
Large service providers like Google already offer two-factor authentication for their services, and others like Microsoft will follow. This authentication mechanism is based on one-time passwords (OTP) combined with a time factor, resulting in Time-based One-Time Passwords (TOTP) as specified in RFC 6238.

But it’s also possible to provide two-factor authentication for self-written services. The package can be found in the following repository:

MCHttpRepository
	location: 'http://www.min.at/prinz/repo/totp'
	user: ''
	password: ''

It provides a simple way to create and validate TOTPs for a given time or a time window.

" Enter the shared secret here. This is for example "
" the secret you will get if you change your Gmail "
" account to two-factor authentication "
key := TOTP decodeBase32: 'qqmholtfsmddokpy'.

" Instantiate a new tokenprovider with a 30 seconds "
" time window "
tp := TOTP createWithSecret: key StepSeconds: 30.

" Calculates a new one time password which "
" changes every #StepSeconds seconds "
token := tp calculateOneTimePassword.

" Validate a token "
valid := TOTP verifyOneTimePassword: token Secret: key.

The larger the StepSeconds parameter, the longer a generated token stays unchanged and the greater the time difference between client and server can be. The algorithm uses UTC for client and server times. A 30-second time step means that a new token is generated every 30 seconds and that a token is considered valid 30 seconds before and 30 seconds after the point in time it was created.
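The time-step and validity-window behaviour described above, written out as an added Python sketch of RFC 6238 (this is not the Pharo package's code). It assumes HMAC-SHA1, 6-digit tokens and a window of one step on either side; the function names are chosen for this example.

```python
import base64
import hashlib
import hmac
import struct
import time


def decode_base32_secret(text):
    """Decode a Base32 shared secret, tolerating lowercase, spaces and missing padding."""
    cleaned = text.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def totp(secret, at_time, step_seconds=30, digits=6):
    """RFC 6238 token for the time step that contains at_time (UTC seconds)."""
    counter = int(at_time) // step_seconds
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation, RFC 4226 section 5.3
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify(secret, token, at_time, step_seconds=30, digits=6, window=1):
    """Accept a token from the current step or up to `window` steps before or after it."""
    for drift in range(-window, window + 1):
        candidate_time = at_time + drift * step_seconds
        if candidate_time < 0:
            continue  # no time step exists before the Unix epoch
        expected = totp(secret, candidate_time, step_seconds, digits)
        # Constant-time comparison so the check does not leak matching digits.
        if hmac.compare_digest(expected.encode(), token.encode()):
            return True
    return False


if __name__ == "__main__":
    key = decode_base32_secret("qqmholtfsmddokpy")  # sample secret from the snippet above
    now = time.time()
    token = totp(key, now)
    print(token, verify(key, token, now))
```

A wider window tolerates more clock drift but also lengthens the time an intercepted token remains usable, so a server should additionally reject a token it has already accepted once.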

So change your Google account today and use Pharo to calculate the tokens.