Authenticating

To authenticate a user use the Hotp.verify method, passing the password that the user provided along with the user's base32 encoded secret key.

var secret = "NSPUNKGGGVFK7DNXZV5BPBZJ7AQ5TTIK"; // Secret for the user's account
var password = 548056; // Password provided by the user

var valid = lcapps.crypto.Hotp.verify(secret, password);

The example above should cover most use cases. There are additional arguments for different password lengths, time-range leniency, and hashing methods if needed.

It is recommended to not accept the same password for a user multiple times.

Enrolling Users

In order to set up multi-factor authentication for a user, the application must generate base32 encoded a secret key. This key will be used by both the user's authentication app and the application the user is logging in to. A simple secret generation method is available as Hotp.createSecret.

The secret is typically registered in the user's authentication app using a QR code. This library doesn't provide tools for generating QR code graphics but it can create the URI that may be used to generate a QR code.

var userName = "test";
var domain = "lc-apps.co.uk";
var secret = lcapps.crypto.Hotp.createSecret();
var issuer = "LC Apps";

lcapps.crypto.Hotp.createAuthenticatorUri(userName, domain, secret, issuer);

The above example would create the URI otpauth://totop/LC%20Apps:test@lc-apps.co.uk?secret=NSPUNKGGGVFK7DNXZV5BPBZJ7AQ5TTIK&issuer=LC%20Apps. This URI would then be encoded as a QR code for the user to register the key into their authentication app.