Time-based One-Time Passwords (TOTP)

Defined in rfc6238, and used in Google Authenticator.

This module can only be used in the "authenticate" section.

The Base32-encoded secret should be placed into:

Any "bare" key should be placed into:

If TOTP.Key exists, then it will be used instead of TOTP.Secret.

The TOTP password entered by the user should be placed into:

The module will return ok if the passwords match, and fail if the passwords do not match.

The crypto algorithms are HmacSHA1, HmacSHA256 and HmacSHA512.

This module will NOT interact with Google. The module is intended to be used where the local administrator knows the TOTP secret key, and user has an authenticator app on their phone.

Also that while you can use the Google "chart" APIs to generate a QR code, doing this will give the secret to Google!

Administrators should instead install a tool such as "qrcode"

and then run that locally to get an image.

Configuration Settings

totp { … }
time_step: Default time step between time changes.
otp_length: Length of the one-time password.

Must be 6 or 8

lookback_steps: How many steps backward in time we look for a matching OTP.
lookback_interval: Time delta between steps.

Cannot be larger than time_step

Default Configuration

#	`&control.TOTP.Secret`
#	`&control.TOTP.Key`
#	`&request.TOTP.From-User`
#	https://linux.die.net/man/1/qrencode
totp {
	time_step = 30
	otp_length = 6
	lookback_steps = 1
	lookback_interval = 30
}