Proof of concept
Validation of TOTP codes:
/**
* Checks if a given code is valid for a given key, allowing for a certain amount of time drift
*
* @param string $key The share secret key to use.
* @param string $authcode The code to test.
*
* @return bool Whether the code is valid within the time frame
*/
private function _is_valid_authcode( $key, $authcode ) {
/**
* Filter the maximum ticks to allow when checking valid codes.
*
* Ticks are the allowed offset from the correct time in 30 second increments,
* so the default of 4 allows codes that are two minutes to either side of server time
*
* @param int $max_ticks Max ticks of time correction to allow. Default 4.
*/
$max_ticks = apply_filters( 'two-factor-totp-time-step-allowance', self::DEFAULT_TIME_STEP_ALLOWANCE );
// Array of all ticks to allow, sorted using absolute value to test closest match first.
$ticks = range( - $max_ticks, $max_ticks );
usort( $ticks, array( $this, 'abssort' ) );
$time = time() / self::DEFAULT_TIME_STEP_SEC;
foreach ( $ticks as $offset ) {
$log_time = $time + $offset;
if ( $this->calc_totp( $key, $log_time ) === $authcode ) {
return true;
}
}
return false;
}
Leave a Reply