Create One Time Password (OTP) For Your Applications Using FreeOTP

We typically protect our applications using an identifier (such as a username or email address), and a password. Most organisations have also started to use 2-Factor Authentication (2FA), where apart from a password, you will need to identify yourself through a 2nd medium (such as a password on your phone).

I will demonstrate how you can implement a One Time Password (OTP) based setup which you can use as a 2FA or a standalone setup.

The concept is quite easy to understand:

  1. We will use TOTP (Time based OTP)
  2. Create a Hex Value which will be a user’s key (such as a1b2c3d4e5)
  3. Generate a Base32 encoded version of the key
  4. Install an app FreeOTP in your phone and specify the total OTP digits (6 by default), and the step size in seconds (30 seconds)
  5. Feed in the user’s key, and the Base32 encoded version along with other identifiers such as email address for identification
  6. Now, whenever you use the FreeOTP, you will receive a number valid for 30 seconds (the step size / interval)
  7. Validate the number on the server through oathtool by specifying the digits, the step size, and the Hex Value. It will match.

Let’s get started.

Base Setup

Install oathtool on the server which will do the validation

apt-get install oathtool

Install FreeOTP on your mobile phone. It is a free app available on iOS and Android.

Create a Hex Key

The easiest way is

head -10 /dev/urandom | md5sum | cut -b 1-8

The above command will output an 8-digit Hex Value.

You can create more complicated keys through

head -10 /dev/urandom | md5sum | cut -b 1-30

You can also use a combination of 0-9 digits and a-f alphabets to create the key.

Get a base32 encoded version of the Hex Value

Run the following command

oathtool --totp --verbose YOUR_HEX_KEY

You will see among other items, a “Base32 secret“. Note that value as you will need it to feed into FreeOTP.

FreeOTP Configuration

  1. Enter the Issuer – it is for your reference. Can be an email or anything else.
  2. Enter the Hex Value as ID
  3. Enter the Base32 Value as Secret
  4. Interval is 30 Seconds by default
  5. Digits are 6 by default
  6. Algorithm is SHA1 by default

That’s all. Now save that information, and when you click on your entry, it will show you a number valid for 30 seconds.

OTP Setup using FreeOTP and oathtool


Validate it on the server

Use the command oathtool to validate it on the server

oathtool --totp YOUR_HEX_KEY

The above assumes that you’ve taken the step size (interval) as 30 and digits as 6. If you have done a different configuration, you can try out the following too by specifying the step size and digits explicitly.

oathtool --totp -s 30 -d 6 YOUR_HEX_KEY

(Replace 30 & 6 with your step size & digits respectively)

Next steps

  1. To manage users, you can integrate it with a user database where each user also has a randomly generated key associated with it. Create a QR code with all relevant information (Issuer, ID, Secret) so that FreeOTP can easily read it. Give it to the users to add information to their phones.
  2. At the server end, when you are authenticating a user, ask for a identifier (such as the email address or a username), and use the key associated with that identifier to generate an OTP using the oathtool command. If the one provided by the user matches with the one generated by your system, then you can authenticate the user.
  3. What if 30 seconds is too less and while the user is entering the information, the information changes? You can generate future OTPs by using the time window parameter (-w). You can also use a historical time using the current time parameter (-n). For example:
    oathtool --totp -w 5 -N "2017-08-16 22:46:00" 1a2b3c4d5e

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s