Reputation: 3861
I am trying to replicate the functionality of Authy/Google Authenticator for a private application. What algorithm should I use to get the 6 or 8 digit 2fa-code from a known secret? Is there an open-source package for this?
Upvotes: 2
Views: 1615
Reputation: 29
In Python, it is unbelievably easy. Probably similar for other languages.
First, install the pyotp package via pip3 (or for Debian-based systems there is an apt package, python3-pyotp).
Then, create a small program like this:
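```python
import pyotp

# Replace the placeholder with the Base32 secret shown during app registration
totp = pyotp.TOTP('{16 or 32 character secret}')
print(totp.now())  # current time-based code
```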
To fill in the secret, you need to go through the new app registration process for the system you are using, and tell it you can't scan the QR code it gives you. It will then display the secret, along with other info such as the account name which is irrelevant. Only the actual key, which will consist of a string of seemingly random characters, is what you need.
Once you have the key, substitute it into the above code, without the curly braces but WITH the quotes.
Then you can just run the program and it will print your time-based code. Note that the date/time has to be set on your computer for this to work.
Upvotes: 1
Reputation: 826
These are generated using the Time-Based One-Time Password (TOTP) Algorithm. RFC at https://datatracker.ietf.org/doc/html/rfc6238. There are many packages available for this depending on your preferred programming language. (You can search for TOTP <your language> on Google to find packages that do this.)
Once you have the key, the OTP can be generated based on the current time.
Upvotes: 5