Testing the 2-Factor functionality in your code

05 Jul, 2021

If you're writing software with 2-Factor Authentication (2FA/MFA) and you're rightfully avoiding using emails or SMS messages, then you're probably implementing one of two well-known algorithms where the user retrieves a code from an app on their phone. If the codes on the user's phone cycle on a regular interval, then the app is using an algorithm known as Time-based One-Time Password (TOTP).

When implementing TOTP into your software you're going to have to test it! Websites like FreeOtp can be used to generate TOTP configurations, and apps like the Google Authenticator can be used to generate the codes from those configurations, but there doesn't seem to be a simple well-known solution for doing both. Fear not though, because I have created totp-online.tobythe.dev/!

Totp-Online can be used to generate TOTP configurations of all shapes and sizes, as well as generate the codes to use in your software to log in. Note that it's not cryptographically secure, so you shouldn't be using it in production, but it does store your configurations in local storage so they're there the next time you visit.

Support

While most of the TOTP apps that your users will be using only support SHA-1 hashing, 30-second time intervals, and 6-digit codes, Totp-Online allows you to configure all the possibilities that the TOTP IETF standard supports.

The supported hashing algorithms are:

  • SHA-1
  • SHA-224
  • SHA-256
  • SHA-384
  • SHA-512

The supported time intervals (periods) are:

  • 15 seconds
  • 30 seconds
  • 1 minute
  • 2 minutes
  • 5 minutes
  • 10 minutes

Totp-Online also supports code lengths between 6 and 10.

Ranges

It might not be very well known, but when a user inputs their TOTP code into a website, they usually don't need to use the current code specifically. Usually, software that implements TOTP authentication allows the user to input one of a range of codes, to allow for clock drift and for the time it takes a user to type the code in. This means that if your code changes, it's probably still usable for around a minute or so, depending on the software's implementation.

For those developing TOTP into their app, Totp-Online allows you to see a whole range of codes for a given configuration. By clicking on the context menu of a config and selecting "View code range" you can see 5 codes into the past and 5 codes into the future. This allows you to test the ranges that your software supports and ensure that it's to your liking.
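To make the Support and Ranges sections concrete, here is an added example (not Totp-Online's code) of a TOTP generator with a configurable hash, period and code length, plus a server-side check that accepts a range of steps. The function names, the `window` parameter and the sample secret are assumptions chosen for illustration.

```python
import hashlib
import hmac
import struct


def totp(secret: bytes, at: int, period: int = 30, digits: int = 6,
         algorithm: str = "sha1", step_offset: int = 0) -> str:
    """TOTP code for Unix time `at`, shifted by `step_offset` whole periods."""
    counter = at // period + step_offset
    if counter < 0:
        raise ValueError("time step is before the Unix epoch")
    digest = getattr(hashlib, algorithm)  # sha1, sha224, sha256, sha384, sha512
    mac = hmac.new(secret, struct.pack(">Q", counter), digest).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation: low nibble of the last byte
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def code_range(secret: bytes, at: int, back: int = 5, forward: int = 5, **cfg):
    """(offset, code) pairs from `back` steps in the past to `forward` ahead."""
    return [(k, totp(secret, at, step_offset=k, **cfg))
            for k in range(-back, forward + 1)]


def verify(secret: bytes, submitted: str, at: int, window: int = 1, **cfg):
    """Return the step offset that matched within +/- `window`, else None."""
    matched = None
    for k in range(-window, window + 1):
        expected = totp(secret, at, step_offset=k, **cfg)
        # Constant-time comparison; every offset is checked regardless of a hit.
        if hmac.compare_digest(expected.encode(), submitted.encode()):
            matched = k
    return matched


# Constructed sample input: the ASCII test secret from the RFC 6238 appendix.
SAMPLE_SECRET = b"12345678901234567890"
SAMPLE_TIME = 1111111109

if __name__ == "__main__":
    for step, code in code_range(SAMPLE_SECRET, SAMPLE_TIME, digits=8):
        print(f"{step:+d}  {code}")
    # The code for the *next* step passes with window=1 and fails with window=0.
    next_code = totp(SAMPLE_SECRET, SAMPLE_TIME, digits=8, step_offset=1)
    print(verify(SAMPLE_SECRET, next_code, SAMPLE_TIME, window=1, digits=8))
    print(verify(SAMPLE_SECRET, next_code, SAMPLE_TIME, window=0, digits=8))
```

Each extra step in `window` is one more code an attacker could guess or replay, so keep it as small as your users' clocks allow and reject any step at or below the last one you accepted for that user.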