
248 points dogacel | 2 comments
yuliyp No.43688638
Facebook's login/account recovery codes are not TOTP/HOTP, but are random numbers. Also, the author struggled to check their implementation. One can easily compare an implementation of many websites by grabbing the QR codes they use for login and importing into your favorite authenticator app and also decoding the QR code to get the secret. In theory your code should produce the same codes at the same time as the app.
replies(2): >>43688903 #>>43690655 #
dogacel No.43688903
Hi,

> Also, the author struggled to check their implementation. One can easily compare an implementation of many websites by grabbing the QR codes they use for login and importing into your favorite authenticator app and also decoding the QR code to get the secret.

Can you clarify this? It's been some time since I have written the code, AFAIK it was working fine. Did you see any discrepancies when you tested the implementation against a real authenticator app?

replies(1): >>43693575 #
1. yuliyp No.43693575
I was responding to the statement at the bottom of the article: "however I have struggled to find a website that help me check my implementation as their secret-key representations were not standardized. Thus, I have published my own short demo app to showcase." The Google Authenticator QR codes end up being a fairly standardized secret key representation.
replies(1): >>43693705 #
2. dogacel No.43693705
Even though QR codes are standardized, the original RFCs do not use QR codes. That's what I tried to mean: you can't find apps that use plain-text secrets.