Implementing two-factor authentication with OTP dynamic passwords in Java

Foreword

Two-factor authentication (2FA), also translated as two-factor verification and also known as two-step verification (2-Step Verification), is a kind of authentication method.

Principle
Dynamic passwords are generated mainly by using the time difference as the synchronisation condition between the server and the password generator. When a login is required, the password generator is used to produce a dynamic password. OTPs are generally of two kinds: count-based and time-based. A count-based OTP, once produced, can be used without any time limit; a time-based OTP has a configurable validity period, ranging from 30 seconds to two minutes, and is discarded after authentication, so a new password must be used for the next authentication, which makes unauthorised attempts to reach restricted resources harder.

TOTP Technical Standard
https://datatracker.ietf.org/doc/html/rfc6238

Related technical documents

Use OTP dynamic password (changes every minute) for login authentication

Quickly generate QR code using Google API


String format for the OTP QR code

Format:

otpauth://totp/<account>?secret=<base-32 secret>

Example:

otpauth://totp/花伤情犹在?secret=RR7VFLUFFJPJ4FYFS66REZG6FROEI55M

Tokens can be added manually by entering the account and key

Use the 阿里云身份宝 (Alibaba Cloud) app or Google Authenticator, which synchronise by time, to obtain the OTP dynamic password


Or generate a QR code from the OTP string

草料 (Caoliao) QR code generator: https://cli.im/


Tokens can be added by manually entering an account and secret key or by scanning a QR code


Generate QR code with Google API

This project uses the Google Chart API to generate the QR code.

Link parameter details:

  1. https://chart.googleapis.com/chart? is the head of the Google Chart API URL; copy it as it is.
  2. &cht=qr means the chart type is qr, i.e. a QR code.
  3. &chs=200x200 is the size of the generated image as width x height. It is not the exact size of the image produced; treat it as the maximum size.
  4. &choe=UTF-8 is the encoding of the content. It defaults to UTF-8; for other encodings refer to the Google API documentation.
  5. &chld=L|4: L is the default error-correction level, and 4 is the size of the margin (quiet zone) around the QR code, which you can adjust. For the exact parameters refer to the Google API documentation.
  6. &chl=XXXX is the QR content, i.e. the information you see after decoding. When the content includes Chinese, percent-encode it as UTF-8, otherwise there will be problems.
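The parameter list above leaves the encoding step implicit, so here is an added example (not code from the original post or from any of the projects it links) that builds the otpauth URI an authenticator app scans and then wraps it in the Chart API URL, percent-encoding the account label once for the URI and the whole URI a second time for chl. It assumes the Key URI label form "issuer:account" with an issuer parameter, as Google Authenticator documents; the issuer "demo" is a constructed value, while the account name and secret are the post's own example.

```java
// Added example: otpauth URI plus Google Chart API QR URL with correct percent-encoding.
// Not from the original post; issuer "demo" is a constructed value.
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;

public class OtpQrUrl {

    // URLEncoder produces form encoding, which turns a space into '+'; a URI path or an
    // otpauth label needs %20 instead, so patch that one difference.
    static String pct(String s) {
        return URLEncoder.encode(s, StandardCharsets.UTF_8).replace("+", "%20");
    }

    // otpauth://totp/ISSUER:ACCOUNT?secret=BASE32&issuer=ISSUER
    // The label is encoded once: the ':' becomes %3A and each Chinese character becomes its UTF-8 bytes.
    static String otpauthUri(String issuer, String account, String base32Secret) {
        String label = pct(issuer + ":" + account);
        return "otpauth://totp/" + label
             + "?secret=" + pct(base32Secret)
             + "&issuer=" + pct(issuer);
    }

    // The Chart API parameters from the list above. The otpauth URI is itself a query value,
    // so it is encoded a second time here; the app decodes one layer when it reads the QR code.
    static String chartQrUrl(String otpauthUri, int size) {
        return "https://chart.googleapis.com/chart?cht=qr"
             + "&chs=" + size + "x" + size
             + "&choe=UTF-8&chld=L|4"
             + "&chl=" + pct(otpauthUri);
    }

    public static void main(String[] args) {
        // Account name and secret are the example values from the post; "demo" is constructed.
        String uri = otpauthUri("demo", "花伤情犹在", "RR7VFLUFFJPJ4FYFS66REZG6FROEI55M");
        System.out.println(uri);
        System.out.println(chartQrUrl(uri, 200));
    }
}
```

The secret is the only credential in this URL, so anything that receives the chart request (a third-party chart service, a proxy log, a browser history) learns it; generating the QR image locally, as the 草料 step or the suyin58 project's temporary image directory do, keeps the secret off the wire.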

j256 open source two-step verification

2-step verification

<dependency>
    <groupId>com.j256.two-factor-auth</groupId>
    <artifactId>two-factor-auth</artifactId>
    <version>1.3</version>
</dependency>

Github address

2-step verification Java code

Two-step authentication (2FA) Java code that uses a time-based one-time password (TOTP) algorithm. You can use this code with the Google Authenticator mobile app or the Authy mobile or browser app.

Generate the secret

  1. Use generateBase32Secret() to generate a secret in base-32 format for the user, for example "NY4A5CPJZ46LXZCP".
  2. Store the secret in the database, associated with the user account.
  3. Display to the user the QR-code image URL returned by qrImageUrl(…).

The user loads the secret into their authenticator app by scanning the image.

Verify the code

  1. The user enters the number from the authenticator application into a login form on the web server.
  2. The web server reads the key associated with the user account from the database.
  3. The server compares the user input to the output from generateCurrentNumberString(…).
  4. If they are equal, the user is allowed to log in.
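The Principle section and RFC 6238 (linked above) describe the algorithm, and step 3 reduces it to one string comparison. As an added example, not code from the post or from the j256 library, here is the whole thing on the plain JDK: base-32 decoding, the HMAC-SHA1 computation over the time step, and a server-side check that tolerates clock drift and compares in constant time. It assumes a 30-second step and 6 digits (the j256 defaults), checks itself against the RFC 6238 Appendix B SHA-1 test secret "12345678901234567890" and its published values, and constructs the timestamp 1700000000 and the late-code scenario for illustration; the secret "NY4A5CPJZ46LXZCP" is the post's own example.

```java
// Added example: RFC 6238 TOTP on the plain JDK with a drift window and constant-time compare.
// Not from the original post or the j256 library. Timestamp 1700000000 is constructed.
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;

public class TotpCheck {

    static final int TIME_STEP_SECONDS = 30;   // same step the j256 library uses by default
    static final int DIGITS = 6;

    // Decode an RFC 4648 base-32 secret, the format authenticator apps accept.
    static byte[] decodeBase32(String secret) {
        String alphabet = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567";
        String s = secret.toUpperCase().replace("=", "");
        byte[] out = new byte[s.length() * 5 / 8];
        int buffer = 0, bits = 0, idx = 0;
        for (char c : s.toCharArray()) {
            int v = alphabet.indexOf(c);
            if (v < 0) throw new IllegalArgumentException("not a base-32 character: " + c);
            buffer = (buffer << 5) | v;
            bits += 5;
            if (bits >= 8) {
                bits -= 8;
                out[idx++] = (byte) ((buffer >> bits) & 0xff);
                buffer &= (1 << bits) - 1;   // keep only the leftover low bits
            }
        }
        return out;
    }

    // RFC 6238: code = HOTP(K, T) with T = floor(unixSeconds / step), HMAC-SHA1, dynamic truncation.
    static String totp(byte[] key, long unixSeconds) throws Exception {
        long counter = unixSeconds / TIME_STEP_SECONDS;
        byte[] msg = new byte[8];                      // T as an 8-byte big-endian integer
        for (int i = 7; i >= 0; i--) {
            msg[i] = (byte) (counter & 0xff);
            counter >>= 8;
        }
        Mac mac = Mac.getInstance("HmacSHA1");
        mac.init(new SecretKeySpec(key, "HmacSHA1"));
        byte[] hash = mac.doFinal(msg);
        int offset = hash[hash.length - 1] & 0x0f;     // dynamic truncation: low nibble of last byte
        int binary = ((hash[offset] & 0x7f) << 24)
                   | ((hash[offset + 1] & 0xff) << 16)
                   | ((hash[offset + 2] & 0xff) << 8)
                   |  (hash[offset + 3] & 0xff);
        int modulus = 1;
        for (int i = 0; i < DIGITS; i++) modulus *= 10;
        return String.format("%0" + DIGITS + "d", binary % modulus);
    }

    // Server-side check for step 3: accept the current step and `window` steps either side (clock
    // drift plus typing time), compare in constant time, and do not stop at the first match so the
    // response time does not reveal which step matched.
    static boolean verify(String base32Secret, String userInput, long unixSeconds, int window) throws Exception {
        byte[] key = decodeBase32(base32Secret);
        byte[] given = userInput.getBytes(StandardCharsets.US_ASCII);
        boolean ok = false;
        for (int i = -window; i <= window; i++) {
            byte[] expected = totp(key, unixSeconds + (long) i * TIME_STEP_SECONDS).getBytes(StandardCharsets.US_ASCII);
            ok |= MessageDigest.isEqual(expected, given);
        }
        return ok;
    }

    public static void main(String[] args) throws Exception {
        // Self-check against RFC 6238 Appendix B (SHA-1, secret "12345678901234567890"; the RFC lists
        // 8-digit values 94287082 for T=59 and 07081804 for T=1111111109, a 6-digit app shows the low 6).
        byte[] rfcKey = "12345678901234567890".getBytes(StandardCharsets.US_ASCII);
        if (!totp(rfcKey, 59L).equals("287082") || !totp(rfcKey, 1111111109L).equals("081804")) {
            throw new IllegalStateException("TOTP implementation does not match RFC 6238 test vectors");
        }
        System.out.println("RFC 6238 test vectors OK");

        // Constructed scenario: the post's example secret and a user who submits the code from the
        // previous 30-second step. A window of 1 accepts it, a window of 0 does not.
        String secret = "NY4A5CPJZ46LXZCP";
        long now = 1_700_000_000L;                      // constructed timestamp, not the real clock
        String lateCode = totp(decodeBase32(secret), now - TIME_STEP_SECONDS);
        System.out.println("window 1 accepts previous-step code: " + verify(secret, lateCode, now, 1));
        System.out.println("window 0 accepts previous-step code: " + verify(secret, lateCode, now, 0));
    }
}
```

Two points the four steps above do not cover: the comparison should be constant-time rather than a plain equals on the code string, and a verifier should remember the last step it accepted for a user and refuse a second submission of the same code, which RFC 6238 requires, since a six-digit code is otherwise valid for the whole window and can be replayed by anyone who sees it. Rate-limiting failed attempts per account is what keeps a six-digit space from being brute-forced.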

Code example

import com.j256.twofactorauth.TimeBasedOneTimePasswordUtil;

public class TotpDemo {

    public static void main(String[] args) throws Exception {

        // Generate a Base32 secret
        String base32Secret = TimeBasedOneTimePasswordUtil.generateBase32Secret(32);

        System.out.println("secret = " + base32Secret);

        // This is the name of the key that the authenticator app can display
        String keyId = "hsqyz";
        // Generate the QR code
        System.out.println("Image url = " + TimeBasedOneTimePasswordUtil.qrImageUrl(keyId, base32Secret));
        // We can show this image to the user so they load it into their authenticator app

        // Here we can take the current code and compare it with the user's input
        String code = TimeBasedOneTimePasswordUtil.generateCurrentNumberString(base32Secret);

        System.out.println("code : " + code);

        /*
         * This loop shows how the number changes over time
         */
        while (true) {
            long diff = TimeBasedOneTimePasswordUtil.DEFAULT_TIME_STEP_SECONDS
                    - ((System.currentTimeMillis() / 1000) % TimeBasedOneTimePasswordUtil.DEFAULT_TIME_STEP_SECONDS);
            code = TimeBasedOneTimePasswordUtil.generateCurrentNumberString(base32Secret);
            System.out.println("Secret code = " + code + ", change in " + diff + " seconds");
            Thread.sleep(1000);
        }
    }
}

suyin58 open source two-step verification

Database table structure:

CREATE TABLE `t_user` (
  `username` varchar(30) COLLATE utf8_bin NOT NULL,
  `otp_sk` varchar(64) COLLATE utf8_bin NOT NULL,
  PRIMARY KEY (`username`)
) ENGINE=InnoDB DEFAULT CHARSET=utf8 COLLATE=utf8_bin;

Create a user

  • Run the main method of RegistTest; remember to change f_temp (the temporary storage directory for the QR-code image) and email (the address that receives the QR-code image).
  • The project is deployed under Tomcat; the login address is http://127.0.0.1:8580/login.jsp


Source: https://blog.csdn.net/qq_31762741/article/details/122889805