Two-Factor Authentication (2FA) with Time-Based One-Time Passwords (TOTP) adds an extra layer of security to web applications. Building on my 18+ years of expertise in the tech corporate world, I have consistently delivered innovative solutions to requirements and led teams to enhance organizational tech performance. Drawing on this expertise, in this tech concept I'll walk you through implementing TOTP in Java, covering everything from generating QR codes for setup to validating TOTP codes during user authentication.
What is TOTP? (let’s revisit)
TOTP is an algorithm that generates a one-time password based on the current time and a shared secret key. Popular apps like Google Authenticator or Authy use this to provide a secure and convenient 2FA mechanism.
Prerequisites
To implement TOTP in Java, you’ll need:
- Java Development Kit (JDK) (at least version 8).
- Libraries for handling TOTP and QR codes, such as:
  - Google Authenticator-compatible libraries like com.eatthepath:otp-java.
  - QR code generation libraries like zxing.
- A basic understanding of Java servlets or frameworks like Spring Boot for integration.
Steps to Implement TOTP in Java
1. Generate a Secret Key
The secret key is shared between your application and the user's authenticator app. Use the otp-java library to generate this key.
    import java.security.SecureRandom;
    import org.apache.commons.codec.binary.Base32;

    public class TOTPGenerator {
        // 160-bit random secret, the key length RFC 4226 recommends for HMAC-SHA1.
        public static String generateSecretKey() {
            SecureRandom random = new SecureRandom();
            byte[] secretKey = new byte[20];
            random.nextBytes(secretKey);
            // Authenticator apps read the secret from the otpauth URI as Base32 (RFC 4648),
            // not Base64. The JDK has no Base32 codec, so Apache Commons Codec is used here;
            // 20 bytes encode to exactly 32 characters with no '=' padding.
            return new Base32().encodeToString(secretKey);
        }

        public static void main(String[] args) {
            String secretKey = generateSecretKey();
            System.out.println("Generated Secret Key: " + secretKey);
        }
    }
2. Generate a QR Code
The QR code allows users to add the secret key to their TOTP app easily. The URL format follows the otpauth://totp/Label structure. Use the zxing library for QR code generation.
    import com.google.zxing.BarcodeFormat;
    import com.google.zxing.WriterException;
    import com.google.zxing.client.j2se.MatrixToImageWriter;
    import com.google.zxing.common.BitMatrix;
    import com.google.zxing.qrcode.QRCodeWriter;
    import java.io.File;
    import java.io.IOException;

    public class QRCodeGenerator {
        // Render the otpauth URI as a 300x300 PNG that the user scans once during setup.
        public static void generateQRCode(String totpUrl, String filePath) throws WriterException, IOException {
            QRCodeWriter qrCodeWriter = new QRCodeWriter();
            BitMatrix bitMatrix = qrCodeWriter.encode(totpUrl, BarcodeFormat.QR_CODE, 300, 300);
            MatrixToImageWriter.writeToPath(bitMatrix, "PNG", new File(filePath).toPath());
        }

        public static void main(String[] args) throws WriterException, IOException {
            // The Base32 secret produced in step 1; it must be the same value the server stores.
            String secretKey = "YOUR_GENERATED_SECRET_KEY";
            String accountName = "[email protected]";
            String issuer = "MyApp";
            // Key URI format: label is "issuer:account", and the issuer is repeated as a query parameter.
            String totpUrl = String.format(
                    "otpauth://totp/%s:%s?secret=%s&issuer=%s",
                    issuer, accountName, secretKey, issuer
            );
            generateQRCode(totpUrl, "totp-qr.png");
            System.out.println("QR Code generated at totp-qr.png");
        }
    }
3. Validate the TOTP Code
To validate the TOTP code during login, use the otp-java library to generate the expected TOTP and compare it to the user input.
    import com.eatthepath.otp.HmacOneTimePasswordGenerator;
    import java.time.Instant;
    import javax.crypto.spec.SecretKeySpec;
    import org.apache.commons.codec.binary.Base32;

    public class TOTPValidator {
        public static boolean validateTOTP(String secretKey, int userCode) throws Exception {
            // The same Base32 string that was placed in the otpauth URI during setup.
            byte[] decodedKey = new Base32().decode(secretKey);
            // Default generator: 6 digits, HMAC-SHA1, which is what Google Authenticator produces.
            HmacOneTimePasswordGenerator otpGenerator = new HmacOneTimePasswordGenerator();
            // TOTP is HOTP with the 30-second time step used as the counter (RFC 6238).
            long currentInterval = Instant.now().getEpochSecond() / 30;
            // The library takes a javax.crypto.Key, not a raw byte array.
            int generatedCode = otpGenerator.generateOneTimePassword(
                    new SecretKeySpec(decodedKey, "HmacSHA1"), currentInterval);
            return generatedCode == userCode;
        }

        public static void main(String[] args) throws Exception {
            String secretKey = "YOUR_GENERATED_SECRET_KEY";
            int userCode = 123456; // Code entered by the user
            if (validateTOTP(secretKey, userCode)) {
                System.out.println("Code is valid!");
            } else {
                System.out.println("Invalid code.");
            }
        }
    }
Best Practices for TOTP Implementation
- Store the Secret Key Securely: Use encryption or secure key stores to prevent unauthorized access.
- Handle Clock Drift: Allow for a small margin (e.g., ±1 time interval) to account for time differences between the server and client device.
- Rate Limiting: Limit the number of TOTP validation attempts to prevent brute force attacks.
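The validation step above checks only the current 30-second step, while the clock-drift advice asks for a ±1 step window. The following class is an added example, not code from the original post or from the otp-java library: it implements RFC 4226/6238 directly on the JDK's javax.crypto so the window logic is visible, assumes the secret is stored as a Base32 string (the encoding authenticator apps expect), and compares every candidate code in constant time. The test key in main is constructed from the RFC 6238 test vectors.

```java
import java.nio.ByteBuffer;
import java.security.MessageDigest;
import java.time.Instant;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

public class DriftTolerantTotp {
    private static final String B32 = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567";
    // Decode an RFC 4648 Base32 secret (the encoding authenticator apps expect); '=' padding is ignored.
    static byte[] base32Decode(String s) {
        String clean = s.toUpperCase().replace("=", "").replace(" ", "");
        ByteBuffer out = ByteBuffer.allocate(clean.length() * 5 / 8);
        int buffer = 0, bits = 0;
        for (char c : clean.toCharArray()) {
            int v = B32.indexOf(c);
            if (v < 0) throw new IllegalArgumentException("not Base32: " + c);
            buffer = ((buffer << 5) | v) & 0xFFFF;
            bits += 5;
            if (bits >= 8) { out.put((byte) (buffer >> (bits - 8))); bits -= 8; }
        }
        return out.array();
    }
    // RFC 4226 HOTP (HMAC-SHA1, dynamic truncation, 6 digits); TOTP passes the 30 s time step as the counter.
    static String hotp(byte[] key, long counter) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA1");
        mac.init(new SecretKeySpec(key, "HmacSHA1"));
        byte[] h = mac.doFinal(ByteBuffer.allocate(8).putLong(counter).array());
        int off = h[h.length - 1] & 0x0F;
        int bin = ((h[off] & 0x7F) << 24) | ((h[off + 1] & 0xFF) << 16)
                | ((h[off + 2] & 0xFF) << 8) | (h[off + 3] & 0xFF);
        return String.format("%06d", bin % 1_000_000);
    }
    // Accept the current step and its +/- window neighbours; every candidate is compared in constant time.
    static boolean validate(String base32Secret, String userCode, Instant now, int window) throws Exception {
        byte[] key = base32Decode(base32Secret);
        long step = now.getEpochSecond() / 30;
        boolean ok = false;
        for (long i = -window; i <= window; i++) {
            ok |= MessageDigest.isEqual(hotp(key, step + i).getBytes(), userCode.getBytes());
        }
        return ok;
    }
    public static void main(String[] args) throws Exception {
        // Constructed sample: RFC 6238's test key "12345678901234567890", Base32-encoded.
        String secret = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ";
        String code = hotp(base32Decode(secret), 59 / 30);                        // code for the step containing t = 59 s
        System.out.println(validate(secret, code, Instant.ofEpochSecond(75), 1));  // one step of drift: inside the window
        System.out.println(validate(secret, code, Instant.ofEpochSecond(125), 1)); // three steps of drift: rejected
    }
}
```

Widening the window also widens what an attacker can guess, so pair it with the rate limiting above; RFC 6238 additionally recommends remembering the last accepted step per user so the same code cannot be replayed within the window.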
Example Workflow for 2FA
- Setup:
  - Generate a secret key.
  - Display the QR code for the user to scan.
- User Authentication:
  - Validate the TOTP code during login by comparing it with the generated code.
- Fallback Mechanisms:
  - Provide backup codes or an alternate recovery option for cases where users lose access to their TOTP app.
Conclusion
My Tech Advice: User data is the foundation of every application, and 2FA plays a pivotal role in securing it in today's tech development era. Implementing TOTP-based 2FA in Java enhances the security of your application, safeguarding user accounts against unauthorized access. By following this guide, you can seamlessly integrate 2FA into your authentication flow, offering users a robust layer of protection.
#AskDushyant
Note: The example and pseudo code are for illustration only. You must modify and experiment with the concept to meet your specific needs.