Node One Time Password library

Simple to use, fast, and with zero dependencies. The Node One Time Password library is fully compliant with HOTP (counter based one time passwords) and TOTP (time based one time passwords). It can be used in conjunction with the Google Authenticator which has free apps for iOS, Android and BlackBerry.

Installation

npm install notp

Usage

var notp = require('notp');

//.... some initial login code, that receives the user details and TOTP / HOTP token

var key = 'secret key for user... could be stored in DB';
var token = 'user supplied one time use token';

// Check TOTP is correct (HOTP if hotp pass type)
var login = notp.totp.verify(token, key);

// invalid token if login is null
if (!login) {
    return console.log('Token invalid');
}

// valid token
console.log('Token valid, sync value is %s', login.delta);

Google Authenticator

Google authenticator requires that keys be base32 encoded before being used. This includes manual entry into the app as well as preparing a QR code URI.

To base32 encode a utf8 key you can use the thirty-two module.

var base32 = require('thirty-two');

var key = 'secret key for the user';

// encoded will be the secret key, base32 encoded
var encoded = base32.encode(key);

// Google authenticator doesn't like equal signs
var encodedForGoogle = encoded.toString().replace(/=/g,'');

// to create a URI for a qr code (change totp to hotp if using hotp)
var uri = 'otpauth://totp/somelabel?secret=' + encodedForGoogle;

Note: If your label has spaces or other invalid uri characters you will need to encode it accordingly using encodeURIComponent More details about the uri key format can be found on the google auth wiki

API

hotp.verify(token, key, opt)

Check a counter based one time password for validity.

Returns null if token is not valid for given key and options.

Returns an object {delta: #} if the token is valid. delta is the count skew between client and server.

opt

window

The allowable margin for the counter. The function will check window codes in the future against the provided token. i.e. if window = 100 and counter = 5 all tokens between 5 and 105 will be checked against the supplied token Default - 50

counter

Counter value. This should be stored by the application on a per user basis. It is up to the application to track and increment this value as needed. It is also up to the application to increment this value if there is a skew between the client and server (delta)

totp.verify(token, key, opt)

Check a time based one time password for validity

Returns null if token is not valid for given key and options.

Returns an object {delta: #} if the token is valid. delta is the count skew between client and server.

opt

window

The allowable margin for the counter. The function will check window codes in the future against the provided token. i.e. if window = 5 and counter = 1000 all tokens between 995 and 1005 will be checked against the supplied token Default - 6

time

The time step of the counter. This must be the same for every request and is used to calculate C. Default - 30

hotp.gen(key, opt)

Return a counter based one time password

opt

counter

Counter value. This should be stored by the application, must be user specific, and be incremented for each request.

totp.gen(key, opt)

Return a time based one time password

opt

time

The time step of the counter. This must be the same for every request and is used to calculate C. Default - 30

Migrating from 1.x to 2.x

Removed

The encBase32 and decBase32 methods have been removed. If you wish to encode/decode base32 you should install a module to do so. We recommend the thirty-two npm module.

Changed

All of the APIs have been changed to return values directly instead of using callbacks. This reflects the fact that the functions are actually synchronous and perform no I/O.

Some of the required arguments to the functions have also been removed from the args parameter and are passed as separate function parameters. See the above API docs for details.

notp.checkHOTP(args, err, cb) -> notp.hotp.verify(token, key, opt)
notp.checkTOTP(args, err, cb) -> notp.totp.verify(token, key, opt)
notp.getHOTP(args, err, cb) -> notp.gotp.gen(key, opt)
notp.getTOTP(args, err, cb) -> notp.totp.gen(key, opt)

Args

The argument names have also changed to better describe the purpose of the argument.

K -> no longer in args/opt but passed directly as a function argument
P -> no longer in args/opt but passed directly as a function argument
W -> window
C -> counter
T -> time

Project Name	Stars	Repos Using This	Packages Using This	Most Recent Commit	Total Releases	Latest Release	Open Issues	License	Language
Aegis	6,226			2 days ago			69	gpl-3.0	Java
A free, secure and open source app for Android to manage your 2-step verification tokens.
Speakeasy	2,633	545	232	15 days ago	7	January 27, 2016	64	mit	JavaScript
NOT MAINTAINED Two-factor authentication for Node.js. One-time passcode generator (HOTP/TOTP) with support for Google Authenticator.
Authenticatorpro	1,726			2 days ago			56	gpl-3.0	C#
📱 Two-Factor Authentication (2FA) client for Android + Wear OS
Google Authenticator Libpam	1,584			7 days ago	1	March 03, 2021	60	apache-2.0	C

Otplib	1,558	172	243	9 months ago	55	January 24, 2020	78	mit	TypeScript
:key: One Time Password (OTP) / 2FA for Node.js and Browser - Supports HOTP, TOTP and Google Authenticator
Rotp	1,524	2,527	63	a month ago	38	December 13, 2022	3	mit	Ruby
Ruby One Time Password library
Googleauth	960	68	14	a year ago	16	April 04, 2020	11	bsd-3-clause	Java
Google Authenticator Server side code
Otpauth	663	11	21	20 hours ago	89	November 10, 2022	6	mit	JavaScript
One Time Password (HOTP/TOTP) library for Node.js, Deno, Bun and browsers.
Notp	662	169	65	4 months ago	5	October 14, 2014	22	mit	JavaScript
Node One Time Password library, supports HOTP, TOTP and works with Google Authenticator
Auth	587			7 days ago			27	gpl-3.0	Dart
ente Auth – store your 2FA secrets

Notp