Updated README

silenteh 2017-04-08 09:52:55 +02:00
parent 9cd7848ac8
commit 70189459df


@ -32,25 +32,25 @@ This package implements the RFC 6238 OATH-TOTP algorithm;
### Storing Keys
> **The key is created using Golang crypto random function. It's a secret key and therefore**
> it needs to be protected against unauthorized access. The key cannot be leaked, otherwise the security is completely compromised.
> The key is created using Golang crypto random function. It's a **secret key** and therefore
> it needs to be **protected against unauthorized access**. The key cannot be leaked, otherwise the security is completely compromised.
> The key is presented to the user in a form of QR Code. Once scanned the key should never be revealed again.
> In addition when the QR cide is shared with the client for scanning, the connection used must be secured.
> In addition when the QR code is shared with the client for scanning, the connection used must be secured (HTTPS).
The `totp` struct can be easily serialized using the `ToBytes()` function.
The bytes can then be stored on a persistent layer. The bytes are encrypted using `cryptoengine` library (NaCl)
The bytes can then be stored on a persistent layer (database for example). The bytes are encrypted using `cryptoengine` library (NaCl)
You can then retrieve the object back with the function: `TOTPFromBytes`
> You can transfer the bytes securely via a network connection because they are encrypted and authenticated.
> You can transfer the bytes securely via a network connection (Ex. if the database is in a different server) because they are encrypted and authenticated.
The struct needs to be stored in a persistent layer becase its values, like last token verification time,
max user authentication failures, etc.. needs to be preserved.
max user authentication failures, etc.. need to be preserved.
The secret key needs to be preserved too, between the user accound and the user device.
The secret key is used to derive tokens.
The secret key is in fact used to derive tokens.
### Upcoming features
* Securely store the secret keys in the persistent layer and allow secure transfer on the network
* Generation of recovery tokens.
* Integration with Twilio for sending the token via SMS, in case the user loses its entry in the Google authenticator app.
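Review bot: the unchanged context lines of this hunk still carry typos that the commit leaves in place ("becase its values", "user accound", "etc..", "loses its entry"); since the hunk already corrects "cide" to "code" and "needs" to "need", fix these in the same pass, e.g. "because its values, like last token verification time, max user authentication failures, etc., need to be preserved." and "between the user account and the user device". The edited sentence "The bytes are encrypted using `cryptoengine` library (NaCl)" also ends without a period and reads better as "The bytes are encrypted using the `cryptoengine` library (NaCl)." Separately, the "Upcoming features" bullet "Securely store the secret keys in the persistent layer and allow secure transfer on the network" now contradicts the paragraph above it, which states that the serialized bytes are already encrypted and authenticated and can be transferred over the network; either drop that bullet or reword it to say what is still pending.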
@ -103,7 +103,7 @@ import github.com/sec51/twofactor
* [RFC 6238 - *TOTP: Time-Based One-Time Password Algorithm*](https://tools.ietf.org/rfc/rfc6238.txt)
* The [Key URI Format](https://code.google.com/p/google-authenticator/wiki/KeyUriFormat)
* The [Key URI Format](https://github.com/google/google-authenticator/wiki/Key-Uri-Format)
### Author
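Review bot: the link change from the retired code.google.com wiki to the github.com/google/google-authenticator wiki is the right fix. While this section is being touched, the context line shown in the hunk header, `import github.com/sec51/twofactor`, is not valid Go syntax: the import path must be quoted, as in `import "github.com/sec51/twofactor"`, so if the README presents that line as a code snippet it is worth correcting in the same commit.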