TOTP holds the information needed to generate an auth code and validate it. Its secret field is sensitive data; treat it accordingly.
SHA-1 is the most widely used algorithm, and for TOTP purposes SHA-1 hash collisions are not a problem, as HMAC-SHA-1 is not impacted. It’s also the main one cited in rfc-6238, even though the reference implementation permits the use of SHA-1, SHA-256 and SHA-512.
Not all clients support algorithms other than SHA-1.
The number of digits for the auth code.
Per rfc-4226, this can be between 6 and 8 digits.
Number of steps allowed as network delay.
A value of one means that one step before the current step and one step after it are also valid.
The recommended value per rfc-6238 is 1. Anything more is sketchy and should not be used.
Duration in seconds of a step.
The recommended value per rfc-6238 is 30 seconds.
As per rfc-4226 the secret should come from a strong source, most likely a CSPRNG.
It should be at least 128 bits, but 160 are recommended.
The account name, typically either an email address or username.
The “firstname.lastname@example.org” part of “Github:firstname.lastname@example.org”.
Must not contain a colon.
The name of your service/website.
The “Github” part of “Github:firstname.lastname@example.org”.
Must not contain a colon.
Create a new instance of TOTP with given parameters.
See the doc for reference as to how to choose those values.
digits: MUST be between 6 and 8
secret: Must have a bit size of at least 128
account_name: Must not contain a colon
issuer: Must not contain a colon
Sign the given timestamp.
Generate a token given the provided timestamp in seconds.
Returns the timestamp of the first second of the next step, given the provided timestamp in seconds.
Returns the timestamp of the first second of the next step, according to system time.
Gives the TTL (in seconds) of the current token.
Generate a token from the current system time.
Check if the token is valid given the provided timestamp in seconds, accounting for skew.
Check if the token is valid by current system time, accounting for skew.
Return the base32 representation of the secret, which might be useful when users want to manually add the secret to their authenticator.
Convert a base32 secret into a TOTP.
The account name is the empty string and the issuer is None, so you should set them explicitly after decoding the secret bytes.
Generate a TOTP from the standard otpauth URL.
Generate a standard URL used to automatically add TOTP auths.
Usually used with a QR code.
Label and issuer will be URL-encoded; the secret will be converted to base32 without padding, as per the RFC.
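As an added example (not code from the library this page documents), the following standalone Rust sketch applies the constraints listed above for digits, secret size and colons, then builds an otpauth URL with an unpadded base32 secret and a percent-encoded label and issuer. The function names, the order of the query parameters and the sample values are assumptions made for illustration.

```rust
// Added example: a standalone sketch, not the crate's code. Names are hypothetical.

/// RFC 4648 base32 without '=' padding, as used for the `secret` URL parameter.
fn base32_nopad(data: &[u8]) -> String {
    const ALPHABET: &[u8; 32] = b"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567";
    let (mut out, mut buf, mut bits) = (String::new(), 0u32, 0u32);
    for &byte in data {
        buf = (buf << 8) | byte as u32;
        bits += 8;
        while bits >= 5 {
            bits -= 5;
            out.push(ALPHABET[((buf >> bits) & 31) as usize] as char);
        }
    }
    if bits > 0 {
        // Left-align the leftover bits in one last 5-bit group; no '=' is appended.
        out.push(ALPHABET[((buf << (5 - bits)) & 31) as usize] as char);
    }
    out
}

/// Percent-encode every byte that is not an RFC 3986 unreserved character.
fn pct(s: &str) -> String {
    s.bytes().map(|b| match b {
        b'A'..=b'Z' | b'a'..=b'z' | b'0'..=b'9' | b'-' | b'.' | b'_' | b'~' => (b as char).to_string(),
        _ => format!("%{:02X}", b),
    }).collect()
}

/// Validate the parameters as listed above, then build the otpauth URL.
fn otpauth_url(secret: &[u8], digits: u32, step: u64, issuer: &str, account: &str) -> Result<String, String> {
    if !(6..=8).contains(&digits) { return Err("digits must be between 6 and 8".into()); }
    if secret.len() * 8 < 128 { return Err("secret must be at least 128 bits".into()); }
    // The label is "issuer:account", so a colon inside either part would make it ambiguous.
    if issuer.contains(':') || account.contains(':') {
        return Err("issuer and account name must not contain a colon".into());
    }
    Ok(format!("otpauth://totp/{}:{}?secret={}&issuer={}&algorithm=SHA1&digits={}&period={}",
        pct(issuer), pct(account), base32_nopad(secret), pct(issuer), digits, step))
}

fn main() {
    // Constructed sample secret (16 bytes = 128 bits); real secrets must come from a CSPRNG.
    let url = otpauth_url(b"1234567890123456", 6, 30, "Github", "user@example.org");
    println!("{:?}", url);
}
```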