Terence Eden’s Blog

Towards a test-suite for TOTP codes

@edent2fa CyberSecurity HTOP MFA Open Source totp · 2 comments · 1,250 words

Screenshot showing a QR code and numeric codes.

Because I'm a massive nerd, I actually try to read specification documents. As I've ranted ad nauseam about the current TOTP spec being irresponsibly obsolete. The three major implementations of the spec - Google, Apple, and Yubico - all subtly disagree on how it should be implemented. Every other MFA app has their own idiosyncratic variants. The official RFC is infuriatingly vague. That's no good for a security specification. Multiple implementations are great, multiple interpretations are…

Continue reading →

Using the Web Crypto API to Generate TOTP Codes in JavaScript Without 3rd Party Libraries

@edentCyberSecurity javascript totp · 2 comments · 750 words · read ~219 times.

A chunky wristwatch showing the time and a selection of 6 digit codes and their corresponding entities.

The Web Crypto API is, thankfully, nothing to do with scammy cryptocurrencies. Instead, it provides access to powerful cryptographic features which were previously only available in 3rd party tools. So, is it possible to build a TOTP code generator without using any external JS libraries? Yes! And it is (relatively) simple. Here's the code that I've written. It is slightly verbose and contains a lot of logging so you can see what it is doing. I've annotated it with links to the various…

Continue reading →