wstrange / GoogleAuth

Google Authenticator Server side code

Strange results

baruchhiz opened this issue · comments

Hey,
I used the code as is; my main is:

import com.warrenstrange.googleauth.GoogleAuthenticator;
import com.warrenstrange.googleauth.GoogleAuthenticatorConfig.GoogleAuthenticatorConfigBuilder;
import com.warrenstrange.googleauth.GoogleAuthenticatorKey;

GoogleAuthenticatorConfigBuilder gacb = new GoogleAuthenticatorConfigBuilder(); // defaults: 30-second time step, 6 digits
GoogleAuthenticator gAuth = new GoogleAuthenticator(gacb.build());
final GoogleAuthenticatorKey key = gAuth.createCredentials();                 // fresh secret plus its verification code

// authorize(secret, code) compares the code against the time windows around "now"
boolean isCodeValid = gAuth.authorize(key.getKey(), key.getVerificationCode());

isCodeValid = false. Why?
Changing setWindowSize(1000000) causes it to return true, but calling gAuth.authorize(key.getKey(), key.getVerificationCode() + 1) also returns true!!!

Thanks,
Baruch

I strongly suggest you read about TOTP: understanding what it is and how it works is necessary to use this library correctly. The verification code basically is the TOTP password at time 0.

Dear Enrico,
I saw in your pdf that
The verification code (verificationCode). The verification code is an optional feature which is not used by some clients such as Google Authenticator.

Please can you explain how to change this time?
I thought that the 30 seconds is the default.
And I still don't understand why changing the setWindowSize(1000000) returns true and giving the original verification code + 1 still returns true.

Your kind help would be appreciated.

Thanks,
Baruch

Baruch Hizkiya | Cross-Organization Projects Manager, CTO
Migdal Technologies, Headquarters and CTO Division, CTO

Tel. 076.8868882
baruch@migdal.co.il, migdal.co.il

Migdal Insurance Company Ltd.

From: Enrico Maria Crisostomo [mailto:notifications@github.com]
Sent: Monday, May 16, 2016 8:10 PM
To: wstrange/GoogleAuth
Cc: Baruch Hizkiya; Author
Subject: Re: [wstrange/GoogleAuth] Strange results (#38)

I strongly suggest you read about TOTP: understanding what it is and how it works is necessary to use this library correctly. The verification code basically is the TOTP password at time 0.


You are receiving this because you authored the thread.
Reply to this email directly or view it on GitHub: https://github.com/wstrange/GoogleAuth/issues/38#issuecomment-219483683

Hi @baruchhiz, I think there is a bit of confusion:

  • The validation code is the TOTP password at time 0: nothing more than that.
  • 30 seconds is the window size: you can change it using a custom configuration (GoogleAuthenticatorConfig) but beware the value you use must be the same value used by your client devices.

The reason why you're seeing that behaviour is that every n seconds, where n is the window size, a new TOTP password is generated. If you use the default 6-digit password you have 10^6 = 1,000,000 different values (from 0 to 999,999). Validating a password using windowSize = 1_000_000 basically means checking that a TOTP password was generated in the time interval centred on the current instant and whose size is 1_000_000 time windows. That is to say: check if any of 1,000,000 consecutive TOTP passwords (starting from a specific point in time, but it's irrelevant for this discussion) has the value you specify. Since you're picking from a set whose size is 1,000,000, the odds are really high.

Hey Enrico,

10x a lot for your answer!!!
How can I generate a password for the client and pass it to the server?
If I understand, the password is created at time 0 and now I call auth(). Should I call it with time 0 in order for it to work?
I don't have any tokens / client device.
My flow is:
the server creates the verification code,
SMSes it to the client,
the client sends it back,
the server checks it again.

Thanks,
Baruch

Hi @baruchhiz,

Ok, I understand your use case. You can do the following:

  • Pass the validation code to the client.
  • Validate the validation code using the authorize(String, int, long) method where the last parameter is 0 (as I explained, the validation code is the password at time 0).

No need to fiddle with any other parameters, you can leave everything as is.

Hi Enrico,

I thought of doing that, but the problem is that the method always returns true, without taking into account the 30-second default after which the password should be changed and become false.

Thanks,
Baruch

Hi @baruchhiz,

I'm afraid that's the misunderstanding. "Time" in that context is absolute: so, when you say "at time 0" you mean a specific instant in time. After 30 seconds, 30 days, or 30 years, nothing will change: the validation code will always be valid at time 0.

I guess what you're trying to do is to create on the server a TOTP password for a client to send back to you. The validation code can work, but it won't expire. If that's what you want, you're not getting it right with this library because it does not export the methods to create TOTP passwords, just to validate them.

Another thing: if that's what you want, I suggest you open another issue asking for that feature to be published through the library API. It won't happen today, but it'd be quick.
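To make the two points in Enrico's replies concrete (the window-size explanation earlier in the thread, and "time 0" being an absolute instant that never expires), here is an added example; it is not code from the GoogleAuth library or from either participant. It is a from-scratch RFC 6238 TOTP in Python using Google Authenticator's parameters (base32 secret, HMAC-SHA1, 30-second time step, 6 digits), with a verifier that checks `window_size` consecutive time steps centred on the supplied time, modelled on how the thread describes windowSize. The 30-second time step and the window count are treated as separate parameters. The function names are this example's own; the secret is the published RFC 4226/6238 test secret, chosen only so the expected codes are known. The last function shows what the SMS flow described in the thread needs instead: a code generated for the current time, not time 0, checked later with a small window so that it does expire.

```python
"""
RFC 6238 TOTP with Google Authenticator's parameters (base32 secret, HMAC-SHA1,
30-second time step, 6 digits) and a window-based verifier.  Added example for
this thread; it is not code from the GoogleAuth library or from either poster.
"""
import base64
import hashlib
import hmac
import struct
import time

TIME_STEP_SECONDS = 30   # time step, as in Google Authenticator
DIGITS = 6

# The RFC 4226 / RFC 6238 test secret ("12345678901234567890", base32-encoded),
# used so the expected codes are known.  A real deployment generates a random
# secret per user and never uses a published one.
RFC_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def hotp(secret_b32: str, counter: int, digits: int = DIGITS) -> int:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    key = base64.b32decode(secret_b32, casefold=True)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return truncated % (10 ** digits)


def totp_at(secret_b32: str, unix_seconds: int) -> int:
    """TOTP (RFC 6238): HOTP with counter = floor(unix_seconds / time step)."""
    return hotp(secret_b32, unix_seconds // TIME_STEP_SECONDS)


def verification_code(secret_b32: str) -> int:
    """The thread's 'verification code': the TOTP at absolute time 0, i.e. counter 0."""
    return totp_at(secret_b32, 0)


def verify(secret_b32: str, code: int, unix_seconds: int, window_size: int = 3) -> bool:
    """Accept `code` if it matches the TOTP of any of `window_size` consecutive time
    steps centred on `unix_seconds` (steps c-(w-1)//2 .. c+w//2), the span the
    thread's windowSize denotes.  Every step is compared, in constant time, so
    the run time does not reveal which step matched."""
    centre = unix_seconds // TIME_STEP_SECONDS
    first = max(0, centre - (window_size - 1) // 2)   # counters cannot be negative
    last = centre + window_size // 2
    expected = str(code).zfill(DIGITS)
    matched = False
    for step in range(first, last + 1):
        matched |= hmac.compare_digest(str(hotp(secret_b32, step)).zfill(DIGITS), expected)
    return matched


def false_accept_probability(window_size: int, digits: int = DIGITS) -> float:
    """Chance that a code unrelated to the secret matches at least one of `window_size`
    steps, treating each step's code as uniform: 1 - (1 - 10^-digits) ** window_size."""
    return 1.0 - (1.0 - 10.0 ** -digits) ** window_size


def issue_and_check_sms_code(secret_b32: str, issued_at: int, checked_at: int,
                             window_size: int = 3) -> bool:
    """The SMS flow the thread asks for: the server generates the TOTP for *now*
    (not for time 0), texts it, and later checks what the client echoes back against
    a small window, so the code stops being accepted once the clock moves on."""
    code_sent = totp_at(secret_b32, issued_at)
    return verify(secret_b32, code_sent, checked_at, window_size)


if __name__ == "__main__":
    now = int(time.time())
    vc = verification_code(RFC_SECRET)
    print("verification code (TOTP at time 0):", str(vc).zfill(DIGITS))
    print("valid when checked at time 0, whatever the clock says:", verify(RFC_SECRET, vc, 0))
    print("valid when checked at the current time, window 3:", verify(RFC_SECRET, vc, now))
    print("false-accept probability, window 1,000,000: %.3f" % false_accept_probability(1_000_000))
    print("SMS code checked 30 s later, window 3:", issue_and_check_sms_code(RFC_SECRET, now, now + 30))
    print("SMS code checked 10 min later, window 3:", issue_and_check_sms_code(RFC_SECRET, now, now + 600))
```

With a window of 1,000,000 steps and six digits, a code unrelated to the secret is accepted with probability 1 - (1 - 10^-6)^(10^6), about 63 %, which is why the original code + 1 is likely to pass as well; with a window of a few steps it is a few in a million. Checking the verification code at time 0 succeeds at any wall-clock time, so it cannot serve as an expiring one-time code, whereas a code issued for the current time and checked with a small window is rejected once the clock has moved past the window.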

Whoo, great!!! 10x a lot. I'm opening it now…

Thanks,
Baruch

Hey, I opened it: #39

Thanks,
Baruch

Hey,

Whoa!!! That's fast!!!!!!!!
It works!
I really appreciate it.

Thanks,
Baruch

Glad to help, @baruchhiz. I guess this will be useful for other users too.