
Google Authenticator two step verification


backsmith

This topic is 3109 days old. Please don't post here. Open a new topic instead.

Recommended Posts

Hi

I have become interested in a two step verification for my hosted FM database.

One option is to SMS a code and wait for the user to enter the correct code before allowing full access.

A better option is to use TOTP (Google verification). I have done lots of reading but I don't think I am clever enough to work out how to make the scripts / custom formula to turn the preshared secret and the UTC into the 6 digits that Google Authenticator generates.

 

Has anyone got this to work and would you be willing to share the math?

 

Thanks

 

John

 

Link to comment
Share on other sites

I have not worked out using Google's authentication methods...but trying to build on security that is based on 3rd party tools can be...well...precarious.

Take a look at this to see if it's something that can work for you. I've not dug into it too much, but it's an option.

http://timdietrich.me/fmauthenticator/

Link to comment
Share on other sites

Thanks Josh for the link.

The FMAUTHENTICATOR uses the SMS or email route.  I may need to settle for this.

The TOTP route uses a 16 character preshared key.  This is appended to the unix universal time code (which I can calculate).

The whole thing is then encoded with SHA-1 (too tricky for me)

and then truncated into six decimal digits.

 

Some pseudo FM code would be:

$sixdigits = Truncated (Decimal (SHA-1 encode (Padded to 160 bits ( $SIXTEENCHARACTERS & $UNIXTIMECODE))))

When you give Google authenticator the preshared 16 characters it uses the same formula to generate the $sixdigits.

 

The truncation means the code lasts for 30 seconds. 

There are python listings to do it but the hex/digital/padding/truncating is quite heavy coding for me.

Thanks again for your suggestion.

 

John

Here is a good link  http://jacob.jkrall.net/totp/

explaining what I need to do.

J

Link to comment
Share on other sites

It may be that the method is good and secure...the issue comes with integration with FM. It is often possible to circumvent your "custom" security add-on and still gain access because FM has authenticated the user to allow access.

Link to comment
Share on other sites

Josh has noted a key issue.  The so-called 2nd authentication factor is not authentication because it happens after access is granted to the file, not before as a precondition for that access.

Moreover, since it appears to rely on scripted processes, it likely is rather easily defeated.  It is fairly trivial to bypass the opening script, so that process is not a good one.

Using External Server Accounts with an Active Directory Domain Controller can in many instances accomplish the two factor authentication that you seek.

Steven

Link to comment
Share on other sites
