OTP Class

Properties   Methods   Events   Config Settings   Errors  

The OTP class allows creation of single use passwords.

Class Name

IPWorksAuth_OTP

Procedural Interface

 ipworksauth_otp_open();
 ipworksauth_otp_close($res);
 ipworksauth_otp_register_callback($res, $id, $function);
 ipworksauth_otp_get_last_error($res);
 ipworksauth_otp_get_last_error_code($res);
 ipworksauth_otp_set($res, $id, $index, $value);
 ipworksauth_otp_get($res, $id, $index);
 ipworksauth_otp_do_config($res, $configurationstring);
 ipworksauth_otp_do_createpassword($res);
 ipworksauth_otp_do_reset($res);
 ipworksauth_otp_do_validatepassword($res);

Remarks

The OTP class implements the HOTP algorithm defined in RFC 4226 (HMAC-Based One-Time Password) and the TOTP algorithm defined in RFC 6238 (Time-Based One-Time Password). These types of passwords are commonly used as a second factor of authentication in multi-factor authentication scenarios.

To begin decide which algorithm you wish to use and set PasswordAlgorithm. Specify the shared secret in the Secret property.

Next, depending on the algorithm chosen you may set Counter (HOTP) or TimeStep (TOTP). If these properties are not set, the class will use a default value.

To create the password call CreatePassword. The Password property will be populated with the new password.

To validate a password set the Password property and call ValidatePassword. The method will return True or False to indicate success or failure.

Property List


The following is the full list of the properties of the class with short descriptions. Click on the links for further details.

CounterThe counter used for HMAC-Based One Time Password creation or validation.
PasswordThe HMAC-Based or Time-Based One Time Password.
PasswordAlgorithmThe algorithm used to create or validate the password.
SecretThe Base32 encoded shared secret used when creating and validating a password.
TimeStepThe time step (in seconds) used for Time-Based One Time Password creation or validation.
ValidityTimeThe validity time of the created password.

Method List


The following is the full list of the methods of the class with short descriptions. Click on the links for further details.

ConfigSets or retrieves a configuration setting.
CreatePasswordCreates a Time-Based or HMAC-Based One Time Password.
ResetReset the variables to default value.
ValidatePasswordValidates a Time-Based or HMAC-Based One Time Password.

Event List


The following is the full list of the events fired by the class with short descriptions. Click on the links for further details.

ErrorFired when information is available about errors during data delivery.

Config Settings


The following is a list of config settings for the class with short descriptions. Click on the links for further details.

CurrentTimeThe current time in milliseconds.
FuturePasswordsAcceptedThe number of future passwords to accept.
HashAlgorithmThe hash algorithm used to sign the password.
PasswordLengthThe length of the generated password.
PreviousPasswordsAcceptedThe number of previous passwords to accept.
QRCodeURIReturns a URI suitable for encoding as a QR code.
SecretLengthThe length of secret to generate.
ValidityTimeThe validity time of the created TOTP password.
BuildInfoInformation about the product's build.
CodePageThe system code page used for Unicode to Multibyte translations.
LicenseInfoInformation about the current license.
MaskSensitiveDataWhether sensitive data is masked in log messages.
ProcessIdleEventsWhether the class uses its internal event loop to process events when the main thread is idle.
SelectWaitMillisThe length of time in milliseconds the class will wait when DoEvents is called if there are no events to process.
UseFIPSCompliantAPITells the class whether or not to use FIPS certified APIs.
UseInternalSecurityAPIWhether or not to use the system security libraries or an internal implementation.

Counter Property (IPWorksAuth_OTP Class)

The counter used for HMAC-Based One Time Password creation or validation.

Object Oriented Interface

public function getCounter();
public function setCounter($value);

Procedural Interface

ipworksauth_otp_get($res, 1 );
ipworksauth_otp_set($res, 1, $value );

Default Value

0

Remarks

This property holds the counter value used for HMAC-Based One Time Password creation or validation. When PasswordAlgorithm is set to paHOTP this value must be specified before calling CreatePassword or ValidatePassword. The value should be incremented each time a password is created.

The default value is 0.

This property is not applicable when using the Time-Based One Time Password algorithm.

Data Type

Long64

Password Property (IPWorksAuth_OTP Class)

The HMAC-Based or Time-Based One Time Password.

Object Oriented Interface

public function getPassword();
public function setPassword($value);

Procedural Interface

ipworksauth_otp_get($res, 2 );
ipworksauth_otp_set($res, 2, $value );

Default Value

''

Remarks

This property holds the HMAC-Based or Time-Based One Time Password. This property is populated after calling CreatePassword. This property must be set before calling ValidatePassword.

