TOTP Validator

Validate TOTP codes against a shared secret with configurable time window.

1. Enter Secret: Base32 secret.
2. Enter Code: TOTP code.
3. Validate: Check code.

What Is TOTP Validator?

A TOTP Validator is a tool that checks the validity of Time-Based One-Time Password (TOTP) codes against a shared secret key. It is commonly used by developers and security professionals to test and debug two-factor authentication (2FA) systems, particularly when implementing TOTP verification or OTP validation. One specific problem it solves is clock skew between the client and server, which can cause valid codes to be rejected because the two sides disagree slightly about the current time.

This issue is addressed by checking not only the current time window but also the adjacent windows within a specified tolerance, allowing for minor clock deviations. What sets this tool apart is that it generates the expected TOTP codes itself, using HMAC-SHA1 via the Web Crypto API, compares them with the user-entered code, and reports whether they match and, if so, at what time offset.

The tool also provides adjustable period and digit settings, so the validation can be matched to the parameters of the generator under test. Because all processing happens client-side, the shared secret never leaves the browser, making the tool a practical TOTP checker for validating 2FA codes in a range of authentication testing scenarios.

Why Use TOTP Validator?

  • Configurable time window
  • Reports time offset
  • Standard parameters
  • 100% client-side

Common Use Cases

2FA Testing

Test implementations.

Troubleshooting

Debug rejected codes.

Migration

Verify secrets.

Audit

Test config.

Technical Guide

The tool works by generating the expected Time-Based One-Time Password (TOTP) codes for a given time step using the HMAC-based One-Time Password algorithm defined in RFC 4226. It uses the Web Crypto API to compute the HMAC-SHA1 of a counter value, which is derived from the current time and the configured period (the number of whole periods elapsed since the Unix epoch). The secret key used for this computation is first decoded from Base32 to a binary array by a custom function, b32Dec, which strips whitespace and equals signs and then maps each remaining character to its 5-bit index in the Base32 alphabet.

This binary array is then imported into the Web Crypto API as a raw key and used to sign the counter value. The resulting signature is truncated according to the dynamic truncation method specified in RFC 4226: the low 4 bits of the last byte select an offset, the 4 bytes starting at that offset are read as a big-endian integer with its top bit cleared, and that integer is reduced modulo 10 raised to the power of the number of digits, which yields the final TOTP code.

The tool checks for validity by generating codes for time steps from T-window to T+window, where window is a user-specified tolerance period, allowing it to account for clock skew between the client and server. For example, with a window of 1, it generates codes for three time steps: T-1, T, and T+1, corresponding to 30 seconds before, at, and after the current time step.

The genTOTP function implements the code generation, while React state holds the user input: secret key, period, digits, and window size. When the validate button is clicked, the validate function iterates over each offset in the specified window, calls genTOTP for that offset, and checks whether the result matches the provided code.

In terms of data structures, the tool uses Uint8Array to represent binary arrays such as secret keys and signatures. It also utilizes React state management to store user input in JavaScript objects, which are then used to generate TOTP codes and perform validation.

The use of specific technologies like React for building the user interface, Web Crypto API for cryptographic operations, and TypeScript for static type checking ensures that the tool is both secure and maintainable. Additionally, adherence to standards such as RFC 4226 guarantees interoperability with other systems implementing Time-Based One-Time Passwords.

This approach enables developers and security professionals to easily test and debug two-factor authentication systems without compromising sensitive information like shared secret keys. The client-side processing ensures that the validation process remains secure even when used over an insecure network connection.

The dynamic truncation method specified in RFC 4226 allows for flexible code generation, making it suitable for various applications where Time-Based One-Time Passwords are required. By using established algorithms and technologies, this tool simplifies the development of two-factor authentication systems while maintaining a high level of security.

Tips & Best Practices

  1. Use Base32 secrets only; attempting to use another format will throw an error.
  2. Set the period to match your TOTP generator's setting, typically 30 seconds.
  3. Adjust the window size to account for potential clock skew between devices.
  4. Enter codes exactly as generated, with no extra spaces or characters.
  5. Verify that the digits and period settings are configured correctly before validating a code.

Frequently Asked Questions

Q: Is the TOTP validator free?
A: Yes.

Q: What does the window parameter do?
A: Checks adjacent periods.

Q: Is my secret safe?
A: Yes.

Q: What does a non-zero offset mean?
A: Clock drift, still valid.

Q: Can I use a custom period?
A: Yes.

About This Tool

TOTP Validator is a free online tool by FreeToolkit.ai. All processing happens directly in your browser — your data never leaves your device. No registration or installation required.