undefined | Better HN

0 pointsblippage4y ago0 comments

So, my understanding so far is that Github (or anyone, in general) will provide a private key consisting of 24 alphanum chars. Github also has a copy of the key.

To authenticate, a password is generated based on the private key, which acts as a seed. That seed is combined with a timestamp in order to generate a password, which has an expiry time of about 1 minute. The algorithm that generates the password is a standard one, so once you know the algorithm, you can generate valid passwords.

Linux provides "oathtool", which is suitable for such a purpose.

Is my understanding correct on this?

0 comments

1 comments · 1 top-level

jwilk4y ago

> private key

It's a "shared secret". ("private key" implies only one party knows it.)

> 24 alphanum chars

Hmm, https://datatracker.ietf.org/doc/html/rfc4226#section-4 says the key "MUST be at least 128 bits", meaning at least 26 (base-32) chars.

My current TOTP secret (generated in 2018) for GitHub is only 20 chars. :-/

> Is my understanding correct on this?

Yes.

j / k navigate · click thread line to collapse