Data Type

String

PasswordAlgorithm Property (IPWorksAuth_OTP Class)

The algorithm used to create or validate the password.

Object Oriented Interface

public function getPasswordAlgorithm();
public function setPasswordAlgorithm($value);

Procedural Interface

ipworksauth_otp_get($res, 3 );
ipworksauth_otp_set($res, 3, $value );

Default Value

0

Remarks

This property specifies whether to use the HMAC-Based or Time-Based One Time Password algorithm. Possible values are:

0 (paTOTP - default) Time-Based One Time Password Algorithm.
1 (paHOTP) HMAC-Based One Time Password Algorithm.

Data Type

Integer

Secret Property (IPWorksAuth_OTP Class)

The Base32 encoded shared secret used when creating and validating a password.

Object Oriented Interface

public function getSecret();
public function setSecret($value);

Procedural Interface

ipworksauth_otp_get($res, 4 );
ipworksauth_otp_set($res, 4, $value );

Default Value

''

Remarks

This property specifies the Base32 encoded shared secret used when creating and validating a password. This should be set before calling CreatePassword or ValidatePassword.

If this is not set before calling CreatePassword a random secret will be automatically generated. This functionality provides an easy way to create new secret values. The length of the secret is defined by SecretLength.

Data Type

String

TimeStep Property (IPWorksAuth_OTP Class)

The time step (in seconds) used for Time-Based One Time Password creation or validation.

Object Oriented Interface

public function getTimeStep();
public function setTimeStep($value);

Procedural Interface

ipworksauth_otp_get($res, 5 );
ipworksauth_otp_set($res, 5, $value );

Default Value

30

Remarks

This property specifies the time step (in seconds) used for Time-Based One Time Password creation or validation. When PasswordAlgorithm is set to paTOTP this value must be specified before calling CreatePassword or ValidatePassword.

The default value is 30.

This property is not applicable when using the HMAC-Based One Time Password algorithm.

Data Type

Integer

ValidityTime Property (IPWorksAuth_OTP Class)

The validity time of the created password.

Object Oriented Interface

public function getValidityTime();

Procedural Interface

ipworksauth_otp_get($res, 6 );

Default Value

0

Remarks

This property returns the remaining validity time in seconds of the created password. After calling CreatePassword this property may be queried to determine for how many more seconds the password will be valid. If the password is no longer valid this property returns 0.

This property is read-only.

Data Type

Integer

Config Method (IPWorksAuth_OTP Class)

Sets or retrieves a configuration setting.

Object Oriented Interface

public function doConfig($configurationstring);

Procedural Interface

ipworksauth_otp_do_config($res, $configurationstring);

Remarks

Config is a generic method available in every class. It is used to set and retrieve configuration settings for the class.

These settings are similar in functionality to properties, but they are rarely used. In order to avoid "polluting" the property namespace of the class, access to these internal properties is provided through the Config method.

To set a configuration setting named PROPERTY, you must call Config("PROPERTY=VALUE"), where VALUE is the value of the setting expressed as a string. For boolean values, use the strings "True", "False", "0", "1", "Yes", or "No" (case does not matter).

To read (query) the value of a configuration setting, you must call Config("PROPERTY"). The value will be returned as a string.

CreatePassword Method (IPWorksAuth_OTP Class)

Creates a Time-Based or HMAC-Based One Time Password.

Object Oriented Interface

public function doCreatePassword();

Procedural Interface

ipworksauth_otp_do_createpassword($res);

Remarks

This method creates either a Time-Based or HMAC-Based One Time Password. The PasswordAlgorithm property specifies which algorithm to use.

The following properties are applicable when calling CreatePassword.

Calling CreatePassword populates the Password property with the created password.

If Secret is not specified before calling this method a random secret will be automatically generated.

Reset Method (IPWorksAuth_OTP Class)

Reset the variables to default value.

Object Oriented Interface

public function doReset();

Procedural Interface

ipworksauth_otp_do_reset($res);

Remarks

This method will reset the variables to default value.

ValidatePassword Method (IPWorksAuth_OTP Class)

Validates a Time-Based or HMAC-Based One Time Password.

Object Oriented Interface

public function doValidatePassword();

Procedural Interface

ipworksauth_otp_do_validatepassword($res);

Remarks

This method validates a Time-Based or HMAC-Based One Time Password. The PasswordAlgorithm property specifies which algorithm to use.

