A one-time password (OTP) is a password that is valid for a single login session or transaction. OTPs can be delivered to users through text messages, authenticator apps, email, and other channels, and they are commonly used as an additional factor so that a user has to prove more than knowledge of a password. PyOTP is a Python library that generates and verifies one-time passwords (both HOTP and TOTP) and is used to implement MFA in login systems. The purpose of this lab was to learn how 2FA solutions are used in the real world.
- Python
- Authenticator App (Microsoft Authenticator)
I first installed the required libraries for this project. The project uses pyotp, qrcode, getpass and time, but only the first two are third-party packages; getpass and time are part of the Python standard library and do not need to be installed.
pyotp: Generates and verifies one-time passwords.
qrcode: Creates a QR code (with Pillow for image output) that the user scans with an authenticator app.
getpass: Reads the password without echoing it to the terminal. It does not encrypt the password; it only keeps it off the screen.
time: Used here only to pause the script for one 30-second TOTP time step; the time-based counter itself is computed inside pyotp.
pip install pyotp
pip install "qrcode[pil]"
Then I imported the libraries in the first lines of this project.
import pyotp
import qrcode
import getpass
import time
key = pyotp.random_base32()
print(key)
I was able to generate a random base32 secret key which was used for the next code. The secret key changes every time the code is executed, so it is generated once per user, saved, and pasted into the next step; in a real deployment this secret is stored server-side and protected like a password, because anyone who holds it can produce valid codes.
In this step, I pasted the secret key generated by the previous code into key and created a TOTP object from it (pyotp defaults to six-digit codes, SHA-1 and a 30-second time step).
key = ''  # paste the base32 secret printed by random_base32() here
totp = pyotp.TOTP(key)
I then set the account name and issuer name which are displayed in the authenticator app, and saved the QR code as an image (in a notebook the last expression displays the image inline).
uri = totp.provisioning_uri(name="user", issuer_name="Company")
print(uri)
img = qrcode.make(uri)   # returns a PIL image; needs the Pillow extra of qrcode
img.save("totp_qr.png")  # open this file and scan it with the authenticator app
I was able to create a provisioning URI and generate a QR code which was scanned with my mobile authenticator app. The QR code is just the provisioning URI encoded as an image; the URI carries the shared secret and its parameters to the new device, so the QR code must be treated as a secret and not be logged, emailed, or left on screen.
As you can see from this image, the URI contains the following parameters:
otpauth://: Specifies that this URI is for OTP authentication.
totp: Specifies that the codes are time-based (hotp would mean counter-based).
issuer: The name of the application or service the account belongs to.
name: The account label, here the username.
secret: The base32-encoded shared secret that both the app and the server use to compute codes.
I decided to use Microsoft Authenticator for this project. After scanning the QR code, a six-digit code that refreshes every 30 seconds appeared along with the username and issuer's name.
I entered the one-time code from Microsoft Authenticator after entering the username and password. This lab only checks the OTP; the username and password are collected but are not compared against anything, so a real login would check them first and only then ask for the code. After the first check, the script waits one time step and checks the same code again to show that it has expired.
input_username = input('Enter username: ')
password = getpass.getpass("Enter password: ")  # hides the input; it is not encrypted
input_code = input("Enter verification code: ")
# verify() recomputes the code for the current 30-second step and compares it
# with the entered one; it returns True or False
result = totp.verify(input_code)
print(result)
time.sleep(30)  # wait one time step; the code entered above is now stale
print(totp.verify(input_code))  # the same code is rejected as expired
This was the final result.
This is the result of entering an incorrect or expired verification code.
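To show what pyotp does under the hood and what a login flow needs on top of it, here is an added example (not code from the original lab and not pyotp's own code) that implements the same TOTP scheme, RFC 6238 over HMAC-SHA1 with RFC 4226 dynamic truncation, using only the standard library, builds the same otpauth:// provisioning URI, and adds the two checks the lab script leaves out: a small clock-drift window and rejection of any code that has already been accepted (replay). RFC_SECRET is the published RFC 6238 test secret so its codes can be checked by hand; new_secret, provisioning_uri, hotp, totp_at and TotpVerifier are this example's own names, not pyotp's.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time
from urllib.parse import quote, urlencode

# Constructed for the example: the RFC 6238 test secret ("12345678901234567890"
# in base32), so the expected codes are published and can be checked by hand.
RFC_SECRET = base64.b32encode(b"12345678901234567890").decode()


def new_secret(nbytes=20):
    """Fresh per-user base32 secret (160 bits, like pyotp.random_base32())."""
    return base64.b32encode(secrets.token_bytes(nbytes)).decode()


def provisioning_uri(secret, account, issuer):
    """otpauth:// URI as the authenticator app expects it; the secret travels in the clear."""
    return "otpauth://totp/%s:%s?%s" % (
        quote(issuer), quote(account), urlencode({"secret": secret, "issuer": issuer}))


def hotp(secret, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    key = base64.b32decode(secret.upper() + "=" * (-len(secret) % 8))
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # low nibble of the last byte
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp_at(secret, unix_time, step=30, digits=6):
    """RFC 6238: HOTP with the counter set to the current 30-second time step."""
    return hotp(secret, int(unix_time) // step, digits)


class TotpVerifier:
    """Server-side check: constant-time compare, +/- valid_window steps of clock
    drift, and every code accepted at most once (its time step is consumed)."""

    def __init__(self, secret, step=30, digits=6, valid_window=1):
        self.secret, self.step, self.digits = secret, step, digits
        self.valid_window = valid_window
        self.last_accepted_step = -1   # persist this per user in a real deployment

    def verify(self, code, now=None):
        code = code.strip()
        if len(code) != self.digits or not (code.isascii() and code.isdigit()):
            return False               # wrong shape: never reaches the comparison
        current = int(time.time() if now is None else now) // self.step
        for step in range(current - self.valid_window, current + self.valid_window + 1):
            if step <= self.last_accepted_step:
                continue               # replay: this step (or an older one) is already used
            if hmac.compare_digest(hotp(self.secret, step, self.digits), code):
                self.last_accepted_step = step
                return True
        return False


if __name__ == "__main__":
    secret = new_secret()
    print(provisioning_uri(secret, "user", "Company"))   # encode this in the QR code
    verifier = TotpVerifier(secret)
    code = totp_at(secret, time.time())                  # what the phone would show
    print(code, verifier.verify(code), verifier.verify(code))  # accepted once, then rejected
```

pyotp's totp.verify(code, valid_window=1) gives the same drift tolerance, but pyotp does not remember which codes it has already accepted; the application has to store something like last_accepted_step next to the user's secret, otherwise a code captured by a phishing page can be replayed within its 30-second step. Rejecting every step at or below the last accepted one is slightly stricter than RFC 6238 requires, and it keeps the drift window from reopening an older code.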
In this project, I developed my own MFA solution using Python and was able to get it to work with a mobile application. I learned more about the qrcode, getpass, and pyotp libraries and how they can be used in Python.
Adding an extra layer of security is a great way for individuals and companies to protect themselves: with a second factor in place, a stolen or reused password alone is no longer enough to log in.