Home > Mobile >  Prevent pin reuse in google authenticator
Prevent pin reuse in google authenticator

Time:08-25

I'm using google authenticator in c#, ran into an issue where it lets me use the same pin even after it has expired. This actually makes sense, as all its doing is encrypting a string, then the user scans the qr code, and the phone app generates a pin to decrypt the string. If I use the same encryption key every time, then any previously generated pin will still decrypt this. Is there any way to make the c# code force a new pin? I suppose unless I store all previously used pins, there is now way for the google dll to know whether its a new pin. I don't want to make the user scan the qr code every time, just enter the generated pin.

Thanks

CodePudding user response:

There is no encryption or decryption. "Google authenticator" is just totp, with an identity and secret encoded in a url, presented in a QR code.

Totp is not a one-time-use code, it's a code that is valid for a period of time. Relying on both parties to agree on the current time and a secret.

The implementation is just a hash of a secret and the current time rounded to the nearest 30 seconds.

The server implementation may also allow for clock drift, checking the previous / next N codes as well.

  • Related