@abstractj
Last active December 16, 2015 14:58

AeroGear - OTP.js

This is an initial proposal for a two-factor authentication layer in JS applications.

Concerns

  • OTP is used differently in JavaScript than in native apps, and it tends to be tricky
  • QRCode is useless because we don't have access to native resources like the camera.
  • We have to assume that our users will switch between pages (OTP page vs. login page)
  • We can borrow ideas from the iOS workflow and adapt it to JS

Notes

  • For most of the scenarios, I'm assuming session storage to keep secrets.
  • To implement some workflows, more dependencies must be added, such as SHA or Base32 support

Scenarios

  1. Provide a page to support 30-second TOTP codes
  2. Make use of PIN/challenge
  3. Make use of captchas (meh)
  4. Make use of TOTP for password-based key derivation behind the scenes (password + OTP)
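
Scenario 1 and the SHA/Base32 dependencies mentioned in the notes, as an added example that is not part of the original gist or of AeroGear's code: a dependency-free RFC 6238 generator for 30-second codes. The function names (`base32Decode`, `sha1`, `hmacSha1`, `totp`) are hypothetical, and the secret is supplied by the caller.

```javascript
// Added example, hypothetical names, not AeroGear code. Base32 decoding per RFC 4648:
const B32 = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567';
function base32Decode(str) {
  let bits = 0, value = 0, out = [];
  for (const ch of str.toUpperCase().replace(/[\s=]/g, '')) {
    const idx = B32.indexOf(ch);
    if (idx < 0) throw new Error('invalid Base32 character: ' + ch);
    value = ((value << 5) | idx) & 0xfff; bits += 5;   // keep only the pending bits
    if (bits >= 8) { bits -= 8; out.push((value >>> bits) & 0xff); }
  }
  return out;
}
// SHA-1 over a byte array (inputs under 512 MiB); returns 20 bytes.
function sha1(bytes) {
  const msg = bytes.concat([0x80]), bitLen = bytes.length * 8;
  while (msg.length % 64 !== 56) msg.push(0);
  for (let i = 7; i >= 0; i--) msg.push(i > 3 ? 0 : (bitLen >>> (8 * i)) & 0xff);
  const h = [0x67452301, 0xefcdab89, 0x98badcfe, 0x10325476, 0xc3d2e1f0];
  const rotl = (x, n) => (x << n) | (x >>> (32 - n));
  for (let off = 0; off < msg.length; off += 64) {
    const w = []; let [a, b, c, d, e] = h;
    for (let i = 0, p = off; i < 80; i++, p += 4)      // message schedule
      w[i] = i < 16 ? (msg[p] << 24) | (msg[p + 1] << 16) | (msg[p + 2] << 8) | msg[p + 3]
        : rotl(w[i - 3] ^ w[i - 8] ^ w[i - 14] ^ w[i - 16], 1);
    for (let i = 0; i < 80; i++) {
      const [f, k] = i < 20 ? [(b & c) | (~b & d), 0x5a827999] : i < 40 ? [b ^ c ^ d, 0x6ed9eba1]
        : i < 60 ? [(b & c) | (b & d) | (c & d), 0x8f1bbcdc] : [b ^ c ^ d, 0xca62c1d6];
      const t = (rotl(a, 5) + f + e + k + w[i]) | 0;
      e = d; d = c; c = rotl(b, 30); b = a; a = t;
    }
    [a, b, c, d, e].forEach((v, i) => { h[i] = (h[i] + v) | 0; });
  }
  return h.flatMap(v => [v >>> 24, (v >>> 16) & 0xff, (v >>> 8) & 0xff, v & 0xff]);
}
// HMAC-SHA1 (RFC 2104) with a 64-byte block size.
function hmacSha1(key, msg) {
  if (key.length > 64) key = sha1(key);
  const pad = x => Array.from({ length: 64 }, (_, i) => (key[i] || 0) ^ x);
  return sha1(pad(0x5c).concat(sha1(pad(0x36).concat(msg))));
}
// TOTP (RFC 6238): HOTP dynamic truncation over the 8-byte big-endian time-step counter.
function totp(secretB32, unixSeconds, step = 30, digits = 6) {
  const counter = Math.floor(unixSeconds / step);
  const msg = Array.from({ length: 8 }, (_, i) => Math.floor(counter / 2 ** (8 * (7 - i))) % 256);
  const mac = hmacSha1(base32Decode(secretB32), msg);
  const o = mac[19] & 0x0f;
  const bin = ((mac[o] & 0x7f) << 24) | (mac[o + 1] << 16) | (mac[o + 2] << 8) | mac[o + 3];
  return String(bin % 10 ** digits).padStart(digits, '0');
}
```

Whatever holds the Base32 secret on the client, including the session storage assumed in the notes, is readable by any script running in the page's origin.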
