Google Authenticator implementation in Python

by

I wanted to set a bounty on my question, but I have succeeded in creating solution. My problem seemed to be connected with incorrect value of secret key (it must be correct parameter for base64.b32decode() function).

Below I post full working solution with explanation on how to use it.

Code

The following code is enough. I have also uploaded it to GitHub as separate module called onetimepass (available here: https://github.com/tadeck/onetimepass).

import hmac, base64, struct, hashlib, time

def get_hotp_token(secret, intervals_no):
    key = base64.b32decode(secret, True)
    msg = struct.pack(">Q", intervals_no)
    h = hmac.new(key, msg, hashlib.sha1).digest()
    o = ord(h[19]) & 15
    h = (struct.unpack(">I", h[o:o+4])[0] & 0x7fffffff) % 1000000
    return h

def get_totp_token(secret):
    return get_hotp_token(secret, intervals_no=int(time.time())//30)

It has two functions:

  • get_hotp_token() generates one-time token (that should invalidate after single use),
  • get_totp_token() generates token based on time (changed in 30-second intervals),

Parameters

When it comes to parameters:

  • secret is a secret value known to server (the above script) and client (Google Authenticator, by providing it as password within application),
  • intervals_no is the number incremeneted after each generation of the token (this should be probably resolved on the server by checking some finite number of integers after last successful one checked in the past)

How to use it

  1. Generate secret (it must be correct parameter for base64.b32decode()) – preferably 16-char (no = signs), as it surely worked for both script and Google Authenticator.
  2. Use get_hotp_token() if you want one-time passwords invalidated after each use. In Google Authenticator this type of passwords i mentioned as based on the counter. For checking it on the server you will need to check several values of intervals_no (as you have no quarantee that user did not generate the pass between the requests for some reason), but not less than the last working intervals_no value (thus you should probably store it somewhere).
  3. Use get_totp_token(), if you want a token working in 30-second intervals. You have to make sure both systems have correct time set (meaning that they both generate the same Unix timestamp in any given moment in time).
  4. Make sure to protect yourself from brute-force attack. If time-based password is used, then trying 1000000 values in less than 30 seconds gives 100% chance of guessing the password. In case of HMAC-based passowrds (HOTPs) it seems to be even worse.

Example

When using the following code for one-time HMAC-based password:

secret="MZXW633PN5XW6MZX"
for i in xrange(1, 10):
    print i, get_hotp_token(secret, intervals_no=i)

you will get the following result:

1 448400
2 656122
3 457125
4 35022
5 401553
6 581333
7 16329
8 529359
9 171710

which is corresponding to the tokens generated by the Google Authenticator app (except if shorter than 6 signs, app adds zeros to the beginning to reach a length of 6 chars).

More Related Contents:

  1. What are the risks of running ‘sudo pip’?
  2. Security of Python’s eval() on untrusted strings?
  3. Is distributing python source code in Docker secure?
  4. Python urllib2, basic HTTP authentication, and tr.im
  5. Salt and hash a password in Python
  6. Login credentials not working with Gmail SMTP
  7. Python urllib2 Basic Auth Problem
  8. Hiding a password in a python script (insecure obfuscation only)
  9. Change to sudo user within a python script
  10. Securely Erasing Password in Memory (Python)
  11. How to use pip on windows behind an authenticating proxy
  12. How to check if a user is logged in (how to properly use user.is_authenticated)?
  13. Python 3, Are there any known security holes in ast.literal_eval(node_or_string)?
  14. Forbidden (403) CSRF verification failed. Request aborted. Even using the {% csrf_token %}
  15. Authenticating against active directory using python + ldap
  16. How do you access an authenticated Google App Engine service from a (non-web) python client?
  17. Accepting email address as username in Django
  18. Django: signal when user logs in?
  19. Mark data as sensitive in python
  20. Login to website using python
  21. Is a SQLAlchemy query vulnerable to injection attacks?
  22. Python request with authentication (access_token)
  23. Create a temporary FIFO (named pipe) in Python?
  24. Securely storing passwords for use in python script [duplicate]
  25. Encrypted and secure docker containers
  26. What is a Pythonic way for Dependency Injection?
  27. Do CSRF attacks apply to API’s?
  28. What’s the purpose of Django setting ‘SECRET_KEY’?
  29. Python 3 – urllib, HTTP Error 407: Proxy Authentication Required
  30. Authentication with Azure Active Directory – how to accept user credentials programmatically

Leave a Comment