reputation: 45135
The Google Authenticator app is simply an implementation of the Time-based One-time Passwords spec. See RFC 6238.
The algo takes the system time and a secret key to generate a token. The QR code communicates the secret key entropy and a helpful label for which service it's for, in a simple way to the end user.
The QR code is just a URL scheme which can be looked up. Do not use an online QR code generator, for hopefully obvious reasons.
It's best to use the above to read up on how you can implement this yourself, since no one on a Q&A site can recommend an API or SDK.
Trust no one.
Upvotes: 12
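The "URL scheme which can be looked up" from the answer above is the otpauth:// Key URI. As an added example (not part of the original answer, standard library only), here is a builder and a strict parser for it; the issuer, account and secret values are constructed. Parsing the URI back also makes the answer's warning concrete: the shared secret sits in plain Base32 in the QR payload, so whatever generates or receives the image has the secret.

```python
"""Build and parse the otpauth:// Key URI that an authenticator app reads from the QR code.

Added example, standard library only; issuer, account and secret values are constructed.
Parsing the URI back shows why the QR image must be generated locally: the shared secret
is right there in the payload for anything that renders or receives it.
"""
import base64
import binascii
from typing import Dict
from urllib.parse import parse_qs, quote, unquote, urlsplit

ALLOWED_ALGORITHMS = {"SHA1", "SHA256", "SHA512"}
ALLOWED_DIGITS = {6, 8}


def build_otpauth_uri(issuer: str, account: str, secret_b32: str,
                      algorithm: str = "SHA1", digits: int = 6, period: int = 30) -> str:
    """otpauth://totp/<issuer>:<account>?secret=..&issuer=..&algorithm=..&digits=..&period=..

    The issuer goes both into the label and into the query string, as the Key URI
    format recommends, so apps that read either one agree on it."""
    if ":" in issuer or ":" in account:
        raise ValueError("issuer and account must not contain ':' (the label separator)")
    label = quote(f"{issuer}:{account}", safe=":")
    query = (f"secret={secret_b32}&issuer={quote(issuer, safe='')}"
             f"&algorithm={algorithm}&digits={digits}&period={period}")
    return f"otpauth://totp/{label}?{query}"


def parse_otpauth_uri(uri: str) -> Dict[str, object]:
    """Parse a TOTP Key URI and validate it the way a strict app would (ValueError on failure)."""
    parts = urlsplit(uri)
    if parts.scheme != "otpauth":
        raise ValueError("not an otpauth:// URI")
    if parts.netloc != "totp":
        raise ValueError(f"unsupported OTP type {parts.netloc!r}")
    label = unquote(parts.path.lstrip("/"))
    label_issuer, _, account = label.rpartition(":")   # "Issuer:account" or bare "account"
    params = {k: v[-1] for k, v in parse_qs(parts.query).items()}

    secret = params.get("secret", "").replace(" ", "").upper()
    if not secret:
        raise ValueError("secret parameter is required")
    try:
        base64.b32decode(secret + "=" * (-len(secret) % 8))  # must be valid Base32
    except binascii.Error as exc:
        raise ValueError("secret is not valid Base32") from exc

    issuer = params.get("issuer", label_issuer)
    if label_issuer and issuer != label_issuer:
        raise ValueError("issuer parameter does not match the label")
    algorithm = params.get("algorithm", "SHA1").upper()
    if algorithm not in ALLOWED_ALGORITHMS:
        raise ValueError(f"unsupported algorithm {algorithm!r}")
    digits = int(params.get("digits", 6))
    if digits not in ALLOWED_DIGITS:
        raise ValueError(f"unsupported digits {digits}")
    period = int(params.get("period", 30))
    if period <= 0:
        raise ValueError("period must be positive")
    return {"issuer": issuer, "account": account, "secret": secret,
            "algorithm": algorithm, "digits": digits, "period": period}


def is_valid_otpauth_uri(uri: str) -> bool:
    """Convenience wrapper: True if parse_otpauth_uri accepts the URI."""
    try:
        parse_otpauth_uri(uri)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed values: the secret would come from your server-side generator.
    uri = build_otpauth_uri("Example Corp", "alice@example.com", "JBSWY3DPEHPK3PXP")
    print(uri)
    # Everything the QR encodes, secret included, is recoverable by whoever renders it:
    print(parse_otpauth_uri(uri))
```

Whatever renders this URI as an image (a local library such as the qrcode package mentioned in another answer, or any remote service) holds the user's shared secret at that moment, which is the whole reason to keep QR generation on your own server.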