Google Authenticator Soft Token Generator
Problem this snippet solves: iRule to generate Google Authenticator soft tokens for use with the Google Authenticator iRule For Two-Factor Auth With LDAP. Add to pool-less HTTP virtual server and ac...
Published Mar 17, 2015
Version 1.0
George_Watkins_
Historic F5 Account
Joined September 17, 2008
Simon_Waters_13
Mar 23, 2017
Cirrostratus
We were reviewing the code for this as we think:
    set secret [b64encode [md5 [expr rand()]]]
    set secret [string range $secret 0 9]
is suspect, as base 64 is 6 bits a character, and 10 lots of 6 bits is 60 bits, when Google Authenticator uses 80 bits of entropy (16 x base 32 = 80 bits), and the RFC recommends 160 bits as a minimum.
Not sure this undermines Google Authenticator quite, but it must make brute force and similar attacks at least a million times more feasible.
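Added example (not part of the original post or of the iRule): a Python rendering of the two quoted lines beside a CSPRNG-based alternative, showing that the truncated key still encodes to a normal-looking 16-character base32 string while its entropy is capped at 60 bits. It assumes the 10 characters are used directly as the key bytes; all function names are hypothetical.

```python
import base64
import hashlib
import math
import random
import secrets

B64_ALPHABET_SIZE = 64  # each base64 character carries log2(64) = 6 bits


def max_entropy_bits(alphabet_size: int, length: int) -> float:
    """Upper bound on the entropy of `length` symbols from an alphabet."""
    return length * math.log2(alphabet_size)


def weak_secret() -> bytes:
    """Python rendering of the quoted pattern: first 10 base64 characters of
    an MD5 digest of a non-cryptographic random float. Assumption: those 10
    ASCII characters are then used as the raw key bytes."""
    digest = hashlib.md5(repr(random.random()).encode()).digest()
    return base64.b64encode(digest)[:10]


def strong_secret(n_bytes: int = 20) -> bytes:
    """n_bytes taken straight from the OS CSPRNG; 20 bytes = 160 bits."""
    return secrets.token_bytes(n_bytes)


def to_authenticator_key(raw: bytes) -> str:
    """Base32 text form of the key, as entered into the authenticator app."""
    return base64.b32encode(raw).decode("ascii")


def describe(raw: bytes, entropy_bits: float) -> dict:
    """Summarise how long the key looks versus how much entropy it can hold."""
    key = to_authenticator_key(raw)
    return {"key_bytes": len(raw),
            "base32_chars": len(key.rstrip("=")),
            "max_entropy_bits": entropy_bits}


WEAK = describe(weak_secret(), max_entropy_bits(B64_ALPHABET_SIZE, 10))
STRONG = describe(strong_secret(), 8.0 * 20)

if __name__ == "__main__":
    print("weak  :", WEAK)    # 10 key bytes, 16 base32 chars, <= 60 bits
    print("strong:", STRONG)  # 20 key bytes, 32 base32 chars, 160 bits
    print("2^(80-60) =", 2 ** (80 - 60))
```

Because both a full 80-bit key and the truncated one encode to 16 base32 characters, the shortfall cannot be seen by inspecting the provisioned key; it has to be caught in the generator.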