User adds a new TOTP secret to their open2fa client:
I65VU7K5ZQL7WB4E
User generates a TOTP code from their open2fa client:
123456
Remote Synchronization and 2FA Code Generation (optional)
User is assigned a UUID when initializing the remote capabilities of the open2fa client:
692a3e6b-4bd4-400b-aa2b-8261695b5ffb
A sha256 hash of the UUID is generated:
7f3bdb296509426c9ce9ec543e70c4200231af1247b1e22052a346c4e7901c45
The 32 bytes of this hash are split into two parts and used for the following purposes:
The first 16 bytes of the hash are used for user identification; when encoded into base58 this is the Open2FA ID:
GiG4Xz1tmTnG3CVh38raYX
This is used to identify the user to the server during API requests, as well as for authentication when generating a TOTP code from the web UI.
The remaining 16 bytes of the hash are used for encryption of the TOTP secret when stored on the remote server:
GiRVCWuSBPaVM7xfER9h6
This should never be shared with the server. If using the web UI, a user must provide this value to enable decryption, but it is never sent to the server; any decryption happens exclusively on the client side. This is the major reason the frontend JavaScript has been kept as simple as possible.
The TOTP secret is encrypted using the last 16 bytes of the UUID hash:
692a3e6b4bd4400baa2b8261695b5ffb
User identifies themselves to the server by sending a base58 encoded version of the first 16 bytes of the UUID hash:
GiG4Xz1tmTnG3CVh3raYX
Server shares the ENCRYPTED TOTP secrets matching the Open2FA ID provided by the user:
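The whole remote-sync flow above (UUID, SHA-256, 16/16 split, base58 Open2FA ID, client-side encryption, server lookup by ID) as an added, self-contained example. This is not open2fa's own code. It assumes: the UUID is hashed as its canonical hyphenated ASCII string (the page does not say whether the string or the raw 16 bytes are hashed); base58 uses the Bitcoin alphabet; and, because the page does not name the cipher, encryption is a standard-library-only encrypt-then-MAC stand-in (HMAC-SHA256 keystream plus HMAC tag, with separate sub-keys derived from the 16-byte local key). A production client would use a standard AEAD such as AES-GCM in its place. `SyncServer` is a stand-in for the remote server and exists only to show that the server stores nothing but Open2FA IDs and ciphertext. The sample UUID and TOTP secret are the ones from the walkthrough above.

```python
import hashlib
import hmac
import os

# Bitcoin-style base58 alphabet (assumption: the page does not name the alphabet).
B58_ALPHABET = b"123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def base58_encode(data: bytes) -> str:
    """Encode bytes as base58; leading zero bytes become leading '1' characters."""
    n = int.from_bytes(data, "big")
    out = bytearray()
    while n:
        n, rem = divmod(n, 58)
        out.append(B58_ALPHABET[rem])
    pad = len(data) - len(data.lstrip(b"\x00"))
    return (B58_ALPHABET[:1] * pad + out[::-1]).decode()


def base58_decode(text: str) -> bytes:
    """Inverse of base58_encode; raises ValueError on characters outside the alphabet."""
    n = 0
    for ch in text.encode():
        n = n * 58 + B58_ALPHABET.index(ch)
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    pad = len(text) - len(text.lstrip("1"))
    return b"\x00" * pad + raw


def derive_halves(user_uuid: str) -> tuple:
    """SHA-256 the UUID and split the 32-byte digest: first half identifies the
    user, second half encrypts. Assumption: the canonical UUID string is hashed."""
    digest = hashlib.sha256(user_uuid.encode("ascii")).digest()
    return digest[:16], digest[16:]


def open2fa_id(user_uuid: str) -> str:
    """The value the client sends to the server: base58 of the first 16 bytes."""
    return base58_encode(derive_halves(user_uuid)[0])


def local_key(user_uuid: str) -> bytes:
    """The value that never leaves the client: the remaining 16 bytes."""
    return derive_halves(user_uuid)[1]


# Encryption stand-in (assumption: the page does not state the cipher).
# Encrypt-then-MAC with separate enc/mac sub-keys; use a real AEAD in production.
def _subkeys(key: bytes) -> tuple:
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt_secret(key: bytes, secret: str, nonce: bytes = b"") -> bytes:
    """Returns nonce || ciphertext || tag; a fresh random nonce is used unless given."""
    enc_key, mac_key = _subkeys(key)
    nonce = nonce or os.urandom(16)
    pt = secret.encode("ascii")
    ct = bytes(p ^ k for p, k in zip(pt, _keystream(enc_key, nonce, len(pt))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt_secret(key: bytes, blob: bytes) -> str:
    """Verifies the tag before decrypting; a wrong key or tampering raises ValueError."""
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("authentication failed: wrong key or tampered ciphertext")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct)))).decode("ascii")


class SyncServer:
    """Stand-in remote server: it only ever holds Open2FA IDs and ciphertext blobs."""
    def __init__(self) -> None:
        self._store = {}

    def upload(self, o2fa_id: str, blob: bytes) -> None:
        self._store.setdefault(o2fa_id, []).append(blob)

    def fetch(self, o2fa_id: str) -> list:
        return list(self._store.get(o2fa_id, []))


def sync_roundtrip(user_uuid: str, secret: str, server: SyncServer) -> str:
    """Client uploads an encrypted secret, then fetches it by ID and decrypts locally."""
    server.upload(open2fa_id(user_uuid), encrypt_secret(local_key(user_uuid), secret))
    return decrypt_secret(local_key(user_uuid), server.fetch(open2fa_id(user_uuid))[-1])


if __name__ == "__main__":
    uid = "692a3e6b-4bd4-400b-aa2b-8261695b5ffb"  # sample UUID from the walkthrough
    print("Open2FA ID :", open2fa_id(uid))
    print("local key  :", local_key(uid).hex())
    print("roundtrip  :", sync_roundtrip(uid, "I65VU7K5ZQL7WB4E", SyncServer()))
```

The check worth keeping from this is the last one in `sync_roundtrip`: everything the server receives is derived from `open2fa_id` and `encrypt_secret` only, so `local_key` is never an argument on the upload path, and a wrong or missing local half fails the tag check rather than silently producing garbage.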