I am trying to create a web app that is using a two-factor authenticator using the Google Authenticator, so my question is, is there an API for Google Authenticator?
Is there a Google authenticator API
Asked by Jama Mohamed

The Google Authenticator app is simply an implementation of the Time-based One-time Passwords spec. See RFC 6238.
The algo takes the system time and a secret key to generate a token. The QR code communicates the secret key entropy and a helpful label for which service it's for, in a simple way to the end user.
The QR code is just a URL scheme which can be looked up. Do not use an online QR code generator, for hopefully obvious reasons.
It's best to use the above to read up on how you can implement this yourself, since no one on a QA site can recommend an API or SDK.
Trust no one.
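
The algorithm described in the answer above, as an added example that is not part of the original answers: a standard-library Python sketch of RFC 6238 token generation, server-side verification, and the `otpauth://` URI that the QR code encodes. The function names, the one-step drift window and the `last_used` replay check are assumptions of this example.

```python
import base64, hashlib, hmac, secrets, struct, time
from urllib.parse import quote, urlencode

def new_secret(nbytes=20):
    """Random shared secret, Base32-encoded as authenticator apps expect."""
    return base64.b32encode(secrets.token_bytes(nbytes)).decode("ascii")

def totp(secret_b32, at=None, step=30, digits=6):
    """RFC 6238 token: HOTP (RFC 4226) over the 30-second time-step counter."""
    key = base64.b32decode(secret_b32.upper())
    counter = int(time.time() if at is None else at) // step
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation: low nibble picks 4 bytes
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def verify(secret_b32, submitted, at=None, step=30, window=1, last_used=-1):
    """Return the matched time-step counter, or None if the code is rejected.

    window    -- steps of clock drift tolerated either side (assumed: 1)
    last_used -- counter of the last accepted code for this user; the caller
                 stores the returned counter so a code cannot be replayed.
    """
    current = int(time.time() if at is None else at) // step
    for drift in range(-window, window + 1):
        counter = current + drift
        if counter <= last_used:  # already used (or before the epoch)
            continue
        expected = totp(secret_b32, at=counter * step, step=step)
        # Constant-time comparison avoids leaking matching digits via timing.
        if hmac.compare_digest(expected.encode(), submitted.encode()):
            return counter
    return None

def provisioning_uri(secret_b32, account, issuer):
    """The otpauth:// URI that the enrolment QR code encodes."""
    label = quote(issuer) + ":" + quote(account)
    query = urlencode({"secret": secret_b32, "issuer": issuer})
    return f"otpauth://totp/{label}?{query}"

if __name__ == "__main__":
    secret = new_secret()  # generate and keep server-side, per user
    print(provisioning_uri(secret, "User1", "HomeCorp"))
    print("current code:", totp(secret))
```

Render the printed URI as a QR code locally rather than through an online generator, since the URI contains the secret.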

This one is not free (freemium!)
- Generate a "secret" code on behalf of your user:
```python
import http.client

# Request a new secret from the hosted service
conn = http.client.HTTPSConnection("otp-authenticator.p.rapidapi.com")
headers = {
    'X-RapidAPI-Key': "KEY_GOES_HERE",
    'X-RapidAPI-Host': "otp-authenticator.p.rapidapi.com"
}
conn.request("POST", "/new_v2/", headers=headers)
res = conn.getresponse()
data = res.read()  # response body (bytes)
```
Server will return you a secret code (e.g. IH225HMVWDS3XJVY). Keep it.
- Generate QR codes for your users:
```python
import http.client

# Send the secret plus account/issuer labels to the enrolment endpoint
conn = http.client.HTTPSConnection("otp-authenticator.p.rapidapi.com")
payload = "secret=IH225HMVWDS3XJVY&account=User1&issuer=HomeCorp"
headers = {
    'content-type': "application/x-www-form-urlencoded",
    'X-RapidAPI-Key': "KEY_GOES_HERE",
    'X-RapidAPI-Host': "otp-authenticator.p.rapidapi.com"
}
conn.request("POST", "/enroll/", payload, headers)
res = conn.getresponse()
data = res.read()  # response body (bytes)
```
Server will return a URL. Pull its PNG data and you get a QR code. Scan it with Google Authenticator app and you'll see TOTPs being generated every 30 seconds.
- Now validate TOTPs:
```python
import http.client

# Submit the secret and the code the user typed in for validation
conn = http.client.HTTPSConnection("otp-authenticator.p.rapidapi.com")
payload = "secret=IH225HMVWDS3XJVY&code=425079"
headers = {
    'content-type': "application/x-www-form-urlencoded",
    'X-RapidAPI-Key': "KEY_GOES_HERE",
    'X-RapidAPI-Host': "otp-authenticator.p.rapidapi.com"
}
conn.request("POST", "/validate/", payload, headers)
res = conn.getresponse()
data = res.read()  # response body (bytes)
```
That's in Python (http.client lib), but the platform (RapidAPI) generates code snippets in most popular programming languages/libs like Java, PHP and others - quite handy.

Worth mentioning that this npm package - otp lib, contains a decent implementation + it has a very nice demo website.
With lots of weekly downloads and very clear documentation, I say it's a great place to start. In a nutshell:
So.. first step should be handled in server-side (to properly manage secret)
On your app, you may generate the QR code using the same library
The second phase is to actually build an input in your sign in page (to fetch token) and probably send it over to your backend again.
And the third part would be as simple as this: