FMForums.com


Hi

I have become interested in a two step verification for my hosted FM database.

One option is to SMS a code and wait for the user to enter the correct code before allowing full access.

A better option is to use TOTP - Google verification. I have done lots of reading but I don't think I am clever enough to work out how to make the scripts / custom formula to turn the preshared secret and the UTC into the 6 digits that Google Authenticator generates.

 

Has anyone got this to work and would you be willing to share the math?

 

Thanks

 

John

 

I have not worked out using Google's authentication methods...but trying to build on security that is based on 3rd party tools can be...well...precarious.

Take a look at this to see if it's something that can work for you. I've not dug into it too much, but it's an option.

http://timdietrich.me/fmauthenticator/


Thanks Josh for the link.

The FMAuthenticator uses the SMS or email route. I may need to settle for this.

The TOTP route uses a 16-character preshared key. This is appended to the Unix universal time code (which I can calculate).

The whole thing is then encoded with SHA-1 (too tricky for me) and then truncated into six decimal digits.

 

Some pseudo FM code would be:

$sixdigits = Truncated (Decimal (SHA-1 encode (Padded to 160 bits ( $SIXTEENCHARACTERS & $UNIXTIMECODE))))

When you give Google Authenticator the preshared 16 characters, it uses the same formula to generate the $sixdigits.

 

The truncation means the code lasts for 30 seconds.

There are Python listings to do it, but the hex/digital/padding/truncating is quite heavy coding for me.

Thanks again for your suggestion.

 

John
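The calculation John is describing, written out as an added example (it is not code from this thread, from FMAuthenticator, or from Google). It implements TOTP as specified in RFC 6238: the shared secret is the key of an HMAC-SHA1 whose message is the 30-second time counter, and the 20-byte MAC is dynamically truncated to 6 decimal digits. The base32 decoding matches the 16-character key Google Authenticator accepts. The 20-byte key "12345678901234567890" and the expected codes used in the demonstration are the published RFC 4226/6238 test vectors; the verify() helper with its +/- one-step drift window is this example's own design choice.

```python
"""TOTP (RFC 6238) reference calculation: the arithmetic behind a 6-digit
Google Authenticator code, step by step.

Added example, not code from the thread or from FMAuthenticator.
"""
import base64
import hashlib
import hmac
import secrets
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1(secret, counter) -> dynamic truncation -> digits."""
    # The counter is an 8-byte big-endian integer and is the HMAC *message*;
    # the shared secret is the HMAC *key*. No padding of key||time is involved.
    msg = struct.pack(">Q", counter)
    mac = hmac.new(secret, msg, hashlib.sha1).digest()       # 20 bytes
    # Dynamic truncation: the low nibble of the last byte picks a 4-byte window.
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    # Reduce mod 10^digits and keep leading zeros ("081804" is a valid code).
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    # The 30-second lifetime comes from this integer division, before hashing.
    return hotp(secret, unix_time // step, digits)


def decode_base32_secret(key: str) -> bytes:
    """Turn the base32 (RFC 4648) key shown to the user into raw key bytes."""
    cleaned = key.replace(" ", "").replace("-", "").strip().upper()
    padded = cleaned + "=" * ((-len(cleaned)) % 8)
    return base64.b32decode(padded)


def new_secret(nbytes: int = 10) -> str:
    """Fresh random secret as the base32 string the user types into the app
    (10 bytes -> 16 base32 characters, the length John mentions)."""
    return base64.b32encode(secrets.token_bytes(nbytes)).decode("ascii")


def verify(secret: bytes, submitted: str, unix_time: int,
           step: int = 30, digits: int = 6, window: int = 1) -> bool:
    """Server-side check. Accepts the current step and +/- `window` adjacent
    steps to tolerate clock drift; compares in constant time. Rejecting a code
    that was already accepted (replay within the window) is left to the caller."""
    if not (submitted.isascii() and submitted.isdigit() and len(submitted) == digits):
        return False
    counter = unix_time // step
    ok = False
    for delta in range(-window, window + 1):
        expected = hotp(secret, counter + delta, digits)
        # No early return: every candidate is checked so timing stays uniform.
        ok |= hmac.compare_digest(expected, submitted)
    return ok


if __name__ == "__main__":
    # Key from the RFC 4226/6238 test vectors (ASCII "12345678901234567890").
    key_b32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
    key = decode_base32_secret(key_b32)
    print("TOTP at t=59:", totp(key, 59))            # RFC 6238 vector: 287082
    print("TOTP now:    ", totp(key, int(time.time())))
    print("fresh base32 secret:", new_secret())
```

Two practical points fall out of the code: the server's clock must be within a step or so of the phone's (hence the drift window), and the secret has to be stored where the FileMaker client cannot read it, because anyone holding the base32 string can run this same function.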

Here is a good link explaining what I need to do: http://jacob.jkrall.net/totp/

J

It may be that the method is good and secure...the issue comes with integration with FM. It is often possible to circumvent your "custom" security add-on and still gain access because FM has already authenticated the user to allow access.

Josh has noted a key issue. The so-called second authentication factor is not authentication, because it happens after access is granted to the file, not before as a precondition for that access.

Moreover, since it appears to rely on scripted processes, it is likely rather easily defeated. It is fairly trivial to bypass the opening script, so that process is not a good one.

Using External Server Accounts with an Active Directory Domain Controller can in many instances accomplish the two factor authentication that you seek.

Steven
