Google Authenticator Base32

Started by sinsi, January 04, 2024, 10:32:44 PM


sinsi

I've written some code to generate the so-called secret and authenticate properly but seem to be stuck at the base32 decode/encode step.

My understanding of the setup part is to get the user to enter their secret then the program generates a base32 encoded string from it - this is the string you enter in the app (because we aren't using a QR code).

To get the 6-digit PIN, the app (and my code) decode the secret, hash it with the number of 30-second intervals since Unix epoch, then use the hash to generate the 6 number code. If both app and my program have the correct secret, the numbers match and you're authenticated.

Because my code knows the secret before encoding, I know the code works properly. But I don't have an encode/decode routine (well, I have an encoder but it looks nothing like the code I've found and only works if I reverse the secret, encode it, then reverse the result).

I can upload some code but it's 1. a mess, and 2. masm compatible but not masm32 compatible.

Any help appreciated.


🍺🍺🍺

jj2007

Sinsi,

It's not so clear what you need. Can you give a link to the documentation of this stuff?

Quote from: sinsi on January 04, 2024, 10:32:44 PM
I have an encoder but it looks nothing like the code I've found

There are online base32 encoder/decoder tools - is that what you want to do programmatically?

sinsi

Quote from: jj2007 on January 05, 2024, 12:29:04 AM
There are online base32 encoder/decoder tools - is that what you want to do programmatically?

That's it :)

You would normally get a QR code to scan with the app that has the secret (among other things), but you can also just type in the secret. Since the secret is just an array of bytes, Google encodes it to make sure it's human-readable.
🍺🍺🍺
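The two halves described above (base32-encoding the raw secret so it can be typed into the app, and the decode/HMAC/30-second-interval step both sides run to get the 6-digit PIN) as one worked example in Python. This is an added example, not sinsi's or anyone else's code from this thread; it assumes the RFC 4648 base32 alphabet and the Google Authenticator defaults (HMAC-SHA1, 30-second step, 6 digits).

```python
# Added example, not code from this thread: RFC 4648 base32 plus RFC 6238 TOTP.
import hashlib
import hmac
import struct

ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"
DECODE_MAP = {c: i for i, c in enumerate(ALPHABET)}

def b32encode(data: bytes) -> str:
    """Encode bytes to base32 with '=' padding to a multiple of 8 chars."""
    bits = nbits = 0
    out = []
    for byte in data:
        bits, nbits = (bits << 8) | byte, nbits + 8
        while nbits >= 5:                       # emit each full 5-bit group
            nbits -= 5
            out.append(ALPHABET[(bits >> nbits) & 0x1F])
    if nbits:                                   # leftover bits, zero-padded on the right
        out.append(ALPHABET[(bits << (5 - nbits)) & 0x1F])
    out.extend("=" * (-len(out) % 8))
    return "".join(out)

def b32decode(text: str) -> bytes:
    """Decode base32 the way an authenticator app does: case-insensitive, spaces/padding ignored."""
    bits = nbits = 0
    out = bytearray()
    for ch in text.upper().replace(" ", "").rstrip("="):
        bits, nbits = (bits << 5) | DECODE_MAP[ch], nbits + 5
        if nbits >= 8:                          # a full byte is available
            nbits -= 8
            out.append((bits >> nbits) & 0xFF)
    return bytes(out)

def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1 (the Google Authenticator default)."""
    counter = struct.pack(">Q", unix_time // step)      # 30-second intervals since epoch
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                             # dynamic truncation, RFC 4226
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def verify(b32_secret: str, user_code: str, now: int, skew_steps: int = 1) -> bool:
    """Server side: decode the stored secret, accept the current window and +/- skew."""
    key = b32decode(b32_secret)
    candidates = (totp(key, now + 30 * d) for d in range(-skew_steps, skew_steps + 1))
    return any(hmac.compare_digest(c, user_code) for c in candidates)
```

The secret "12345678901234567890" from the RFC 6238 test vectors encodes to GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ and gives 287082 at Unix time 59, so a MASM port can be checked against the same values.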

Biterider

Quote from: sinsi on January 04, 2024, 10:32:44 PM
base32 decode/encode
Hi sinsi
I have a base64 encoder/decoder. Switching to base32 is just a matter of making a few changes.
Is that what you need?

Biterider


sinsi

OK, I got the decoder working OK but after looking into the Authenticator part of it, the security is abysmal.
I use a web interface to admin my linux box remotely and switched on 2FA using Google Authenticator.

The first thing I didn't like was that Google gets the information to create the QR code - this is everything.
No big deal, but do you trust Google? I sure don't  :biggrin:

The second thing, looking to see how secure it is, to start with it looked really good - nothing is sent between your device and the remote server, they both calculate a number and the server sees what number you type in. If they match, all OK.
But, the base32-encoded key is on the server, stored who knows where (and how).

My web admin stores the key, in plain text, in a file, along with the user name.
As a test I took that key, entered it as a new 2FA on my phone, et voilà - the 6-digit code matches the original.

Searching for how different websites store the key wasn't very reassuring: it basically said that it's up to them how they do it, but hopefully they store it apart from user info (yeah, right :rolleyes: ) and no breaches have been detected so far.

🍺🍺🍺