Subscribe via RSS
Toggle Submenu
  1. Categories
  2. Recent
  3. Tags
View Replies (1)

Resolved 2FA

  1. How-to
0
Votes
Undo
  1. Sim Joo Pee
    Sim Joo Pee
  2. PowerServer
  3. Thursday, 13 July 2023 08:10 AM UTC

Hi Master,

  I have looked thru the 2FA codes shared by Bruce earlier. And now i have questions, I use the goggle authenticator, when i use the same secret key on different userid,  i can use any of the generated TOTP. Looks like they are the same TOTP.  I know that i can change the secret key to distinguish it. But, what is the best practices on the secret key? Let the user simply enter the secret key that they liked? or is there a way that we can control on the secret key, maybe auto generated?? and what if user forgot the last secret key enter?

But, when i refer to this link https://community.appeon.com/index.php/articles-blogs/tutorials-articles/2-powerbuilder/242-two-factor-authentication-using-powerbuilder#!kmt-start=10   under high level overview. There are this statement(see below in red), it confused me, so, the secret key is fix/static for the c/s application? cannot be changed?

"....................  Your application would not show the secret key to the user, it's only shown in the sample app so you can try different values.

Second question, after the QR code generated, next is to register to goggle authenticator, it seemed, for c/s application, user only need to do once to register the app, and from there onward , just need to enter user id password and TOTP, isnt it? If yes, then, what will happen if user generate qr code and register again, in the next login? I would assume, goggle authenticator does not allow that? I tried, and it seemed, not allow to overwrite the existing one. However, user can delete the account and scan the qr code again. So, this is not secure anymore, isnt it? 

Lastly, i am using the sample code from https://community.appeon.com/index.php/articles-blogs/tutorials-articles/2-powerbuilder/242-two-factor-authentication-using-powerbuilder#!kmt-start=10

And guess what, i didnt modified Bruce codes,  initially when i run it, i got the token matching w the authenticator. After several hours, i tried run the app again, it gave me different token. Why is like that?

 

Please advice.

Thank you.

Power Server Debug Project
Deploying build in PowerServer 2022 trial version
Responses (1)
Bruce Armstrong
Bruce Armstrong Accepted Answer Pending Moderation
  1. Thursday, 20 July 2023 20:39 PM UTC
  2. PowerServer
  3. # 1

The TOTPs are based entirely on the secret key and the current time (or more technically, the current 30 second window), so yes for the same secret key and different users you would get the same values at the same time.  However you don't have to give different users the same key.  You could generate the key randomly when registering the user and then store the key you gave them in your user table.  Or you might take a single key you use for the application and then encrypt it using user id info so that a unique value is derived for each user and can be re-derived at authentication time.  That way you wouldn't store the key in the user table because you can derive it from other info.  You wouldn't have the user enter one though.  As I noted, the only reason you can do that in the sample app I created was so that you could experiment with it easily.

You can't re-register the same user id with the same app in Google Authenticator, but you can delete it and re-register it.  I'm not sure why you would consider that insecure.

If you run the app again within 30 seconds it should give you a different number.  That's the premise of "temporary" in temporary one time passwords.  The password is only good for 30 seconds and then it has to be re-generated.  If you watch Google authenticator you will see a timer next to a TOTP it generates that indicates how long the password is good for.  After 30 seconds it will generate another one, and you have another 30 seconds to use that one.

Comment
There are no comments made yet.
  • Page :
  • 1


There are no replies made for this question yet.
However, you are not allowed to reply to this question.