A ruby library for generating and validating one time passwords (HOTP & TOTP) according to RFC 4226 and RFC 6238.
ROTP is compatible with Google Authenticator available for Android and iPhone.
Many websites use this for multi-factor authentication, such as GMail, Facebook, Amazon EC2, WordPress, and Salesforce. You can find a more complete list here.
- OpenSSL
- Ruby 2.0 or higher
- Simplified API
- Dropping support for Ruby < 2.0
- Docs for 3.x can be found here
gem install rotp --version 4.0.0.rc1totp = ROTP::TOTP.new("base32secret3232", issuer: "My Service")
totp.now # => "492039"
# OTP verified for current time - returns timestamp of verification
totp.verify("492039") # => 1474590700
sleep 30
# OTP fails to verify - returns nil
totp.verify("492039") # => nilhotp = ROTP::HOTP.new("base32secretkey3232")
hotp.at(0) # => "260182"
hotp.at(1) # => "055283"
hotp.at(1401) # => "316439"
# OTP verified with a counter
hotp.verify("316439", 1401) # => 1401
hotp.verify("316439", 1402) # => nilBy keeping track of the last time a user's OTP was verified, we can prevent token reuse during the interval window (default 30 seconds)
The following is an example of this in action:
User.find(someUserID)
totp = ROTP::TOTP.new(user.otp_secret)
totp.now # => "492039"
user.last_otp_at # => 1432703530
# Verify the OTP
last_otp_at = totp.verify("492039", after: user.last_otp_at) #=> 1472145760
# ROTP returns the timestamp(int) of the current period
# Store this on the user's account
user.update(last_otp_at: last_otp_at)
# Someone attempts to reused the OTP inside the 30s window
last_otp_at = totp.verify("492039", after: user.last_otp_at) #=> nil
# It fails to verify because we are still in the same 30s interval windowSome users may enter a code just after has expired. By adding 'drift' you can allow for a recently expired token to remain valid. Warning: there are security implications to allowing 'drift'
totp = ROTP::TOTP.new("base32secret3232")
now = Time.at(1474590600) #2016-09-23 00:30:00 UTC
totp.at(now) # => "250939"
# OTP verified for current time along with 15 seconds earlier
# ie. User enters a code just after it expired
totp.verify("250939", drift_behind: 15, at: now + 35) # => 1474590600
# User waits too long. Fails to validate previous OTP
totp.verify("250939", drift_behind: 15, at: now + 45) # => nilROTP::Base32.random_base32 # returns a 32 character base32 secret. Compatible with Google AuthenticatorNote: The Base32 format conforms to RFC 4648 Base32
Provisioning URI's generated by ROTP are compatible with most One Time Password applications, including Google Authenticator.
totp.provisioning_uri("[email protected]") # => 'otpauth://totp/issuer:[email protected]?secret=JBSWY3DPEHPK3PXP'
hotp.provisioning_uri("[email protected]", 0) # => 'otpauth://hotp/issuer:[email protected]?secret=JBSWY3DPEHPK3PXP&counter=0'This can then be rendered as a QR Code which the user can scan using their mobile phone and the appropriate application.
Scan the following barcode with your phone, using Google Authenticator
Now run the following and compare the output
require 'rubygems'
require 'rotp'
totp = ROTP::TOTP.new("JBSWY3DPEHPK3PXP")
p "Current OTP: #{totp.now}"bundle install
bundle exec rspecOnce the rotp rubygem is installed on your system, you should be able to run the rotp executable
(if not, you might find trouble-shooting help at this stackoverflow question).
# Try this to get an overview of the commands
rotp --help
# Examples
rotp --secret p4ssword # Generates a time-based one-time password
rotp --hmac --secret p4ssword --counter 42 # Generates a counter-based one-time passwordHave a look at the contributors graph on Github.
MIT Copyright (C) 2016 by Mark Percival, see LICENSE for details.
A list can be found at Wikipedia.