So here I am, screwing around with the Google Authenticator app and the dodgiest base32 code generator I've ever built, and generating a 56-char unique ID and an 8-digit time-based code.

WTF, all these products, services and logins that use 6 digit codes... and this fucking thing can handle 8 without breaking 😑

Now... to hook it into a QR code class... and spit out an image I can actually scan, without calling the Google Charts API.

I can't say I've written one of those before 🙃

  • 3
  • 2
    Do you have any links to documentation for this?
  • 6
    Yeah, the HOTP RFC, on which TOTP is based as well, actually allows for a variable length of the token. 6 is just recommended as the minimal value; I assume that's why it is used everywhere.
  • 3
    @Abrynos maybe at a point where I'm not messing around with it anymore and looking to make it production viable.

    Otherwise the RFC isn't too complicated if you've worked with base32 algos before.

    Best doc I came across in my journeys last night which got me to the secret key/code

    Still need to do the verification side of it.

    If you use Google's charts to generate a QR code, URL-encode the otpauth:// part.
  • 1
    Ok, so implementing the 8 digit code is not a good idea.
    Android and BlackBerry ignore the digits part and just generate 6, which makes sense.... not.

    Not even Google follows the RFC 🤦‍♂️
    Fuck my duck!

    Back to 6 I go.
    Hell, I probably can't use huge base32 seeds either on other devices.
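
The variable-length codes, the `otpauth://` URI and the verification side discussed in this thread, as an added example that is not code from any of the posts. It uses the published RFC 6238 SHA-1 test key; the function names, issuer and account are assumptions made for illustration.

```python
import base64, hashlib, hmac, struct
from urllib.parse import quote, urlencode

def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the counter, dynamic truncation, modulo 10^digits."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # low nibble of the last byte selects a 4-byte window
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def totp(key: bytes, unix_time: int, digits: int = 6, period: int = 30) -> str:
    """RFC 6238: HOTP with the counter derived from the clock."""
    return hotp(key, unix_time // period, digits)

def verify(key, submitted, unix_time, digits=6, period=30, window=1) -> bool:
    """Server side: accept the current step plus/minus `window` steps of clock drift."""
    for step in range(-window, window + 1):
        expected = totp(key, unix_time + step * period, digits, period)
        if hmac.compare_digest(expected.encode(), submitted.encode()):
            return True
    return False

def otpauth_uri(secret_b32, account, issuer, digits=6, period=30) -> str:
    """Key URI carried by the QR code; `digits` is the parameter some apps ignore."""
    label = quote(issuer, safe="") + ":" + quote(account, safe="")
    params = urlencode({"secret": secret_b32, "issuer": issuer,
                        "digits": digits, "period": period})
    return f"otpauth://totp/{label}?{params}"

KEY = b"12345678901234567890"                   # RFC 6238 SHA-1 test key
SECRET_B32 = base64.b32encode(KEY).decode()     # what the authenticator app stores
URI = otpauth_uri(SECRET_B32, "alice@example.test", "ExampleCorp", digits=8)  # constructed names
# When the URI is itself a query parameter of a QR-rendering service, encode all of it.
URI_AS_PARAM = quote(URI, safe="")

if __name__ == "__main__":
    server_code = totp(KEY, 59, digits=8)       # what a server configured for 8 digits expects
    app_code = totp(KEY, 59, digits=6)          # what an app that ignores digits=8 displays
    print(URI)
    print(server_code, app_code, verify(KEY, app_code, 59, digits=8))
```

The 6-digit code is only the last six digits of the 8-digit one, so a server expecting 8 digits rejects what such an app displays, and enrolment has to fall back to 6.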