Chapter 12. Plugins
159
12.4.15. One-Time Password Client
This plugin provides the ability to generate one-time passwords (OTPs) for authenti-
cation purposes. It implements an HMAC-based One-Time Password Algorithm (RFC
4226), and on targets which support it, a Time-based One-Time Password Algorithm
(RFC 6238).
Adding Accounts
The plugin supports two methods of adding accounts: URI import, and manual entry.
It is important to note that for TOTP (time-based) accounts to work properly, the
clock on your device MUST be accurate to no less than 30 seconds from the time on the
authentication server, and the correct time zone must be configured in the plugin. See
section
(page
) for more information.
URI Import
This method of adding an account reads a list of URIs from a file. It expects each URI
to be on a line by itself in the following format:
otpauth://[hotp OR totp]/[account name]?secret=[Base32 secret][&counter=X][&period=X][&digits=X]
An example is shown below, provisioning a TOTP key for an account called “bob”:
otpauth://totp/bob?secret=JBSWY3DPEHPK3PXP
Any other URI options are not supported and will be ignored.
Most services will provide a scannable QR code that encodes a OTP URI. In order to
use those, first scan the QR code separately and save the URI to a file on your device.
If necessary, rewrite the URI so it is in the format shown above. For example, GitHub’s
URI has a slash after the provider. In order for this URI to be properly parsed, you
must rewrite the account name so that it does not contain a slash.
Manual Import
If direct URI import is not possible, the plugin supports the manual entry of data
associated with an account. After you select the “Manual Entry” option, it will prompt
you for an account name. You may type anything you wish, but it should be memorable.
It will then prompt you for the Base32-encoded secret. Most services will provide this
to you directly, but some may only provide you with a QR code. In these cases, you
must scan the QR code separately, and then enter the string following the “secret=”
parameter on your Rockbox device manually.
On devices with a real-time clock, like yours, the plugin will ask whether the account
is a time-based account (TOTP). If you answer “yes” to this question, it will ask for
further information regarding the account.
Usually it is safe to accept the defaults
here.
However, if your device lacks a real-time clock, the plugin’s functionality will be
The Rockbox manual
(version 3.14)
Iaudio M5