This document discusses two-factor authentication using time-based one-time passwords (TOTP). It provides information on TOTP implementations in Ruby and iOS, the URI format for TOTP secret keys, and how to generate and verify TOTP codes using the mdp/rotp Ruby gem. It also mentions using a mobile app like IIJ SmartKey for TOTP instead of SMS-based codes and includes API details for sending notifications with IIJ SmartKey.

1. Ruby TOTP

2. • Ruby
• IIJ SmartKey *1
iOS
*1
"IIJ SmartKey ". h1p://
www.iij.ad.jp/smartkey/

3. iOS D !
• D
• h$p://hioki-daichi.jp/passwordd.html
•
• h$ps://github.com/hioki-daichi/
passwordd

6. otpauth://totp/
github.com/hioki-daichi
?issuer=GitHub
&secret=njjlrjgljcebmj6l

7. otpauth://totp/
github.com/hioki-daichi
?issuer=GitHub
&secret=njjlrjgljcebmj6l

8. njjlrjgljcebmj6l
! 165853
" 372144
# 770782
...

9. Ruby ✨

10. hmac = OpenSSL::HMAC.digest(
OpenSSL::Digest.new('sha1'),
Base32.decode('NJJLRJGLJCEBMJ6L'),
[Time.now.to_i / 30].pack('N*').rjust(8, 0.chr)
)
#=> "nxEAxD6xBFxFBxA1xA6xB2x128
# x1AxB0x8Dx1DRxD4x8FxE6xD5xAE"
hmac.unpack('[H*]').pop
#=> "6eead6bffba1a6b212381ab08d1d52d48fe6d5ae"
-------------------------------------------------------------
|6e|ea|d6|bf|fb|a1|a6|b2|12|38|1a|b0|8d|1d|52|d4|8f|e6|d5|ae|
------------------------------------------------------------|

