The challenge code could just be a code that is calculated using a hash of trader party, your account name, a hash of all items in "give", a hash of all items in "get", and date/time when the trade request was created. To generate a QR code for this purpose, generate the URI with generateQrCodeUrl() and then encode it using the QR code library of your choice. The trade that empties your inventory has a code like 289472. Even if I enter the even trade in my authenticator and then enter the confirmation code on the phishing site, the trade would fail, because when your phishing site tries to use the response code calculated out of 327892 with the empty-inv-trade that is generated using 289472, on Valve's server, the challenge code 289472 wouldn't calculate to the same TOTP code that the even trade does, whose response code was inputted for. With many authenticator apps, users can quickly add new TOTP secrets by scanning a QR code that represents a Google Authenticator-compatible key URI. TOTP code from Google Authenticator if (user. When you show the trade that looks even, the code is like 327892. The strategy requires a callback to verify a username and password and a callback to set up the TOTP generator. Once that is done and the app is registered on Google Authenticator, the user has to verify the code shown in the app on the backend. E.g., on the trade there is a code you need to enter in the authenticator (using standardized OCRA - OATH Challenge Response Algorithm), and then you get a response that you have to enter in the trade window. The user scans the QR code using the Google Authenticator app. PPS supports TOTP authentication by using the Google Authenticator algorithm for. Satoru: That could be prevented by having a challenge-response. Google Authenticator is one such implementation of the TOTP algorithm.