otplib

Time-based (TOTP) and HMAC-based (HOTP) One-Time Password library

• API
• Changelog
• License

About

otplib is a JavaScript One Time Password (OTP) Library.

It was initially created for me to understand how One Time Passwords work in implementation.

It implements:

• RFC 4226 - HOTP
• RFC 6238 - TOTP

This library is compatible with Google Authenticator, and includes additional methods to allow you to easily work with Google Authenticator.

Installation

Install the module via npm

 $ npm install otplib

Usage

While this package is primarily a node.js module, a browser-based version which is compiled using browserify can be found in bin/otplib.js.

node.js

var otplib = require('otplib');

browser

<script src="bin/otplib.js"></script>

<script type="text/javascript">
   var otplib = require('otplib');
</script>

Quick Start

Token Generation

var otplib = require('otplib');

// Basic
var secret = otplib.core.secret.generate(); //'user secret'

// Generating OTP
var code = otplib.core.totp(secret);

console.log('OTP: ' + code);

Token Validation

var otplib = require('otplib');

// From database etc.
var secret = 'user secret',
    code = 'user provided OTP';

// True / False
var status = otplib.core.token.check(code, secret, 'totp');

console.log('Is Token Valid: ' + status);

Note on Google Authenticator

Base32 Keys

Google Authenticator requires keys to be base32 encoded.

RFC3548

Google Authenticator requires an RFC 3548 compliant encoder.

OTP calculation will still work should you want to use other base32 encoding methods (like Crockford's Base 32) but it will NOT be compatible with Google Authenticator.

Sample

var otplib = require('otplib');

var secret = otplib.google.secret(), //'base 32 encoded user secret'
    qrcode = otplib.google.qrcode('user@domain', 'service', secret);

var code = otplib.google.generate(secret);

console.log('OTP: ' + code);