Class Otp

java.lang.Object
com.codename1.security.Otp

public final class Otp extends Object

Counter-based (HOTP, RFC 4226) and time-based (TOTP, RFC 6238) one-time password generators. Compatible with any standard authenticator app (Google Authenticator, Microsoft Authenticator, 1Password, etc.).

Generate a 6-digit Google-Authenticator-compatible code:

    byte[] secret = Base32.decode("JBSWY3DPEHPK3PXP"); // shared secret
    String code = Otp.totp(secret); // default 6 digits, 30 second step,
                                    // SHA-1, current time

Verify a code (allowing +/-1 step of clock skew):

    boolean ok = Otp.verifyTotp(secret, userInput, 1);
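
How the codes above are derived and what a tolerance of 1 accepts, as an added example that is not Codename One's implementation: it uses only the JDK (`javax.crypto`) and the test key from RFC 4226 and RFC 6238. The class name `TotpSketch`, the `verify` method and its `lastAcceptedStep` argument are hypothetical; the argument refuses a time step that was already accepted, which RFC 6238 requires of verifiers and which the `verifyTotp` signatures shown on this page do not take.

```java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;

// Added illustration (JDK only); names are hypothetical, not Codename One's code.
public class TotpSketch {
    private static final int[] POW10 = {1, 10, 100, 1000, 10000, 100000, 1000000, 10000000, 100000000};

    // RFC 4226: HMAC the 8-byte big-endian counter, dynamically truncate, reduce to `digits` decimals.
    static String hotp(byte[] secret, long counter, int digits, String hmacAlg) throws Exception {
        Mac mac = Mac.getInstance(hmacAlg);
        mac.init(new SecretKeySpec(secret, hmacAlg));
        byte[] h = mac.doFinal(ByteBuffer.allocate(8).putLong(counter).array());
        int off = h[h.length - 1] & 0x0f;               // low nibble of the last byte picks the offset
        int bin = ((h[off] & 0x7f) << 24) | ((h[off + 1] & 0xff) << 16)
                | ((h[off + 2] & 0xff) << 8) | (h[off + 3] & 0xff);
        String s = Integer.toString(bin % POW10[digits]);
        while (s.length() < digits) s = "0" + s;        // keep leading zeros
        return s;
    }

    // RFC 6238: TOTP is HOTP with counter = floor(unixSeconds / stepSeconds).
    // Returns the matched step or -1; steps <= lastAcceptedStep are refused so a code cannot be replayed.
    static long verify(byte[] secret, String code, int tolerance, long nowMillis,
                       int stepSeconds, int digits, long lastAcceptedStep) throws Exception {
        long current = nowMillis / 1000L / stepSeconds;
        byte[] given = code.getBytes(StandardCharsets.US_ASCII);
        long matched = -1;
        for (long step = current - tolerance; step <= current + tolerance; step++) {
            byte[] expected = hotp(secret, step, digits, "HmacSHA1").getBytes(StandardCharsets.US_ASCII);
            // MessageDigest.isEqual does not stop at the first differing byte
            if (MessageDigest.isEqual(expected, given) && step > lastAcceptedStep) matched = step;
        }
        return matched;
    }

    public static void main(String[] args) throws Exception {
        byte[] secret = "12345678901234567890".getBytes(StandardCharsets.US_ASCII); // RFC test key
        System.out.println(hotp(secret, 0, 6, "HmacSHA1"));       // RFC 4226 Appendix D, counter 0
        System.out.println(hotp(secret, 59 / 30, 8, "HmacSHA1")); // RFC 6238 Appendix B, T = 59 s
        String code = hotp(secret, 59_000L / 1000 / 30, 6, "HmacSHA1");
        long first = verify(secret, code, 1, 59_000L, 30, 6, -1);
        System.out.println("first use, matched step: " + first);
        System.out.println("replay, matched step:    " + verify(secret, code, 1, 59_000L, 30, 6, first));
    }
}
```

Store the returned step per user and pass it back on the next attempt, so a code observed once cannot be submitted again inside its window.
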
  • Method Summary

    Modifier and Type  Method
        Description

    static String  hotp(byte[] secret, long counter, int digits)
        Generates an HOTP code (RFC 4226) using SHA-1 and the given digit count.

    static String  hotp(byte[] secret, long counter, int digits, String hashAlgorithm)
        Generates an HOTP code with a configurable hash algorithm.

    static String  otpauthUri(String issuer, String accountName, byte[] secret)
        Convenience overload using the typical 6 digits / 30 seconds / SHA-1 settings most authenticator apps expect.

    static String  otpauthUri(String issuer, String accountName, byte[] secret, int digits, int stepSeconds, String hashAlgorithm)
        Builds the canonical otpauth://totp/... URI that authenticator apps (Google Authenticator, Microsoft Authenticator, 1Password, Authy, ...) consume when the user scans a QR code on your enrolment screen.

    static String  totp(byte[] secret)
        Generates a TOTP code (RFC 6238) for the current system time, using SHA-1, 6 digits and a 30-second step.

    static String  totp(byte[] secret, int digits, int stepSeconds)
        Generates a TOTP code for the current system time with a custom digit count and step size.

    static String  totp(byte[] secret, long currentTimeMillis, int stepSeconds, int digits, String hashAlgorithm)
        Generates a TOTP code with full control over all parameters.

    static boolean  verifyTotp(byte[] secret, String code, int tolerance)
        Verifies a TOTP code, allowing tolerance steps of clock skew on either side of now (so a tolerance of 1 will accept the previous, current and next code).

    static boolean  verifyTotp(byte[] secret, String code, int tolerance, long currentTimeMillis, int stepSeconds, int digits, String hashAlgorithm)
        Verifies a TOTP code with full parameter control.

    Methods inherited from class Object

    clone, equals, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
  • Method Details

    • hotp

      public static String hotp(byte[] secret, long counter, int digits)

      Generates an HOTP code (RFC 4226) using SHA-1 and the given digit count.

      Parameters
      • secret: the shared secret

      • counter: the moving factor -- caller is responsible for incrementing it after every successful authentication

      • digits: number of decimal digits in the output (typically 6, may be 6, 7 or 8)

    • hotp

      public static String hotp(byte[] secret, long counter, int digits, String hashAlgorithm)
      Generates an HOTP code with a configurable hash algorithm. Most authenticator apps assume SHA-1; only override if the issuer publishes a different algorithm parameter in its provisioning URI.
    • totp

      public static String totp(byte[] secret)
      Generates a TOTP code (RFC 6238) for the current system time, using SHA-1, 6 digits and a 30-second step.
    • totp

      public static String totp(byte[] secret, int digits, int stepSeconds)
      Generates a TOTP code for the current system time with a custom digit count and step size.
    • totp

      public static String totp(byte[] secret, long currentTimeMillis, int stepSeconds, int digits, String hashAlgorithm)

      Generates a TOTP code with full control over all parameters.

      Parameters
      • secret: shared secret

      • currentTimeMillis: timestamp to derive the code from

      • stepSeconds: window size -- 30 in the vast majority of deployments

      • digits: number of decimal digits in the output (typically 6 or 8)

      • hashAlgorithm: hash to use -- almost always Hash.SHA1

    • verifyTotp

      public static boolean verifyTotp(byte[] secret, String code, int tolerance)
      Verifies a TOTP code, allowing tolerance steps of clock skew on either side of now (so a tolerance of 1 will accept the previous, current and next code).
    • otpauthUri

      public static String otpauthUri(String issuer, String accountName, byte[] secret, int digits, int stepSeconds, String hashAlgorithm)

      Builds the canonical otpauth://totp/... URI that authenticator apps (Google Authenticator, Microsoft Authenticator, 1Password, Authy, ...) consume when the user scans a QR code on your enrolment screen. The format is documented at https://github.com/google/google-authenticator/wiki/Key-Uri-Format.

      Render the returned string as a QR code (server-side render, or a QR-generation cn1lib) and show it to the user; they scan it, the authenticator stores secret against the issuer:accountName label, and from then on it produces six-digit codes that match totp(byte[]) on your side using the same secret.

      Parameters
      • issuer: the human-readable service name shown in the authenticator ("Acme Bank"). Must not contain a :.

      • accountName: the user's identifier within your service ("alice@example.com"). Must not contain a :.

      • secret: shared secret (the bytes you also pass to totp(byte[])) -- encoded as Base32 in the URI per the spec.

      • digits: number of digits in each code (typically 6).

      • stepSeconds: time-step size, typically 30.

      • hashAlgorithm: hash, typically Hash.SHA1 for authenticator compatibility. SHA-256 and SHA-512 are accepted but not all authenticator apps support them.

    • otpauthUri

      public static String otpauthUri(String issuer, String accountName, byte[] secret)
      Convenience overload using the typical 6 digits / 30 seconds / SHA-1 settings most authenticator apps expect.
    • verifyTotp

      public static boolean verifyTotp(byte[] secret, String code, int tolerance, long currentTimeMillis, int stepSeconds, int digits, String hashAlgorithm)
      Verifies a TOTP code with full parameter control.
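
What the otpauthUri parameters described above turn into on the wire, as an added example that is not Codename One's implementation: a JDK-only builder that follows the Key URI Format (label `issuer:account`, then `secret`, `issuer`, `algorithm`, `digits`, `period`). The class and method names are hypothetical, the secret is a constructed sample, and the string the real `Otp.otpauthUri` returns may differ in parameter order or encoding.

```java
import java.net.URLEncoder;

// Added illustration (JDK only); class and method names are hypothetical, not Codename One's code.
public class OtpauthUriSketch {
    private static final String ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567";

    // RFC 4648 Base32 without '=' padding, the form the Key URI Format expects for `secret`.
    static String base32(byte[] data) {
        StringBuilder out = new StringBuilder();
        int buffer = 0, bits = 0;
        for (byte b : data) {
            buffer = (buffer << 8) | (b & 0xff);
            bits += 8;
            while (bits >= 5) {
                out.append(ALPHABET.charAt((buffer >> (bits - 5)) & 31));
                bits -= 5;
            }
        }
        if (bits > 0) out.append(ALPHABET.charAt((buffer << (5 - bits)) & 31));
        return out.toString();
    }

    // Percent-encode one component; URLEncoder emits '+' for a space, which label parsers may keep literally.
    static String enc(String s) throws Exception {
        return URLEncoder.encode(s, "UTF-8").replace("+", "%20");
    }

    static String otpauthUri(String issuer, String account, byte[] secret,
                             int digits, int period, String algorithm) throws Exception {
        // ':' is the issuer/account separator inside the label, so neither part may contain it.
        if (issuer.indexOf(':') >= 0 || account.indexOf(':') >= 0)
            throw new IllegalArgumentException("issuer and account must not contain ':'");
        return "otpauth://totp/" + enc(issuer) + ":" + enc(account)
                + "?secret=" + base32(secret) + "&issuer=" + enc(issuer)
                + "&algorithm=" + algorithm + "&digits=" + digits + "&period=" + period;
    }

    public static void main(String[] args) throws Exception {
        byte[] secret = {'H', 'e', 'l', 'l', 'o', '!', (byte) 0xDE, (byte) 0xAD, (byte) 0xBE, (byte) 0xEF}; // constructed
        System.out.println(otpauthUri("Acme Bank", "alice@example.com", secret, 6, 30, "SHA1"));
        try {
            otpauthUri("Acme:Bank", "alice@example.com", secret, 6, 30, "SHA1");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The URI carries the Base32 secret in clear, so treat the string and the rendered QR image like the secret itself: keep them out of logs, analytics and third-party QR rendering services.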