One Time Pass-code generator, Symantec VIP-Access compatible, any device

[RFC-6238, TOTP, 30sec, 6 digits, SHA1, aka Google Authenticator]


This is a JavaScript-based, RFC-6238 compatible One Time Pass-code generator (OTP generator). It uses a SHA-1 Hashed Message Authentication Code (HMAC) with a time-based counter and an expiry interval of 30 seconds.

The Time-Based OTP algorithm is compatible with VeriSign, Symantec, Google and others. The implementation is device independent and can therefore be used across different platforms, including older mobile phones, which are no longer supported by current app-store apps. All code runs only locally in your browser and none of the data is sent over the network.

To use this OTP generator you will need a base-32 encoded secret. How to obtain this secret in case of Symantec VIP-Access or Google is described further down.

Base32 secret:

show secret: 


OTP:
Sec remaining:
UTC time:

Usage: Google Authenticator

Google Authenticator provides the secret code via a QR-code image. If you run Linux, you can decode the QR-code by taking a screenshot and processing it with zbarimg (part of the zbar-tools package). The code after "secret=" is the base-32 encoded secret.

Usage: Symantec VIP-access

Symantec VIP-access uses a REST API to provision the token generator. A credential-ID and the corresponding secret code are obtained during the provisioning phase. This normally happens during the installation of e.g. the Symantec VIP-access mobile phone app. To use the above OTP generator instead of the official Symantec VIP-access app you will need two strings: the base-32 encoded secret and the credential-ID.

The easiest way to get both is to install python-vipaccess (https://github.com/dlenski/python-vipaccess) and run
vipaccess provision -t SYMZ

The above command provisions a new OTP token generator and generates the file $HOME/.vipaccess. This .vipaccess file contains all the data you need (credential-ID to register the new token with Symantec and the base-32 encoded secret which you need for this javascript based OTP generator).

What are One Time Passwords (OTP)?

One time passwords are an authentication method based on shared secrets but the actual secret is not sent over the network. Instead a time limited pass-code is derived from the shared secret and that pass-code is used during authentication. This prevents an attacker who was able to listen-in on the network connection from successfully re-playing the data.

This particular TOTP algorithm produces tokens that expire after 30 seconds. To work reliably, the device running this JavaScript implementation must have accurate or almost accurate time and should be off by a few seconds at most. UTC (Greenwich Mean Time) is used by this algorithm. If you notice that pass-code tokens sometimes do not work, check the time. The above application displays the current UTC time as seen by your web browser.
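
The derivation described above (shared secret, 30-second time step, UTC clock), written out as an added example for Node.js. It is not this page's own code; the function names are chosen for the illustration and the secret is the published RFC 6238 test key, not a real one.

```javascript
// Added example: RFC 6238 TOTP (HMAC-SHA1, 30 s step, 6 digits) for Node.js.
const { createHmac } = require("node:crypto");

// Decode an RFC 4648 base-32 string (whitespace and '=' padding are ignored).
function base32Decode(text) {
  const alphabet = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567";
  const bytes = [];
  let acc = 0, bits = 0;
  for (const ch of text.toUpperCase().replace(/[\s=]/g, "")) {
    const v = alphabet.indexOf(ch);
    if (v < 0) throw new Error("invalid base-32 character: " + ch);
    acc = (acc << 5) | v;
    bits += 5;
    if (bits >= 8) {
      bits -= 8;
      bytes.push((acc >>> bits) & 0xff);
      acc &= (1 << bits) - 1; // keep only the bits not yet emitted
    }
  }
  return Buffer.from(bytes);
}

// HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter,
// then dynamic truncation to a 31-bit number and reduction to N digits.
function hotp(key, counter, digits = 6) {
  const msg = Buffer.alloc(8);
  msg.writeBigUInt64BE(BigInt(counter));
  const mac = createHmac("sha1", key).update(msg).digest();
  const offset = mac[mac.length - 1] & 0x0f;
  const code = mac.readUInt32BE(offset) & 0x7fffffff;
  return String(code % 10 ** digits).padStart(digits, "0");
}

// TOTP (RFC 6238): the counter is the number of whole steps since the Unix epoch (UTC).
function totp(secretBase32, unixSeconds = Math.floor(Date.now() / 1000), step = 30) {
  return hotp(base32Decode(secretBase32), Math.floor(unixSeconds / step));
}

// Seconds until the pass-code for the given time expires.
function secondsRemaining(unixSeconds, step = 30) {
  return step - (unixSeconds % step);
}

// Constructed input: the RFC 6238 test key "12345678901234567890" in base-32.
const TEST_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ";
console.log(totp(TEST_SECRET, 59), secondsRemaining(59));
```

A clock that is off by one full step lands on a neighbouring counter value and therefore on a different pass-code, which is why the time check above matters.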

Alternate TOTP generator applications

The implementation provided by this OTP generator is equivalent to the Linux command:
oathtool -d6 --base32 --totp -v AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
or simply:
oathtool --base32 --totp -v AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

Where "AAA..." is the base-32 encoded secret (dummy secret, replace with your real secret).


Written by Guido Socher, MIT license ( guidosocher@fastmail.fm )
version info: 2018-05-25 -- first version, 2018-06-08 -- editorial updates, 2018-06-10 added google authenticator