The following properties are applicable when calling ValidatePassword.

The method will return True if the password is validated, False otherwise.

Error Event (IPWorksAuth_OTP Class)

Fired when information is available about errors during data delivery.

Object Oriented Interface

public function fireError($param);

Procedural Interface

ipworksauth_otp_register_callback($res, 1, array($this, 'fireError'));

Parameter List

 'errorcode'
'description'

Remarks

The Error event is fired in case of exceptional conditions during message processing. Normally the class fails with an error.

The ErrorCode parameter contains an error code, and the Description parameter contains a textual description of the error. For a list of valid error codes and their descriptions, please refer to the Error Codes section.

Config Settings (OTP Class)

The class accepts one or more of the following configuration settings. Configuration settings are similar in functionality to properties, but they are rarely used. In order to avoid "polluting" the property namespace of the class, access to these internal properties is provided through the Config method.

OTP Config Settings

CurrentTime:   The current time in milliseconds.

Specifies the current time Unix time in milliseconds (time since January 1 1970). Normally the component will query the system for the current time when creating or validating TOTP passwords. In the event that the system time is incorrect or cannot be retrieved you may set this value to the current time. This value will be reset to 0 after calling CreatePassword.

FuturePasswordsAccepted:   The number of future passwords to accept.

When set to a positive value, the class will accept passwords which are generated {FuturePasswordsAccepted} * TimeStep seconds in the future. The default value is 0.

HashAlgorithm:   The hash algorithm used to sign the password.

This setting specifies the hash algorithm used to sign the password. Possible values are:

  • SHA1 (default)
  • SHA256
  • SHA512
PasswordLength:   The length of the generated password.

This setting specifies the length of the generated password. Possible values are:

  • 6 (default)
  • 7
  • 8
PreviousPasswordsAccepted:   The number of previous passwords to accept.

When set to a positive value, the class will accept passwords which were generated {PreviousPasswordsAccepted} * TimeStep seconds in the past. The default value is 0.

QRCodeURI:   Returns a URI suitable for encoding as a QR code.

This setting provides a way to generate a URI which can be encoded into a QR code, suitable for using in any authenticator application. The URI format is well defined and is an easy way to transfer the secret key and other relevant parameters.

To use this setting first set Secret to a valid value, then execute code like:

string MyQRCodeURI = component.Config("QRCodeURI=MyServiceName:account@company.com");

In the above example the MyServiceName value is the issuer. This is typically used in authenticator applications to identify the service to which the account belongs. The account@company.com value is the account name and identifies the specific account with which the key is associated. The use of an issuer is not required but is recommended. An account name is required.

The return value from this operation is a URI in one of the following formats:

//TOTP
otpauth://totp/MyServiceName:account@company.com?secret=JBSWY3DPEHPK3PXP&digits=6&period=30

//HOTP
otpauth://hotp/MyServiceName:account@company.com?secret=JBSWY3DPEHPK3PXP&digits=6&counter=0

The following values are applicable when using this setting:

SecretLength:   The length of secret to generate.

When Secret is empty and CreatePassword is called a random secret value will be generated. This setting determines the length of the randomly generated secret. The default value is 32.

ValidityTime:   The validity time of the created TOTP password.

This setting returns the remaining validity time in seconds of the created TOTP password. After calling CreatePassword this setting may be queried to determine for how many more seconds the password will be valid. If the password is no longer valid this setting returns 0. This is not applicable to HOTP passwords.

Base Config Settings

BuildInfo:   Information about the product's build.

When queried, this setting will return a string containing information about the product's build.

CodePage:   The system code page used for Unicode to Multibyte translations.

The default code page is Unicode UTF-8 (65001).

The following is a list of valid code page identifiers:

