Two-Factor Authentication with Node.js
Quoting codeguru (post 56):

![Google Authenticator](https://davidwalsh.name/demo/2fa-google-auth-logo.png)

There are a variety of strategies for protecting your important online credentials. We often hear about password managers and generators, but for me, the more important strategy is using two-factor authentication (2FA). Passwords can be guessed, phone numbers can be spoofed, but using two-factor authentication essentially requires that the user be in possession of a physical device with an app like Google Authenticator, loaded with a secret key for the given app, which provides an extra layer of security.

I didn’t use to take two-factor authentication seriously, until [someone stole my domain name](https://davidwalsh.name/freedavidwalshdotname) and tried to launder it to a safe haven for thieved domains. While I don’t know how exactly they did it, I’m fairly certain they got access to my email address, created filters so I wouldn’t see the emails, etc. Had I used two-factor authentication, neither my email nor GoDaddy accounts could have been accessed. Or you could take it from Cody Brown who had [$8,000 in cryptocurrency stolen](https://medium.com/@CodyBrown/how-to-lose-8k-worth-of-bitcoin-in-15-minutes-with-verizon-and-coinbase-com-ba75fb8d0bac) in minutes because the vendor used phone number validation to allow transactions to be approved. Today I use two-factor authentication for all of my important email, work, and financial accounts.

Since I use 2FA so often, I wanted to see how the process is managed by a developer for its users. That would include generating the secret key, creating its QR code representation, scanning the code into Google Authenticator (done by the user), and then validating that GA-given code against the user’s key. I found an easy-to-use Node.js library, [speakeasy](https://www.npmjs.com/package/speakeasy), to do so!

## Setup Step 1: Generate a Secret Key

Assuming you’ve installed speakeasy via `npm install speakeasy`, the two-factor authentication setup is kicked off by generating a unique secret key for the user:

```javascript
var speakeasy = require('speakeasy');

var secret = speakeasy.generateSecret({length: 20});
console.log(secret.base32); // Save this value to your DB for the user

// Example: JFBVG4R7ORKHEZCFHZFW26L5F55SSP2Y
```

This secret key should be stored with the user’s record in your database, as it will be used as a reference to validate 2FA codes in the future.

## Setup Step 2: Generate a QR Image

Apps like Google Authenticator allow users to scan a QR code or enter the text key. Scanning an image is much faster so offering the QR code will be of great convenience to your user:

```javascript
// Requires the qrcode package: npm install qrcode
var QRCode = require('qrcode');

// secret is the object returned by speakeasy.generateSecret() above
QRCode.toDataURL(secret.otpauth_url, function(err, image_data) {
  if (err) throw err;
  console.log(image_data); // A data URI for the QR code image
});
```

`QRCode.toDataURL` provides an [image data URI](https://davidwalsh.name/convert-image-data-uri-javascript) that you can use for the `img` `src` attribute. If you aren’t familiar with a QR code, it will look something like this:

![QR Code](https://davidwalsh.name/demo/2fa-qr-code.png)

## User Step 1: Scan the QR Code / Add Site to Authenticator

At this point the user should have opened Google Authenticator (or Authy, etc.) and scanned the QR code; an entry for your web app will be added within the device’s app. From this point forward, whenever the user wants to log in (or perform any action you’d like to be protected), your system should recognize the user wants to use 2FA and you should require they enter the token from their app.

![Google Authenticator](https://davidwalsh.name/demo/2fa-google-auth.png)

For the purposes of debugging, you can get what should be the user code value at a given time via:

```javascript
// Load the secret.base32 from their user record in database
var secret = ...

// The 6-digit code the user's app should be showing right now
var token = speakeasy.totp({
  secret: secret,
  encoding: 'base32'
});
```

## User Step 2: Providing the Token / Validating the Token

When your web app prompts the user for the current 2FA token, and the user provides a 6-digit token, the web app must validate that token:

```javascript
// This is provided by the user via form POST
var userToken = params.get('token');

// Load the secret.base32 from their user record in database
var secret = ...

// Verify that the user token matches what it should at this moment
var verified = speakeasy.totp.verify({
  secret: secret,
  encoding: 'base32',
  token: userToken
});
```

If the token matches, the user can be trusted; if the token does not match, the web app should prompt the user to try again. Remember that Authenticator provides a new token every {x} seconds so an incorrect token shouldn’t immediately raise a red flag; the token may have simply expired by the time the user submitted the form.

## Live Demo

The speakeasy developers have created a [live speakeasy 2FA demo](https://sedemo-mktb.rhcloud.com/) for you to play with so that you can understand the steps involved from both a user and a developer perspective.

This post is only meant to be a brief, high-level overview of implementing two-factor authentication — please read the [speakeasy documentation](https://github.com/speakeasyjs/speakeasy) to get a more detailed explanation as well as learn about more specific 2FA options. In an ideal world, two-factor authentication would be enabled by default for most logins; however, it can be confusing for the majority of web users (think of the very non-technical user), so I can understand why 2FA is considered an extra security measure for now. A big thanks to speakeasy’s developers for their easy-to-use Node.js library, awesome documentation, and simple demo!

The post [Two-Factor Authentication with Node.js](https://davidwalsh.name/2fa) appeared first on [David Walsh Blog](https://davidwalsh.name).