TOTP and HOTP
TOTP (Time-based One-Time Password, RFC 6238) and HOTP (HMAC-based One-Time Password, RFC 4226) are the two RFCs that every 2FA enrollment QR implements. The encoded otpauth:// URI scheme is Google Authenticator's de facto standard, used by every major authenticator app.
TOTP spec: RFC 6238 (time-based, 2011).
HOTP spec: RFC 4226 (counter-based, 2005).
URI scheme: Google Authenticator Key URI Format, the format every authenticator agrees on.
What it is
A 2FA enrollment QR encodes a URL in the otpauth:// scheme that carries the shared secret and identifying metadata. Format:
otpauth://TYPE/LABEL?secret=SECRET&issuer=ISSUER&algorithm=ALG&digits=N&period=SEC
- TYPE, totp (time-based) or hotp (counter-based).
- LABEL, Issuer:Account, URL-encoded. Example: GitHub:alice@example.com. If both the label prefix and the issuer parameter are present they must name the same issuer.
- secret, the shared key, Base32-encoded (RFC 4648 §6 alphabet: A-Z, 2-7); the = padding is omitted.
- issuer, the service name, shown in the authenticator app. Redundant with the label prefix but improves UX on apps that don't parse the label.
- algorithm, SHA1 (default), SHA256, or SHA512. Every authenticator supports SHA1; fewer support SHA256/SHA512.
- digits, 6 (default) or 8. Most consumer apps expect 6.
- period, TOTP only. 30 (default) or 60 seconds. HOTP has a counter parameter instead.
Standard test vectors
| Case | Inputs | Expected otpauth:// URI |
|---|---|---|
| TOTP, minimal (SHA1, 6 digits, 30 s) | issuer=GitHub | otpauth://totp/GitHub:alice@example.com?secret=JBSWY3DPEHPK3PXP&issuer=GitHub |
| TOTP, SHA256, 8 digits | issuer=Corp | otpauth://totp/Corp:bob?secret=JBSWY3DPEHPK3PXP&issuer=Corp&algorithm=SHA256&digits=8 |
| HOTP, counter=0 | issuer=YubiKey | otpauth://hotp/YubiKey:carol?secret=JBSWY3DPEHPK3PXP&issuer=YubiKey&counter=0 |
| TOTP, RFC 6238 reference secret (SHA1, 8 digits) | issuer=Example, secret = ASCII 12345678901234567890, i.e. Base32 GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ | The RFC 6238 Appendix B vector: with SHA1 and digits=8 this secret produces 94287082 at T=59 s. |
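The rows above can be exercised end to end: parse the URI, decode the Base32 secret, and run RFC 4226 HOTP / RFC 6238 TOTP over it. The following is an added example written for this page; it is not Abundera's code and not the RFCs' reference implementation. It assumes only the Python standard library, treats a mismatch between the label prefix and the issuer parameter as an error (as the Key URI Format requires), and the `Example:rfc6238` account label plus the `OtpParams`, `parse_otpauth`, `build_otpauth` and `code_from_uri` names are choices made here, not anything the page defines.

```python
# Added example for this page (not Abundera's code, not the RFCs' reference code).
# Assumes the Python standard library only; label prefix and issuer= must agree.
import base64
import hashlib
import hmac
import re
import struct
import time
from dataclasses import dataclass
from urllib.parse import parse_qs, quote, unquote, urlencode, urlsplit

BASE32_RE = re.compile(r"[A-Z2-7]+")   # RFC 4648 §6 alphabet, checked after stripping '=' padding
ALGORITHMS = {"SHA1": hashlib.sha1, "SHA256": hashlib.sha256, "SHA512": hashlib.sha512}


@dataclass
class OtpParams:
    otp_type: str          # "totp" or "hotp"
    issuer: str
    account: str
    secret: bytes          # raw key after Base32 decoding
    algorithm: str = "SHA1"
    digits: int = 6
    period: int = 30       # TOTP only
    counter: int = 0       # HOTP only


def decode_base32_secret(secret: str) -> bytes:
    """Strict uppercase Base32; otpauth URIs usually omit '=' padding, so re-pad before decoding."""
    s = secret.rstrip("=")
    if not BASE32_RE.fullmatch(s):
        raise ValueError(f"not a Base32 secret: {secret!r}")
    return base64.b32decode(s + "=" * (-len(s) % 8))


def parse_otpauth(uri: str) -> OtpParams:
    parts = urlsplit(uri)
    if parts.scheme != "otpauth" or parts.netloc not in ("totp", "hotp"):
        raise ValueError("expected otpauth://totp/... or otpauth://hotp/...")
    q = {k: v[0] for k, v in parse_qs(parts.query).items()}
    if "secret" not in q:
        raise ValueError("secret= is required")
    label = unquote(parts.path.lstrip("/"))               # "%3A"/"%40" come back as ':' and '@'
    label_issuer, account = label.split(":", 1) if ":" in label else ("", label)
    issuer = q.get("issuer", label_issuer)
    if label_issuer and issuer != label_issuer:           # Key URI Format: if both given they must match
        raise ValueError(f"issuer={issuer!r} disagrees with label prefix {label_issuer!r}")
    algorithm = q.get("algorithm", "SHA1").upper()
    if algorithm not in ALGORITHMS:
        raise ValueError(f"unsupported algorithm {algorithm}")
    digits = int(q.get("digits", 6))
    if digits not in (6, 8):
        raise ValueError("digits must be 6 or 8")
    if parts.netloc == "hotp" and "counter" not in q:
        raise ValueError("hotp URIs must carry counter=")
    return OtpParams(parts.netloc, issuer, account, decode_base32_secret(q["secret"]),
                     algorithm, digits, int(q.get("period", 30)), int(q.get("counter", 0)))


def build_otpauth(p: OtpParams) -> str:
    """Percent-encode the label and spell out only the non-default parameters."""
    label = quote(f"{p.issuer}:{p.account}" if p.issuer else p.account, safe="")
    query = {"secret": base64.b32encode(p.secret).decode().rstrip("=")}
    if p.issuer:
        query["issuer"] = p.issuer
    if p.algorithm != "SHA1":
        query["algorithm"] = p.algorithm
    if p.digits != 6:
        query["digits"] = p.digits
    if p.otp_type == "hotp":
        query["counter"] = p.counter
    elif p.period != 30:
        query["period"] = p.period
    return f"otpauth://{p.otp_type}/{label}?{urlencode(query)}"


def hotp(secret: bytes, counter: int, algorithm: str = "SHA1", digits: int = 6) -> str:
    """RFC 4226 §5.3: HMAC over the 8-byte big-endian counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), ALGORITHMS[algorithm]).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def totp(secret: bytes, unix_time: int, period: int = 30, algorithm: str = "SHA1", digits: int = 6) -> str:
    """RFC 6238 §4: HOTP with the counter replaced by floor(unix_time / period)."""
    return hotp(secret, unix_time // period, algorithm, digits)


def code_from_uri(uri: str, unix_time=None) -> str:
    """The code an authenticator would show for this URI (for HOTP, the code at the embedded counter)."""
    p = parse_otpauth(uri)
    if p.otp_type == "hotp":
        return hotp(p.secret, p.counter, p.algorithm, p.digits)
    return totp(p.secret, int(time.time()) if unix_time is None else unix_time, p.period, p.algorithm, p.digits)


if __name__ == "__main__":
    # Last table row: RFC 6238 Appendix B seed (ASCII "12345678901234567890"), SHA1, 8 digits, T = 59 s.
    # The "Example:rfc6238" account label is constructed for this demo.
    rfc = "otpauth://totp/Example:rfc6238?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example&digits=8"
    print(code_from_uri(rfc, unix_time=59))                                 # 94287082
    github = parse_otpauth("otpauth://totp/GitHub:alice@example.com?secret=JBSWY3DPEHPK3PXP&issuer=GitHub")
    print(github.secret, build_otpauth(github))                              # first table row, round-tripped
```

Running the block prints 94287082 for the RFC row and, for the GitHub row, the decoded key b'Hello!\xde\xad\xbe\xef' followed by the rebuilt URI with the label percent-encoded (GitHub%3Aalice%40example.com), which every authenticator accepts as equivalent to the literal form in the table.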
Live Base32 secret validator
Authenticator apps reject secrets containing anything outside the Base32 alphabet (A-Z, 2-7). The Abundera TOTP generator runs this check in your browser before it builds the QR.
Common mistakes
- Base32 is not Base64. Base64 uses A-Z, a-z, 0-9, + and /; Base32 (RFC 4648 §6) uses only A-Z and 2-7. Lowercase letters, the digits 0, 1, 8 or 9, or + and / in your secret mean you were handed a Base64 string (or raw hex), not Base32, and authenticators will reject it. Some apps upper-case pasted input, but emit uppercase rather than rely on that.
- Secret length. RFC 4226 §4 requires at least 128 bits (26 Base32 chars) and recommends 160 bits (32 chars); RFC 6238 §5.1 recommends a key as long as the HMAC output (160 bits for SHA1, 256 for SHA256, 512 for SHA512). Shorter secrets are legal syntax and every app will accept them, but flag anything under 128 bits as weak. The 16-char JBSWY3DPEHPK3PXP in the table above is 80 bits: fine as a test vector, not for production.
- Algorithm support varies. Google Authenticator ignores the algorithm parameter and always uses SHA1. For SHA256/SHA512 to actually take effect, your users must be on 1Password, Authy, Bitwarden, or Microsoft Authenticator. The server verifies with the algorithm in the URI, so a SHA256 enrollment scanned by an app that silently falls back to SHA1 yields codes that never validate.
- Digits support varies. Most authenticators ignore digits=8 and silently show 6-digit codes, which an 8-digit server check rejects. If 8-digit OTPs matter (banking, some government apps), test your target authenticator before rolling out.
- URL-encode the label. Special characters in issuer or account (:, @, space) must be percent-encoded in the label, or older authenticators drop the label entirely. Abundera handles this automatically.
- Never reuse secrets. Every account gets a fresh, cryptographically random secret from the OS CSPRNG, never one derived from a username or password. Reusing a secret across services means a compromise at one breaks all of them.
- Storage matters more than the QR. The QR is a one-time bootstrap; after the first scan the secret lives in the authenticator app and on your server. If either copy is later exported or stored in plain text (some authenticators do this), one disk leak compromises every enrolled account.
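The check described under "Live Base32 secret validator" above, extended with the diagnostics a practitioner wants for the first two mistakes in this list (spotting Base64 or hex, and applying the RFC 4226 key-length thresholds). This is an added example written for this page, not the validator Abundera ships. It assumes only the Python standard library; `inspect_secret` and `SecretReport` are names chosen here, the 80/128/160-bit boundaries follow the Secret length item above, and the sample secrets in the `__main__` block are constructed (the Base64 string encodes the same ten bytes as JBSWY3DPEHPK3PXP).

```python
# Added example for this page: a stricter version of the Base32 check described above,
# not Abundera's validator. Standard library only; thresholds from RFC 4226 §4.
import base64
import binascii
from dataclasses import dataclass, field
from typing import List

BASE32_ALPHABET = frozenset("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567")   # RFC 4648 §6
NEVER_BASE32 = frozenset("0189+/_")   # appear in Base64, base64url or hex output, never in Base32


@dataclass
class SecretReport:
    normalized: str                   # separators and '=' padding stripped, upper-cased: what goes in the URI
    valid: bool                       # decodes as RFC 4648 §6 Base32
    bits: int                         # decoded key length in bits (0 when invalid)
    strength: str                     # "invalid" | "weak" | "acceptable" | "recommended"
    problems: List[str] = field(default_factory=list)


def inspect_secret(raw: str) -> SecretReport:
    """Classify a pasted secret the way an enrollment form should before it builds the QR."""
    # Users paste "JBSW Y3DP ..." or "jbsw-y3dp-..."; '=' padding is optional in otpauth URIs.
    s = raw.strip().replace(" ", "").replace("-", "").rstrip("=")
    problems: List[str] = []
    if not s:
        return SecretReport("", False, 0, "invalid", ["empty secret"])
    if s != s.upper():
        problems.append("lowercase letters: strict Base32 is uppercase; do not rely on the app to case-fold")
    foreign = sorted(set(s.upper()) - BASE32_ALPHABET)
    if foreign:
        problems.append(f"characters outside A-Z/2-7: {''.join(foreign)}")
        if set(foreign) & NEVER_BASE32 or s != s.upper():
            problems.append("looks like Base64 or hex, not Base32: re-export the key as Base32")
        return SecretReport(s, False, 0, "invalid", problems)
    try:
        key = base64.b32decode(s.upper() + "=" * (-len(s) % 8))
    except binascii.Error:   # lengths of 1, 3 or 6 mod 8 cannot come from whole bytes
        problems.append(f"{len(s)} characters is not a possible Base32 length")
        return SecretReport(s.upper(), False, 0, "invalid", problems)
    bits = len(key) * 8
    if bits < 128:
        strength = "weak"
        problems.append(f"{bits} bits: RFC 4226 §4 requires at least 128 bits (26 Base32 chars)")
    elif bits < 160:
        strength = "acceptable"
        problems.append(f"{bits} bits: meets the 128-bit minimum; 160 bits (32 chars) is recommended")
    else:
        strength = "recommended"
    return SecretReport(s.upper(), True, bits, strength, problems)


if __name__ == "__main__":
    # Constructed samples. The Base64 string encodes the same ten bytes as JBSWY3DPEHPK3PXP.
    for sample in ("JBSWY3DPEHPK3PXP", "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ",
                   "SGVsbG8h3q2+7w==", "JBSWY3DPEHPK3PXPX", "jbsw y3dp-ehpk 3pxp"):
        r = inspect_secret(sample)
        print(f"{sample:34} valid={r.valid!s:5} bits={r.bits:3} {r.strength:11} {'; '.join(r.problems) or 'ok'}")
```

Two design points worth copying into a real form: normalization happens before validation (so a user who pastes spaced groups is not rejected for a cosmetic reason), and the length check works on decoded bytes rather than character count, which is what catches a 17-character string that no byte sequence can produce.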
Authenticator app compatibility
| App | TOTP SHA1 | TOTP SHA256/512 | HOTP | 8-digit | Notes |
|---|---|---|---|---|---|
| Google Authenticator | Yes | Ignored | Yes | Ignored | The de facto baseline. Always target this first. |
| 1Password | Yes | Yes | Yes | Yes | Full RFC support. |
| Authy | Yes | Yes | No | Yes | Drops HOTP in newer versions. |
| Bitwarden | Yes | Yes | Yes | Yes | Full RFC support. |
| Microsoft Authenticator | Yes | Yes | Yes | Yes | Full RFC support. |
| YubiKey Authenticator | Yes | Yes | Yes | Yes | HOTP is the canonical YubiKey mode. |
| Duo Mobile | Yes | Ignored | No | Ignored | Uses its own push flow; TOTP is fallback only. |
See also
- /totp-2fa-qr-code/, the TOTP generator with Base32 validator inline.
- /hotp-qr-code/, HOTP counter-based variant.
- /standards/, back to the standards index.