IdentifierName
037IBM EBCDIC - U.S./Canada
437OEM - United States
500IBM EBCDIC - International
708Arabic - ASMO 708
709Arabic - ASMO 449+, BCON V4
710Arabic - Transparent Arabic
720Arabic - Transparent ASMO
737OEM - Greek (formerly 437G)
775OEM - Baltic
850OEM - Multilingual Latin I
852OEM - Latin II
855OEM - Cyrillic (primarily Russian)
857OEM - Turkish
858OEM - Multilingual Latin I + Euro symbol
860OEM - Portuguese
861OEM - Icelandic
862OEM - Hebrew
863OEM - Canadian-French
864OEM - Arabic
865OEM - Nordic
866OEM - Russian
869OEM - Modern Greek
870IBM EBCDIC - Multilingual/ROECE (Latin-2)
874ANSI/OEM - Thai (same as 28605, ISO 8859-15)
875IBM EBCDIC - Modern Greek
932ANSI/OEM - Japanese, Shift-JIS
936ANSI/OEM - Simplified Chinese (PRC, Singapore)
949ANSI/OEM - Korean (Unified Hangul Code)
950ANSI/OEM - Traditional Chinese (Taiwan; Hong Kong SAR, PRC)
1026IBM EBCDIC - Turkish (Latin-5)
1047IBM EBCDIC - Latin 1/Open System
1140IBM EBCDIC - U.S./Canada (037 + Euro symbol)
1141IBM EBCDIC - Germany (20273 + Euro symbol)
1142IBM EBCDIC - Denmark/Norway (20277 + Euro symbol)
1143IBM EBCDIC - Finland/Sweden (20278 + Euro symbol)
1144IBM EBCDIC - Italy (20280 + Euro symbol)
1145IBM EBCDIC - Latin America/Spain (20284 + Euro symbol)
1146IBM EBCDIC - United Kingdom (20285 + Euro symbol)
1147IBM EBCDIC - France (20297 + Euro symbol)
1148IBM EBCDIC - International (500 + Euro symbol)
1149IBM EBCDIC - Icelandic (20871 + Euro symbol)
1200Unicode UCS-2 Little-Endian (BMP of ISO 10646)
1201Unicode UCS-2 Big-Endian
1250ANSI - Central European
1251ANSI - Cyrillic
1252ANSI - Latin I
1253ANSI - Greek
1254ANSI - Turkish
1255ANSI - Hebrew
1256ANSI - Arabic
1257ANSI - Baltic
1258ANSI/OEM - Vietnamese
1361Korean (Johab)
10000MAC - Roman
10001MAC - Japanese
10002MAC - Traditional Chinese (Big5)
10003MAC - Korean
10004MAC - Arabic
10005MAC - Hebrew
10006MAC - Greek I
10007MAC - Cyrillic
10008MAC - Simplified Chinese (GB 2312)
10010MAC - Romania
10017MAC - Ukraine
10021MAC - Thai
10029MAC - Latin II
10079MAC - Icelandic
10081MAC - Turkish
10082MAC - Croatia
12000Unicode UCS-4 Little-Endian
12001Unicode UCS-4 Big-Endian
20000CNS - Taiwan
20001TCA - Taiwan
20002Eten - Taiwan
20003IBM5550 - Taiwan
20004TeleText - Taiwan
20005Wang - Taiwan
20105IA5 IRV International Alphabet No. 5 (7-bit)
20106IA5 German (7-bit)
20107IA5 Swedish (7-bit)
20108IA5 Norwegian (7-bit)
20127US-ASCII (7-bit)
20261T.61
20269ISO 6937 Non-Spacing Accent
20273IBM EBCDIC - Germany
20277IBM EBCDIC - Denmark/Norway
20278IBM EBCDIC - Finland/Sweden
20280IBM EBCDIC - Italy
20284IBM EBCDIC - Latin America/Spain
20285IBM EBCDIC - United Kingdom
20290IBM EBCDIC - Japanese Katakana Extended
20297IBM EBCDIC - France
20420IBM EBCDIC - Arabic
20423IBM EBCDIC - Greek
20424IBM EBCDIC - Hebrew
20833IBM EBCDIC - Korean Extended
20838IBM EBCDIC - Thai
20866Russian - KOI8-R
20871IBM EBCDIC - Icelandic
20880IBM EBCDIC - Cyrillic (Russian)
20905IBM EBCDIC - Turkish
20924IBM EBCDIC - Latin-1/Open System (1047 + Euro symbol)
20932JIS X 0208-1990 & 0121-1990
20936Simplified Chinese (GB2312)
21025IBM EBCDIC - Cyrillic (Serbian, Bulgarian)
21027Extended Alpha Lowercase
21866Ukrainian (KOI8-U)
28591ISO 8859-1 Latin I
28592ISO 8859-2 Central Europe
28593ISO 8859-3 Latin 3
28594ISO 8859-4 Baltic
28595ISO 8859-5 Cyrillic
28596ISO 8859-6 Arabic
28597ISO 8859-7 Greek
28598ISO 8859-8 Hebrew
28599ISO 8859-9 Latin 5
28605ISO 8859-15 Latin 9
29001Europa 3
38598ISO 8859-8 Hebrew
50220ISO 2022 Japanese with no halfwidth Katakana
50221ISO 2022 Japanese with halfwidth Katakana
50222ISO 2022 Japanese JIS X 0201-1989
50225ISO 2022 Korean
50227ISO 2022 Simplified Chinese
50229ISO 2022 Traditional Chinese
50930Japanese (Katakana) Extended
50931US/Canada and Japanese
50933Korean Extended and Korean
50935Simplified Chinese Extended and Simplified Chinese
50936Simplified Chinese
50937US/Canada and Traditional Chinese
50939Japanese (Latin) Extended and Japanese
51932EUC - Japanese
51936EUC - Simplified Chinese
51949EUC - Korean
51950EUC - Traditional Chinese
52936HZ-GB2312 Simplified Chinese
54936Windows XP: GB18030 Simplified Chinese (4 Byte)
57002ISCII Devanagari
57003ISCII Bengali
57004ISCII Tamil
57005ISCII Telugu
57006ISCII Assamese
57007ISCII Oriya
57008ISCII Kannada
57009ISCII Malayalam
57010ISCII Gujarati
57011ISCII Punjabi
65000Unicode UTF-7
65001Unicode UTF-8
The following is a list of valid code page identifiers for Mac OS only:
IdentifierName
1ASCII
2NEXTSTEP
3JapaneseEUC
4UTF8
5ISOLatin1
6Symbol
7NonLossyASCII
8ShiftJIS
9ISOLatin2
10Unicode
11WindowsCP1251
12WindowsCP1252
13WindowsCP1253
14WindowsCP1254
15WindowsCP1250
21ISO2022JP
30MacOSRoman
10UTF16String
0x90000100UTF16BigEndian
0x94000100UTF16LittleEndian
0x8c000100UTF32String
0x98000100UTF32BigEndian
0x9c000100UTF32LittleEndian
65536Proprietary

