User talk:Brad Linden/Login MFA
Greetings Brad. I am backporting the MFA support to my viewer (the Cool VL Viewer) which, being a v1 viewer, does things differently to LL's viewer and TPVs based on it.
Nothing difficult (*), but I'd like to make sanity checks in my code for the MFA hash I will store (in an LLXORCipher'ed and LLBase64-encoded form) in the user per-account settings (no LLSecAPIHandler in my viewer, and not planning/wanting to backport it). The sanity check is especially useful when retrieving the stored ciphered/encoded hash and decoding/deciphering it.
I therefore need to know whether the MFA hash has a fixed size or not, and if yes, what size it is; is it an MD5 or SHA1 hash, for example?
So, if you could add details to the API specs about it, it would be great. :-)
Thank you in advance!
(*) If we except the fact that I do not own a smartphone and will not be able to even test my code!... Could we please get (at least on Aditi, for example) simple (plain text) email-based MFA so that viewer developers (I know that at least NiranV is in the same case as myself) can test the feature with their implementation without the need for a smartphone or any other third party device/application?
- Greetings Henri, thanks for your time and questions. Sorry I didn't get back to you sooner.
- I don't want to add these details to the API spec. These should be treated as implementation details, but for the purposes of sanity checking, you can inspect the mfa_hash value. The current implementation of the mfa_hash is the concatenation of an ISO-8601 timestamp (for expiration of this hash value) and a hex encoded HMAC-SHA-512 value as output by an RFC6238 implementation of TOTP, with a comma separating them. I think the timestamp can be up to 27 or so characters, and the hex HMAC-SHA-512 will be 64 characters so that adds up to 92 characters of text. Naturally this is subject to change if we add more authentication options beyond RFC6238 TOTP protocol.
- I believe our QA engineers have had some success using the PyOTP library for implementing an authenticator for testing without a closed smartphone application. I don't know the details myself, but I would recommend investigating that if it suits your needs.
- Hope this helps, Brad Linden (talk) 17:22, 17 February 2022 (PST)
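A structural sanity check for a stored mfa_hash following the layout Brad describes above (ISO-8601 expiry timestamp, a comma, a hex-encoded HMAC value), written as an added example in Python rather than the viewer's C++; it is not code from either viewer. The sample value, the function names and the optional expected_hex_len knob are my own assumptions, and no fixed digest length is hard-coded because Brad states the layout may change.

```python
import re
from datetime import datetime, timezone
from typing import Optional

# Constructed sample in the layout Brad describes: an ISO-8601 expiry
# timestamp, a comma, then the hex-encoded HMAC output. The hex digits
# are made up and are not a real digest.
SAMPLE_MFA_HASH = "2022-03-19T17:22:00.123456Z," + "ab" * 32

HEX_RE = re.compile(r"^[0-9a-fA-F]+$")

def parse_iso8601(ts: str) -> datetime:
    """Parse the expiry timestamp; a naive value is treated as UTC."""
    if ts.endswith("Z"):  # fromisoformat() only accepts 'Z' from 3.11 on
        ts = ts[:-1] + "+00:00"
    dt = datetime.fromisoformat(ts)
    return dt if dt.tzinfo is not None else dt.replace(tzinfo=timezone.utc)

def check_mfa_hash(value: str, now: Optional[datetime] = None,
                   expected_hex_len: Optional[int] = None) -> dict:
    """Structural sanity check for a decoded/deciphered mfa_hash.

    Only the layout is checked; the HMAC itself can only be validated by
    the login server. expected_hex_len is a hypothetical, optional knob
    because the digest layout is an implementation detail that may change.
    """
    result = {"ok": False, "reason": "", "expires": None, "digest_hex": ""}
    parts = value.split(",")
    if len(parts) != 2:
        result["reason"] = "expected exactly one comma separator"
        return result
    ts, digest_hex = parts
    try:
        result["expires"] = parse_iso8601(ts)
    except ValueError:
        result["reason"] = "timestamp is not ISO-8601"
        return result
    if not digest_hex or not HEX_RE.match(digest_hex):
        result["reason"] = "digest is not hex"
        return result
    if len(digest_hex) % 2 or (expected_hex_len and len(digest_hex) != expected_hex_len):
        result["reason"] = "digest length is wrong"
        return result
    result["digest_hex"] = digest_hex.lower()
    if result["expires"] <= (now or datetime.now(timezone.utc)):
        result["reason"] = "hash expired; discard it and re-prompt for MFA"
        return result
    result["ok"] = True
    return result
```

A value that fails any check should be discarded rather than sent, so that a corrupted per-account settings file simply causes a fresh MFA prompt.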