Package hotp implements the RFC 4226 OATH-HOTP algorithm; each password is derived from the HMAC-SHA1 of the key over an internal 8-byte counter. Passwords are presented as (typically) 6- or 8-digit numeric codes.
The package provides facilities for interacting with YubiKeys programmed in OATH-HOTP mode, as well as with the Google Authenticator application. The package also provides QR-code generation for new OTPs.
ErrInvalidHOTPURL is returned by FromURL; it indicates a malformed HOTP otpauth URL.
PRNG is the source of random data; this is used by GenerateHOTP and should be a cryptographically-secure PRNG.
Marshal serialises an HOTP key value as a DER-encoded byte slice.
HOTP represents a new key value for generating one-time passwords; it contains the key used to construct one-time passwords and the counter state used in the OTP generation. Digits contains the number of digits that generated OTPs should output. Key is a cryptographic secret, and should be treated as such.
FromURL parses a new HOTP from a URL string. It returns the OTP, the label associated with the OTP, and any errors that occurred.
GenerateHOTP will generate a randomised HOTP source; if the randCounter parameter is true, the counter will be randomised.
NewHOTP initialises a new HOTP instance with the key and counter values. No check is done on the digits, but typical values are 6 and 8.
Unmarshal parses a DER-encoded serialised HOTP key value.
Check takes an input code and verifies it against the OTP for the current counter. If successful, the counter is incremented.
Counter returns the HOTP's 8-byte counter as an unsigned 64-bit integer.
Increment will increment an HOTP source's counter. This is useful for providers like the Google Authenticator app, which immediately increments the counter and uses the 0 counter value as an integrity check.
IntegrityCheck returns two values, the base OTP and the current counter. This is used, for example, with the Google Authenticator app's "Check key value" function and can be used to verify that the application and the provider are in sync.
OTP generates a new one-time password.
QR generates a byte slice containing a QR code encoded as a PNG with level Q error correction.
Scan takes a code input (i.e. from the user) and scans ahead within a certain window of counter values, looking for a match. This can be used in the case where the server's counter and the user's counter have fallen out of sync, for example because the user generated codes that were never submitted.
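The following is an added example, not code from the hotp package, showing what OTP, Check and Scan have to do under RFC 4226: HMAC-SHA1 over the big-endian counter, dynamic truncation, reduction modulo 10^digits, constant-time comparison, and look-ahead resynchronisation that moves the server counter past the matched value so the code cannot be replayed. The type hotpToken and its methods are hypothetical stand-ins for the package's HOTP type; the key "12345678901234567890" is the RFC 4226 Appendix D test secret.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/binary"
	"fmt"
)

// hotpToken is a hypothetical stand-in for the package's HOTP type: shared
// secret, 64-bit counter and number of output digits (assumed 1..9 here).
type hotpToken struct {
	Key     []byte
	Counter uint64
	Digits  int
}

// code computes the RFC 4226 value for an explicit counter without touching
// the token's state: HMAC-SHA1(key, counter), dynamic truncation on the low
// nibble of the last byte, then reduction modulo 10^Digits, zero-padded.
func (t *hotpToken) code(counter uint64) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, t.Key)
	mac.Write(msg[:])
	sum := mac.Sum(nil)

	offset := sum[len(sum)-1] & 0x0f
	bin := (uint32(sum[offset])&0x7f)<<24 |
		uint32(sum[offset+1])<<16 |
		uint32(sum[offset+2])<<8 |
		uint32(sum[offset+3])
	mod := uint32(1)
	for i := 0; i < t.Digits; i++ {
		mod *= 10
	}
	return fmt.Sprintf("%0*d", t.Digits, bin%mod)
}

// OTP returns the password for the current counter and advances the
// counter, as a token does on each press.
func (t *hotpToken) OTP() string {
	c := t.code(t.Counter)
	t.Counter++
	return c
}

// Check verifies input against the current counter only. On success the
// counter advances so the same code is rejected if presented again.
func (t *hotpToken) Check(input string) bool {
	if subtle.ConstantTimeCompare([]byte(input), []byte(t.code(t.Counter))) == 1 {
		t.Counter++
		return true
	}
	return false
}

// Scan verifies input against the next window counter values (the
// look-ahead window of RFC 4226 section 7.4). On a hit the server counter is
// resynchronised to one past the matching value. Every candidate is compared
// so that timing does not reveal where in the window the match sat.
func (t *hotpToken) Scan(input string, window int) bool {
	found := -1
	for i := 0; i < window; i++ {
		match := subtle.ConstantTimeCompare([]byte(input), []byte(t.code(t.Counter+uint64(i)))) == 1
		if match && found < 0 {
			found = i
		}
	}
	if found < 0 {
		return false
	}
	t.Counter += uint64(found) + 1
	return true
}

func main() {
	// RFC 4226 Appendix D test secret; counters 0..2 give 755224, 287082, 359152.
	tok := &hotpToken{Key: []byte("12345678901234567890"), Digits: 6}
	for i := 0; i < 3; i++ {
		fmt.Println(tok.OTP())
	}
	// Server is at counter 3; the user pressed ahead to counter 5.
	fmt.Println(tok.Scan("254676", 10), tok.Counter)
}
```

Keep the look-ahead window small: every extra counter value the server accepts is another chance for a guessed 6-digit code to land, so the window should be paired with a failure counter or throttling as RFC 4226 section 7.3 recommends.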
URL returns a suitable URL, such as for the Google Authenticator app. The label is used by these apps to identify the service to which this OTP belongs. The digits value is ignored by the Google Authenticator app, and is therefore elided in the resulting URL.
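As an added illustration of what URL and FromURL exchange (this is example code, not the package's own implementation), the block below builds and parses the otpauth Key URI form that Google Authenticator reads: otpauth://hotp/LABEL?secret=BASE32KEY&counter=N. As described above, no digits parameter is written. The function and type names (hotpURL, parseHOTPURL, hotpParams, errInvalidHOTPURL) are hypothetical; the parser treats a TOTP URL, a missing or undecodable secret, and a missing or non-numeric counter as malformed, and tolerates lower-case or '='-padded secrets, which some apps emit.

```go
package main

import (
	"encoding/base32"
	"errors"
	"fmt"
	"net/url"
	"strconv"
	"strings"
)

// errInvalidHOTPURL plays the role of ErrInvalidHOTPURL in this example.
var errInvalidHOTPURL = errors.New("hotp: invalid HOTP otpauth URL")

// hotpParams is the state an otpauth HOTP URL carries: raw key, counter and
// the label the client shows the user (hypothetical type).
type hotpParams struct {
	Key     []byte
	Counter uint64
	Label   string
}

// b32 is the Key URI secret encoding: RFC 4648 base32, upper case, written
// without '=' padding.
var b32 = base32.StdEncoding.WithPadding(base32.NoPadding)

// hotpURL builds otpauth://hotp/<label>?secret=<base32 key>&counter=<n>.
// The digits value is deliberately not emitted.
func hotpURL(p hotpParams) string {
	q := url.Values{}
	q.Set("secret", b32.EncodeToString(p.Key))
	q.Set("counter", strconv.FormatUint(p.Counter, 10))
	u := url.URL{Scheme: "otpauth", Host: "hotp", Path: "/" + p.Label, RawQuery: q.Encode()}
	return u.String()
}

// parseHOTPURL is the inverse of hotpURL. Any structural problem is reported
// as errInvalidHOTPURL rather than being silently defaulted, because a
// wrong counter or key makes every subsequent code fail.
func parseHOTPURL(s string) (hotpParams, error) {
	u, err := url.Parse(s)
	if err != nil || u.Scheme != "otpauth" || !strings.EqualFold(u.Host, "hotp") {
		return hotpParams{}, errInvalidHOTPURL
	}
	q := u.Query()

	// Accept lower-case and padded secrets; both decode to the same key.
	secret := strings.ToUpper(strings.TrimRight(q.Get("secret"), "="))
	if secret == "" {
		return hotpParams{}, errInvalidHOTPURL
	}
	key, err := b32.DecodeString(secret)
	if err != nil {
		return hotpParams{}, errInvalidHOTPURL
	}

	// HOTP URLs must carry the counter; there is no sensible default.
	counterStr := q.Get("counter")
	if counterStr == "" {
		return hotpParams{}, errInvalidHOTPURL
	}
	counter, err := strconv.ParseUint(counterStr, 10, 64)
	if err != nil {
		return hotpParams{}, errInvalidHOTPURL
	}

	return hotpParams{Key: key, Counter: counter, Label: strings.TrimPrefix(u.Path, "/")}, nil
}

func main() {
	// RFC 4226 test secret, which base32-encodes to GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ.
	p := hotpParams{Key: []byte("12345678901234567890"), Counter: 5, Label: "Example:alice"}
	s := hotpURL(p)
	fmt.Println(s)
	back, err := parseHOTPURL(s)
	fmt.Println(back.Label, back.Counter, err)
}
```

The URL carries the raw key, so anything that logs, caches or previews it (web server access logs, chat link previews, screenshot tools) has captured the secret; it should be shown once, ideally only as a QR code, and never stored in the provisioning flow's logs.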
YubiKey reads an OATH-HOTP string as returned by a YubiKey, and returns three values. The first value contains the actual OTP, the second value contains the YubiKey's token identifier, and the final value indicates whether the input string was a valid YubiKey OTP. This does not check whether the code is correct; it only ensures that the input is well-formed output from a token and splits it into the code and the public identity. The code must still be verified with Check or Scan.