LicenseInfo:   Information about the current license.

When queried, this setting will return a string containing information about the license this instance of a class is using. It will return the following information:

  • Product: The product the license is for.
  • Product Key: The key the license was generated from.
  • License Source: Where the license was found (e.g., RuntimeLicense, License File).
  • License Type: The type of license installed (e.g., Royalty Free, Single Server).
  • Last Valid Build: The last valid build number for which the license will work.
MaskSensitiveData:   Whether sensitive data is masked in log messages.

In certain circumstances it may be beneficial to mask sensitive data, like passwords, in log messages. Set this to true to mask sensitive data. The default is true.

This setting only works on these classes: AS3Receiver, AS3Sender, Atom, Client(3DS), FTP, FTPServer, IMAP, OFTPClient, SSHClient, SCP, Server(3DS), Sexec, SFTP, SFTPServer, SSHServer, TCPClient, TCPServer.

ProcessIdleEvents:   Whether the class uses its internal event loop to process events when the main thread is idle.

If set to False, the class will not fire internal idle events. Set this to False to use the class in a background thread on Mac OS. By default, this setting is True.

SelectWaitMillis:   The length of time in milliseconds the class will wait when DoEvents is called if there are no events to process.

If there are no events to process when DoEvents is called, the class will wait for the amount of time specified here before returning. The default value is 20.

UseFIPSCompliantAPI:   Tells the class whether or not to use FIPS certified APIs.

When set to true, the class will utilize the underlying operating system's certified APIs. Java editions, regardless of OS, utilize Bouncy Castle Federal Information Processing Standards (FIPS), while all other Windows editions make use of Microsoft security libraries.

FIPS mode can be enabled by setting the UseFIPSCompliantAPI configuration setting to true. This is a static setting that applies to all instances of all classes of the toolkit within the process. It is recommended to enable or disable this setting once before the component has been used to establish a connection. Enabling FIPS while an instance of the component is active and connected may result in unexpected behavior.

For more details, please see the FIPS 140-2 Compliance article.

Note: This setting is applicable only on Windows.

Note: Enabling FIPS compliance requires a special license; please contact sales@nsoftware.com for details.

UseInternalSecurityAPI:   Whether or not to use the system security libraries or an internal implementation.

When set to false, the class will use the system security libraries by default to perform cryptographic functions where applicable.

Setting this configuration setting to true tells the class to use the internal implementation instead of using the system security libraries.

On Windows, this setting is set to false by default. On Linux/macOS, this setting is set to true by default.

To use the system security libraries for Linux, OpenSSL support must be enabled. For more information on how to enable OpenSSL, please refer to the OpenSSL Notes section.

Trappable Errors (OTP Class)

OTP Errors

114   Can't create password.
115   Can't validate password.