2FA Authentication for Garry's Mod
Bytewave:
--- Quote from: iViscosity on October 18, 2016, 04:35:50 PM ---
Sounds interesting enough... I could try and give it a shot.
I have a couple questions, though. If it shows a QR code and say they scan it with their phone, how would they be able to access it? Say if they used Google Authenticator, how can I set up a system with gmod to have the key match the key in that app to work? I'm pretty sure I can't set PData of a Steam ID (could be wrong) but even if I could, I'd need to set the PData to the same get as in the Authenticator, correct? If that's the case, my other question stands, how can I get them to match?
--- End quote ---
Well, PData was an example, though for offline manipulation you might want to try /data/ or something similar.
Anyway, the OTP spec has ways of matching codes. Basically, you generate a secret key for a user, and give that to them on their app and store it locally on the server. The secret key as well as the current Unix time (+/- 15 seconds) are used to generate a (typically) 6-digit PIN, which is sent to the server where it is compared to a PIN generated in the same way. So, all you would have to do is store the secret key on the server, and use luaotp to verify.
edit: If you think servers aren't going to be synced up very accurately time-wise, you may wish to consider HOTP over TOTP, which uses an internal counter to generate PINs. However, this is easier to exploit.
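Added example, not part of either post and not luaotp's own code: the shared-secret scheme described above, written out in Python from RFC 4226 (HOTP) and RFC 6238 (TOTP), including the otpauth:// URI an authenticator app reads from the QR code. It assumes the RFC defaults (HMAC-SHA1, 30-second steps, 6 digits); the SteamID, the issuer name and the `last_step` replay check are constructed for illustration.

```python
import base64, hashlib, hmac, struct
from urllib.parse import quote

STEP = 30    # seconds per time step (RFC 6238 default)
DIGITS = 6   # PIN length used by common authenticator apps

def hotp(secret: bytes, counter: int) -> str:
    """RFC 4226: HMAC-SHA1 of the 8-byte counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # low nibble picks 4 bytes
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)

def totp(secret: bytes, now: float) -> str:
    """RFC 6238: HOTP whose counter is the number of elapsed time steps."""
    return hotp(secret, int(now) // STEP)

def verify_totp(secret: bytes, pin: str, now: float,
                last_step: int = -1, window: int = 1):
    """Return the matched time step, or None.

    Accepts +/- `window` steps of clock drift. A step at or below
    `last_step` (the last one accepted for this user) is rejected, so a
    PIN that was observed once cannot be replayed.
    """
    current = int(now) // STEP
    matched = None
    for step in range(current - window, current + window + 1):
        # compare_digest avoids leaking how many digits matched via timing
        same = hmac.compare_digest(hotp(secret, step).encode(), pin.encode())
        if same and step > last_step:
            matched = step
    return matched

def provisioning_uri(secret: bytes, account: str, issuer: str) -> str:
    """otpauth:// URI to render as the enrollment QR code."""
    b32 = base64.b32encode(secret).decode().rstrip("=")
    label = f"{quote(issuer, safe='')}:{quote(account, safe='')}"
    return f"otpauth://totp/{label}?secret={b32}&issuer={quote(issuer, safe='')}"

if __name__ == "__main__":
    # Constructed sample: the RFC test key. Real secrets come from os.urandom(20).
    secret = b"12345678901234567890"
    print(provisioning_uri(secret, "STEAM_0:0:12345", "ExampleServer"))
    pin = totp(secret, 59)                       # what the phone would show
    step = verify_totp(secret, pin, now=75)      # server clock 16 s ahead
    print(pin, step, verify_totp(secret, pin, now=75, last_step=step))
```

The server stores the per-user secret and the last accepted step; the secret is never sent again after enrollment, only the PIN is.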
iViscosity:
Haha, I have absolutely no clue where to start, to be honest. Is there any guide or tutorial on how to get started doing that? Also, it's not that I don't think they'll be synced, I just don't know how to make them be synced :P