Two-Step verification
Everyone should be familiar with two-step verification by now. Apple, for example, has its own two-step verification scheme, introduced because attackers who steal an account password can lock the phone and demand a ransom; this is not uncommon, so Apple recommends that you turn two-step verification on.
Google Authenticator is also commonly used for two-step verification at login, and Apple's scheme works the same way. Google's is simply used more broadly; GitHub's two-step verification, for instance, is based on Google Authenticator.
About Google Authenticator
Google Authenticator is a software token for two-step verification built on a time- and hash-based one-time password algorithm. The user installs the mobile app (Authenticator) and binds it to the website; after the website has verified the user name and password, it also checks the 6-digit code currently shown in the app. If the code matches, the login succeeds; otherwise it fails.
Using Google Authenticator
Let's take a look at how GitHub uses Google Authenticator to turn on two-step verification.
By default GitHub has no two-step verification enabled; click the Settings button to set it up.
GitHub offers two-step verification either through an app (Google Authenticator) or through SMS verification codes; we choose the first, Google Authenticator.
After choosing the first mode, GitHub displays a set of recovery codes to use when the authenticator app is unavailable in an emergency. Save them, then click Next.
This is the key for the authenticator: download Google's Authenticator app, then scan the QR code to bind it.
After binding, the app's GitHub entry shows a 6-digit verification code; enter it into the box above.
As shown, two-step verification has been successfully turned on.
Next we log out of GitHub and log in again. The page now prompts for the Google Authenticator verification code, and if the app is not working you can log in at the bottom of the page with one of the previously saved recovery codes.
That covers how Google Authenticator is used. But how does it work, and how can our own website or app integrate with it? Let's unravel the puzzle.
Google Authenticator Workflow
In fact, Google Authenticator uses the TOTP algorithm (Time-based One-Time Password), whose core content consists of the following three points.
1. Security key
This is the secret key agreed between the client and the server. It is the same key that is bound into the phone app (by scanning the QR code or entering the key by hand) and that is required to verify every code, so it must be unique per user. The key is generated by a cryptographic algorithm and finally Base32-encoded.
2. Verification time
Google chose 30 seconds as the time slice: the counter T is the number of 30-second intervals elapsed since the Unix epoch (January 1, 1970 00:00:00), which is why the verification code in Google Authenticator refreshes every 30 seconds.
For a more detailed explanation of the principle, see:
https://blog.seetee.me/post/2011/google-two-step-verification/
3. Signature Algorithm
Google uses the HMAC-SHA1 algorithm. HMAC stands for Hash-based Message Authentication Code: it takes a key and a message as input and produces a message digest as output, with SHA1 as the underlying hash function.
HMAC is used because only the user (and the server) knows the correct key, so the output is unique to that key. The algorithm can be expressed in simplified form as:
HMAC = SHA1(secret + SHA1(secret + input))
(The real HMAC construction XORs the key with the fixed ipad and opad constants before each hash, but the nested structure above is the idea.)
In fact, TOTP is a superset of HOTP (HMAC-based One-Time Password): TOTP takes the current time as the input, whereas HOTP takes a self-incrementing counter, which must be kept synchronized between the two sides.
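To make the three points concrete, here is an added example (my own code, not the article's GoogleAuthenticator class): a complete TOTP in plain Java with no third-party library, which decodes the Base32 secret, computes HMAC-SHA1 over the 30-second counter, truncates to 6 digits, and verifies a code with a one-slice window either side. The secret in main is the RFC 4226/6238 test value, constructed here for the demo.

```java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.nio.ByteBuffer;
import java.security.GeneralSecurityException;

/** Added example, not the article's GoogleAuthenticator class: TOTP per RFC 6238 (HMAC-SHA1, 30 s, 6 digits). */
public class TotpExample {
    private static final String ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567";
    private static final long STEP_SECONDS = 30;  // Google's time slice

    // Decode the Base32 (RFC 4648) secret carried by the QR code or typed in by hand.
    static byte[] base32Decode(String s) {
        s = s.replace("=", "").replace(" ", "").toUpperCase();
        ByteBuffer out = ByteBuffer.allocate(s.length() * 5 / 8);
        int buffer = 0, bits = 0;
        for (char c : s.toCharArray()) {
            int v = ALPHABET.indexOf(c);
            if (v < 0) throw new IllegalArgumentException("bad Base32 char: " + c);
            buffer = (buffer << 5) | v;
            bits += 5;
            // emit one byte as soon as 8 bits have accumulated, keep the leftover bits
            if (bits >= 8) { bits -= 8; out.put((byte) (buffer >> bits)); buffer &= (1 << bits) - 1; }
        }
        return out.array();
    }

    // HOTP(K, C) from RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation.
    static int hotp(byte[] key, long counter) throws GeneralSecurityException {
        Mac mac = Mac.getInstance("HmacSHA1");
        mac.init(new SecretKeySpec(key, "HmacSHA1"));
        byte[] h = mac.doFinal(ByteBuffer.allocate(8).putLong(counter).array());
        int offset = h[h.length - 1] & 0x0F;
        int binary = ((h[offset] & 0x7F) << 24) | ((h[offset + 1] & 0xFF) << 16)
                   | ((h[offset + 2] & 0xFF) << 8) | (h[offset + 3] & 0xFF);
        return binary % 1_000_000;   // 6 digits; display with %06d to keep leading zeros
    }

    // TOTP = HOTP(K, floor(unixSeconds / 30)). The server accepts the current slice plus one on either
    // side, so a phone whose clock drifts by a few seconds is not locked out; anything older is rejected.
    static boolean verify(String base32Secret, int code, long unixSeconds) throws GeneralSecurityException {
        byte[] key = base32Decode(base32Secret);
        for (long drift = -1; drift <= 1; drift++)
            if (hotp(key, unixSeconds / STEP_SECONDS + drift) == code) return true;
        return false;
    }

    public static void main(String[] args) throws GeneralSecurityException {
        String secret = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"; // constructed: RFC test secret "12345678901234567890"
        int code = hotp(base32Decode(secret), 59 / STEP_SECONDS);
        System.out.printf("code at T=59: %06d, equals RFC 6238 SHA-1 vector 287082: %b%n", code, code == 287082);
        System.out.println("accepted at T=59: " + verify(secret, code, 59)
                + ", accepted five minutes later: " + verify(secret, code, 59 + 300));
    }
}
```

The comparison in verify is on a 6-digit integer, so a production server should additionally rate-limit attempts and remember the last accepted counter per user so the same code cannot be replayed within its window.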
Google Authenticator in Practice
Knowing the above principle, we can put it into practice.
import org.junit.Test;  // JUnit 4 annotation used by the test methods below (assumed)

/**
 * WeChat official account: Java技术栈
 */
public class AuthTest {

    @Test
    public void genSecretTest() {
        // Generate a Base32 secret and the URL of the QR code that binds it in the app
        String secret = GoogleAuthenticator.generateSecretKey();
        String qrcode = GoogleAuthenticator.getQRBarcodeURL("Java技术栈", "javastack.cn", secret);
        System.out.println("二维码地址:" + qrcode);
        System.out.println("密钥:" + secret);
    }

    @Test
    public void verifyTest() {
        // Check a code shown by the app against the stored secret
        String secret = "ZJTAQGLVOZ7ATWH2";
        long code = 956235;
        GoogleAuthenticator ga = new GoogleAuthenticator();
        boolean r = ga.verifCode(secret, code);
        System.out.println("是否正确:" + r);
    }
}
The first method generates a secret key and the URL of the QR code that is scanned to bind it.
The second method validates a verification code against the secret key.
The source code of the GoogleAuthenticator class is not included here; its logic is available at the reference below:
http://awtqty-zhang.iteye.com/blog/1986275
If you found this useful, feel free to share it; you can also leave a message with your questions and views.
Two-step verification killer: Java access to Google Authenticator in practice