Two-factor offline-based authentication: how will you implement it?

Sajidur Rahman
3 min read · May 24, 2023


Two-factor authentication is gaining popularity. A lot of web applications are implementing it for extra security.

Scenario and problem: suppose you work in a corporation with thousands of field officers who access your web portal from the office. Their office phones have no internet, they have no email addresses, and you want to protect web access with two-factor authentication. And, as you already know, sending an SMS for every authentication is expensive.

So here is the process you can consider for authentication.

It looks like an old approach, but it fits where internet access is limited, where you have limited access to your mail server, or where you do not want to bear the SMS cost.

Time-based One-Time Passwords

How does the TOTP-based method work?

With the TOTP method, the one-time password is created on the user side (instead of the server side) by a smartphone application.

This means that users always have access to their one-time password, so the server does not need to send a text message every time a user tries to log in.

Also, the generated password changes after a certain time interval, so it behaves like a one-time password.

Process?

  1. The backend server creates a secret key for that particular user and shares it with the user's phone application by whatever method you choose (a QR code or another channel).
  2. The phone application initializes a counter.
  3. The phone application generates a one-time password from the secret key and the counter.
  4. The user enters this password in the web application.
  5. The server validates the one-time password.
  6. The phone application changes the counter after a certain interval and regenerates the one-time password, which is what makes it dynamic.

So how will you generate the one-time password? And of course it should be 6 or 8 digits; otherwise the user will get tired of typing it.

The solution is the HOTP/TOTP algorithm; you can check the specification document (RFC 4226 for HOTP, RFC 6238 for TOTP) for the details.

Here below, I am implementing this algorithm in C# (ASP.NET):

    using System;
    using System.Security.Cryptography;
    using System.Text;

    public static class Otp
    {
        private const int Digits = 6; // Length of the code the user types (6 or 8)

        public static string GenerateHOTP(string secretKey, long counter)
        {
            byte[] counterBytes = BitConverter.GetBytes(counter);
            if (BitConverter.IsLittleEndian)
                Array.Reverse(counterBytes); // HMAC input is the 8-byte counter in big-endian order

            byte[] keyBytes = Encoding.ASCII.GetBytes(secretKey);

            using (HMACSHA1 hmac = new HMACSHA1(keyBytes))
            {
                byte[] hash = hmac.ComputeHash(counterBytes);
                int offset = hash[hash.Length - 1] & 0x0F; // Low nibble of the last byte selects the offset

                // Dynamic truncation: take 31 bits from the 4 bytes starting at the offset
                int binaryCode = ((hash[offset] & 0x7F) << 24) |
                                 ((hash[offset + 1] & 0xFF) << 16) |
                                 ((hash[offset + 2] & 0xFF) << 8) |
                                 (hash[offset + 3] & 0xFF);

                int otp = binaryCode % (int)Math.Pow(10, Digits); // Reduce to the desired number of digits
                return otp.ToString().PadLeft(Digits, '0');      // Pad with leading zeros if necessary
            }
        }
    }

You can also implement the same algorithm in Java for your Android app.

And here is the validator (it belongs in the same class as the generator):

    public static bool Validate(string secretKey, long counter, string userOTP)
    {
        string expectedOTP = GenerateHOTP(secretKey, counter);

        // Note: a plain == comparison leaks timing information and this check accepts a
        // code as many times as it is presented; a production validator should use a
        // fixed-time comparison and refuse any counter that has already been accepted.
        bool isValid = expectedOTP == userOTP;

        if (isValid)
        {
            // Password is valid, proceed with login
            Console.WriteLine("Login successful!");
        }
        else
        {
            // Password is invalid, deny access
            Console.WriteLine("Invalid one-time password. Access denied.");
        }
        return isValid;
    }
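To show the whole process above end to end (secret creation, the time-based counter from step 6, and a server-side validator that tolerates clock drift and refuses replays), here is an added Python example that is not part of the original post. It follows RFC 4226/6238 with HMAC-SHA1, assumes a 30-second time step (the post does not fix an interval), and treats the secret as raw bytes, as the post's ASCII-keyed C# code does.

```python
import hashlib
import hmac
import secrets
import struct

DIGITS = 6
STEP_SECONDS = 30  # assumed time step; the post leaves the interval open


def new_secret(length: int = 20) -> bytes:
    """Step 1: the server generates a random per-user secret (20 bytes for SHA-1)."""
    return secrets.token_bytes(length)


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation to 31 bits, then reduce to `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = STEP_SECONDS, digits: int = DIGITS) -> str:
    """TOTP (RFC 6238): the counter is the number of whole time steps elapsed."""
    return hotp(secret, unix_time // step, digits)


def validate_totp(secret: bytes, user_otp: str, unix_time: int, last_accepted: int = -1,
                  window: int = 1, step: int = STEP_SECONDS, digits: int = DIGITS):
    """Server-side check. Returns the counter that matched, or None.
    - accepts the current step and `window` steps either side (phone clock drift)
    - refuses any counter <= last_accepted, so an intercepted code cannot be replayed
    - compares in constant time so the check does not leak how many digits matched"""
    if len(user_otp) != digits or not user_otp.isdigit():
        return None
    current = unix_time // step
    for counter in range(current - window, current + window + 1):
        if counter <= last_accepted:
            continue
        if hmac.compare_digest(hotp(secret, counter, digits), user_otp):
            return counter  # caller must persist this as the new last_accepted
    return None
```

The test values below are the published RFC 4226/6238 vectors for the secret "12345678901234567890", so the implementation can be checked against the specification before a phone app is involved.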

Happy coding….
