Foreword
Two-factor authentication (2FA), also known as two-step verification (2-Step Verification), is an authentication method.
Principle
Dynamic passwords are generated using the time difference as the synchronization condition between the server and the password generator: when you need to log in, the password generator produces a dynamic password. OTPs are generally divided into two types: count-based (event-based) and time-based. A count-based OTP, once produced, stays valid for an unlimited time until it is used; a time-based OTP has a configurable validity period, typically 30 seconds to two minutes. In both cases the OTP is discarded after authentication and a new password must be used for the next authentication, which makes unauthorized access to restricted resources harder.
TOTP Technical Standard
https://datatracker.ietf.org/doc/html/rfc6238
Related technical documents
- Use OTP dynamic password (changes every minute) for login authentication
- Quickly generate QR code using Google API
String format for OTP scan
Format:
otpauth://totp/<account>?secret=<secret>
Example:
otpauth://totp/花伤情犹在?secret=RR7VFLUFFJPJ4FYFS66REZG6FROEI55M
Tokens can be added manually by entering the account and secret key into 阿里云身份宝 or Google Authenticator; the app then uses time synchronization to produce the OTP dynamic password.
Alternatively, generate a QR code from the OTP string (for example with the Caoliao (草料) QR code generator: https://cli.im/) and scan it with the app.
Generate QR code with Google API
This project uses the Google Chart API to generate the QR code.
Link parameter details:
- https://chart.googleapis.com/chart? : the head of the Google Chart API URL; copy it directly.
- &cht=qr : the chart type is qr, i.e. a QR (two-dimensional) code.
- &chs=200x200 : the size of the generated image is 200x200 (width x height). This is not the real size of the generated image but its maximum size.
- &choe=UTF-8 : the encoding of the content; the default is UTF-8. For other encodings, refer to the Google API documentation.
- &chld=L|4 : L is the default error correction level; 4 is the margin size of the QR code, which you can adjust. For the exact parameters, refer to the Google API documentation.
- &chl=XXXX : the QR content, i.e. the information you see after decoding. Chinese characters must be UTF-8 encoded, otherwise there will be problems.
j256 open source two-step verification
Maven dependency:
<dependency>
    <groupId>com.j256.two-factor-auth</groupId>
    <artifactId>two-factor-auth</artifactId>
    <version>1.3</version>
</dependency>
2-step verification Java code
Two-step authentication (2FA) Java code that uses a time-based one-time password (TOTP) algorithm. You can use this code with the Google Authenticator mobile app or the Authy mobile or browser app.
- See the Wikipedia page on TOTP
- Code available from git repository
- Maven packages are published by
Generate the key
- Use generateBase32Secret() to generate a secret in base-32 format for the user, for example "NY4A5CPJZ46LXZCP".
- Store the key in the database associated with the user account.
- Display the QR code image URL returned by qrImageUrl(…) to the user; the user loads the key into their authenticator app by scanning the image.
Verify the code
- The user enters the number from the authenticator application into a login form on the web server.
- The web server reads the key associated with the user account from the database.
- The server compares the user input to the output from generateCurrentNumberString(…).
- If they are equal, the user is allowed to log in.
Code example
import com.j256.twofactorauth.TimeBasedOneTimePasswordUtil;

public class TotpDemo { // wrapper class added so the snippet compiles
    public static void main(String[] args) throws Exception {
        // Generate a Base32 secret for the user
        String base32Secret = TimeBasedOneTimePasswordUtil.generateBase32Secret(32);
        System.out.println("secret = " + base32Secret);
        // Name of the key as displayed by the authenticator app
        String keyId = "hsqyz";
        // Generate the QR code image URL
        System.out.println("Image url = " + TimeBasedOneTimePasswordUtil.qrImageUrl(keyId, base32Secret));
        // Show this image to the user so they can load it into their authenticator app
        // The current code can be computed here and compared with the user's input
        String code = TimeBasedOneTimePasswordUtil.generateCurrentNumberString(base32Secret);
        System.out.println("code : " + code);
        /*
         * This loop shows how the number changes over time
         */
        while (true) {
            long diff = TimeBasedOneTimePasswordUtil.DEFAULT_TIME_STEP_SECONDS
                    - ((System.currentTimeMillis() / 1000) % TimeBasedOneTimePasswordUtil.DEFAULT_TIME_STEP_SECONDS);
            code = TimeBasedOneTimePasswordUtil.generateCurrentNumberString(base32Secret);
            System.out.println("Secret code = " + code + ", change in " + diff + " seconds");
            Thread.sleep(1000);
        }
    }
}
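An added example (not code from the page, the j256 library or the suyin58 project): it implements the time-based OTP described in the Principle section in Python, checked against the RFC 6238 test vectors, builds the otpauth://totp string from the format above, and performs the server-side comparison from the verification steps, adding a one-step clock-skew window and a per-user last-accepted counter so an authenticated code is discarded rather than accepted twice. The names decode_secret, hotp, totp, otpauth_uri and TotpVerifier are this example's own, and the otpauth string is built locally so the raw secret never has to be sent to a QR or chart web service.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import quote

# Added example; names below are this example's own, not j256 or suyin58 API.
TIME_STEP = 30   # same as DEFAULT_TIME_STEP_SECONDS in the page's Java snippet
DIGITS = 6

def decode_secret(base32_secret: str) -> bytes:
    """Base32 secret as carried in the otpauth string; pad so unpadded keys decode too."""
    s = base32_secret.strip().upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))

def hotp(key: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the big-endian 8-byte counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(base32_secret: str, at_seconds: int) -> str:
    """RFC 6238: the counter is the number of whole TIME_STEP intervals since the Unix epoch."""
    return hotp(decode_secret(base32_secret), at_seconds // TIME_STEP)

def otpauth_uri(account: str, base32_secret: str) -> str:
    """The otpauth://totp/<account>?secret=<secret> string the page uses for QR enrolment."""
    return f"otpauth://totp/{quote(account)}?secret={base32_secret}"

class TotpVerifier:
    """Server side of the page's verification steps, plus a +/-1 step window for clock
    skew and a per-user 'last accepted counter' so a code cannot be replayed."""
    def __init__(self, window: int = 1):
        self.window = window
        self.last_counter = {}  # username -> last accepted counter; persist beside otp_sk

    def verify(self, username: str, base32_secret: str, user_input: str, now=None) -> bool:
        key = decode_secret(base32_secret)
        counter = (int(time.time()) if now is None else now) // TIME_STEP
        for candidate in range(counter - self.window, counter + self.window + 1):
            if candidate <= self.last_counter.get(username, -1):
                continue  # this step (or an earlier one) was already used: reject replays
            if hmac.compare_digest(hotp(key, candidate), user_input.strip()):
                self.last_counter[username] = candidate
                return True
        return False
```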
suyin58 open source two-step verification
Database table structure:
CREATE TABLE `t_user` (
    `username` varchar(30) COLLATE utf8_bin NOT NULL,
    `otp_sk` varchar(64) COLLATE utf8_bin NOT NULL,
    PRIMARY KEY (`username`)
) ENGINE=InnoDB DEFAULT CHARSET=utf8 COLLATE=utf8_bin;
Create a user
- Run the main method of RegistTest; be sure to modify f_temp (temporary storage directory for the QR code image) and email (address that receives the QR code image).
The project is deployed under Tomcat; login address: http://127.0.0.1:8580/login.jsp