11. offset = hmac[-1].ord & 0xf
code = (hmac[offset ].ord & 0x7f) << 24 |
(hmac[offset + 1].ord & 0xff) << 16 |
(hmac[offset + 2].ord & 0xff) << 8 |
(hmac[offset + 3].ord & 0xff)
(code % 10 ** 6).to_s.rjust(6, '0')
#=> "662182"
-------------------------------------------------------------
|6e|ea|d6|bf|fb|a1|a6|b2|12|38|1a|b0|8d|1d|52|d4|8f|e6|d5|ae|
-------------------------------------------***********----++|
0xae & 0xf #=> 14
0x52d48fe6 #=> 1389662182
~~~~~~

12. otpauth://totp/
github.com/hioki-daichi
?issuer=GitHub
&secret=njjlrjgljcebmj6l

13. otpauth://totp/
github.com/hioki-daichi
?issuer=GitHub
&secret=njjlrjgljcebmj6l
&algorithm=SHA256
&digits=8
&period=10

14. Key Uri Format*2
*2
"Key Uri Format · google/google-authen8cator Wiki". GitHub. h@ps://github.com/google/google-authen8cator/
wiki/Key-Uri-Format

15. Type
REQUIRED
otpauth://totp/ACME%20Co:john.doe@email.com?
secret=HXDMVJECJJWSRB3HWIZR4IFUGFTMXBOZ&issuer=AC
ME%20Co&algorithm=SHA1&digits=6&period=30
• totp / hotp

16. Label
REQUIRED
otpauth://totp/ACME%20Co:john.doe@email.com?
secret=HXDMVJECJJWSRB3HWIZR4IFUGFTMXBOZ&issuer=AC
ME%20Co&algorithm=SHA1&digits=6&period=30
• secret
• "#{issuer}:#{accountname}" !

17. Secret
REQUIRED
otpauth://totp/ACME%20Co:john.doe@email.com?
secret=HXDMVJECJJWSRB3HWIZR4IFUGFTMXBOZ&issuer=A
CME%20Co&algorithm=SHA1&digits=6&period=30
• 128 160
• Base32 stesla/base32*3
*3
"stesla/base32: A library which provides base32 decoding and encoding.".GitHub. h?ps://github.com/stesla/base32

18. Issuer
STRONGLY RECOMMENDED
otpauth://totp/ACME%20Co:john.doe@email.com?
secret=HXDMVJECJJWSRB3HWIZR4IFUGFTMXBOZ&issuer=AC
ME%20Co&algorithm=SHA1&digits=6&period=30
• Label
• Label Parameters !

19. Algorithm
OPTIONAL
otpauth://totp/ACME%20Co:john.doe@email.com?
secret=HXDMVJECJJWSRB3HWIZR4IFUGFTMXBOZ&issuer=AC
ME%20Co&algorithm=SHA1&digits=6&period=30
• SHA1 (Default) / SHA256 / SHA512

20. Digits
OPTIONAL
otpauth://totp/ACME%20Co:john.doe@email.com?
secret=HXDMVJECJJWSRB3HWIZR4IFUGFTMXBOZ&issuer=AC
ME%20Co&algorithm=SHA1&digits=6&period=30
• 6 (Default) / 8
• 6 10 ** 6

21. Period
OPTIONAL
otpauth://totp/ACME%20Co:john.doe@email.com?
secret=HXDMVJECJJWSRB3HWIZR4IFUGFTMXBOZ&issuer=AC
ME%20Co&algorithm=SHA1&digits=6&period=30
• 30

22. HOTP
OTP
!

23. Gem !

24. mdp/rotp*4
totp = ROTP::TOTP.new(
"BASE32SECRET3232",
interval: 60, issuer: "ACME Co",
digits: 8, digest: "sha256"
)
#=> #<ROTP::TOTP:0x007fde9244c028
# @interval=60, @issuer="ACME Co",
# @digits=8, @digest="sha256",
# @secret="BASE32SECRET3232">
*4
"mdp/rotp: Ruby One Time Password library".GitHub h?ps://github.com/mdp/rotp

25. mdp/rotp*4
totp.now
#=> "24430035"
totp.provisioning_uri("john.doe@email.com")
#=> "otpauth://totp/
# ACME%20Co:john.doe@email.com
# ?secret=BASE32SECRET3232
# &period=60
# &issuer=ACME+Co&digits=8"
*4
"mdp/rotp: Ruby One Time Password library".GitHub h?ps://github.com/mdp/rotp

26. mdp/rotp*4
totp.verify("24430035")
#=> false
totp.verify_with_drift("24430035", 10)
#=> true
*4
"mdp/rotp: Ruby One Time Password library".GitHub h?ps://github.com/mdp/rotp

27. TOTP

28. !
•
• e.g. SMS

33. SMS

37. QR !
QR
• UI

39. !
( )
• ( )

40. !
secret
• SecureRandom

41. IIJ SmartKey *5
*5
"IIJ SmartKey ". h1p://www.iij.ad.jp/biz/smartkey-m/

43. ②
$ curl $API_ENDPOINT/apps/$APP_ID/accounts/$ACCOUNT_ID/notifications
-X POST
-H 'Content-Type: application/json'
-H 'X-Iij-Smart-Key-Api-Key: $API_KEY'
-d '{
"title":"GitHub ",
"message":"GitHub ",
"push_notification_title":" ",
"push_notification_message":" "
}'

44. ⑥
$ curl $API_ENDPOINT/apps/$APP_ID/accounts/$ACCOUNT_ID/notifications
...
{
"key":"b89609af119c3a94fb05b60c15bb8807",
"account_code":"728f190fa43069c449411ecef22b550cd0a1edbf",
"title":"GitHub ",
"message":"GitHub ",
"status":"verified",
"notified_at":"2016-06-16T00:00:00.000+09:00"
}

45. • RFC6238
• TOTP: Time-Based One-Time Password Algorithm
• h?ps://tools.ieC.org/html/rfc6238
• RFC4226
• HOTP: An HMAC-Based One-Time Password Algorithm
• h?ps://tools.ieC.org/html/rfc4226
• RFC2104
• HMAC: Keyed-Hashing for Message AuthenNcaNon
• h?ps://tools.ieC.org/html/rfc2104
• RFC4648
• The Base16, Base32, and Base64 Data Encodings
• h?ps://tools.ieC.org/html/rfc4648