...

Two-Factor Authentication in Go: How and Why

Securing user accounts is a must, and providing the features the user might need for some extra security can be a pain.

However, in this article I will show you that adding two-factor authentication to your website or app is actually easy.

What types of two-factor authentication are there?

One of the most popular methods for adding two-factor authentication is through a Time-Based One-Time Password (TOTP).

While TOTP isn’t without its drawbacks (we’ll dive into those in a future post), it strikes a great balance between enhanced security and ease of use. It adds an extra layer of protection without overwhelming users or complicating your app too much.

TOTP is both user-friendly and reliable, making it an effective choice for boosting security with minimal hassle.

While there are several methods to implement two-factor authentication, such as SMS codes, we will not be discussing them today.

Why?

Depending on the type of app you’re building, your users may be more susceptible to phishing attacks.

By adding two-factor authentication to their accounts, you can help prevent attackers from taking control. Even if they manage to steal a user’s credentials, they’ll still need the TOTP code—usually stored securely on the user’s phone in their preferred authentication app.

Now, the big question: how do we implement this in Go?

The best approach is to use a well-tested library that has already handled the potential pitfalls of implementing the algorithm.

The library we’ll explore today is built on RFC 6238.

I recommend using MrTuNNe/GoTOTP (github.com), as it provides everything you need to get started with TOTP implementation.

Let’s begin by installing the library into your project.

Bash
go get github.com/MrTuNNe/GoTOTP

To integrate this into your project, you will need to generate a secret key for users who wish to add two-factor authentication to their accounts.

Go
secret, err := GoTOTP.GenerateRandomSecret(32) // 32 bytes length
if err != nil {
    // handle the error however you want.
}

Securely store the secret key in your database. Each key is a base32 string; generate a fresh one for every user and never reuse a key across multiple users.

Next, begin the process of verifying the TOTP code supplied by the user by creating a TOTP instance.

Go
totp := GoTOTP.TOTP{
    Key:      "OK6ZZOALZY6RNZBPM4QKD2ZFO5F3PTP56VIAXLDJLEHBPLJJIZNQ",
    Issuer:   "mrtunne.info",
    UserName: "[email protected]",
}

To verify the validity of the code provided by the user, you should proceed as follows:

Go
if totp.Verify("149425") {
    // this code is valid, go to the next step with your code
} else {
    // this code is not valid, so do whatever you want with the poor guy
}

The library provides additional functions that may be of interest; you are encouraged to explore these at your leisure.

Following this brief tutorial, you now have the capability to enhance your app’s security by integrating TOTP for your users.

Let me know if you ended up using this library 🙂
