Initiative for Open Authentication
[[Category:Authentication]]
{{Related articles start}}
{{Related|U2F}}
{{Related|Data-at-rest encryption}}
{{Related|Google Authenticator}}
{{Related|identity management}}
{{Related|Yubikey}}
{{Related|pam_oath}}
{{Related|pass}}
{{Related articles end}}

The [[Wikipedia:Initiative for Open Authentication|Initiative for Open Authentication]] (OATH) is an industry-wide collaboration to develop an open reference architecture using open standards to promote the adoption of strong authentication. It publishes the standards that Google Authenticator and other common two-factor applications use.

== Installation ==

The following packages can be used to generate, transfer, and validate OATH credentials:

* {{Pkg|oath-toolkit}} - Takes credentials and generates codes. Includes a PAM module for user authentication.
* {{Pkg|libpam-google-authenticator}} - Offers a client program {{ic|google-authenticator}} for generating new credentials and a PAM module for user authentication. See [[Google Authenticator]].
* {{Pkg|pass-otp}} - Adds OATH support to {{Pkg|pass}}.
* {{Pkg|zbar}} - Decodes QR codes.
* {{Pkg|qrencode}} - Encodes QR codes.

== Standards ==

OATH has created two standards of significance to an Arch user, both based on a Base32-encoded shared secret of arbitrary length:

; HOTP: HMAC (Hash-based message authentication code) One-time Password ([[Wikipedia:HMAC-based_One-time_Password_algorithm|HOTP]]). Every time a password is generated, a counter is incremented. The counter value is run through an HMAC keyed with the shared secret, and the result is truncated to a 6-10 digit code. The authenticating party does the same, except that it increments its counter only when a code is successfully authenticated. To handle desynchronization of the counter, the authenticating party can also check several (30-100) additional values beyond its current counter state.
; TOTP: Time-based One-time Password ([[Wikipedia:Time-based_One-time_Password_algorithm|TOTP]]), which works much like HOTP except that it uses the current time, divided into fixed-length steps, instead of a counter. This solves the desynchronization problem and eliminates the possibility of an adversary recording OTPs for use later, since a recorded code expires with its time step.

== URI credential format ==

Credentials are usually shared in a QR-encoded [https://github.com/google/google-authenticator/wiki/Key-Uri-Format URI format]. All fields must be URI-encoded strings:

 otpauth://TYPE/LABEL?PARAMETERS

{{warning|A URI-formatted credential, and any QR code generated from it, contains all information required to generate valid one-time passwords. Protect it as you would any other password.}}

; TYPE: {{ic|totp}} or {{ic|hotp}}
; LABEL: Identifies which account a key is associated with, optionally prefixed with an issuer string. Example: {{ic|Arch%20Wiki:alice@archlinux.org}}
; PARAMETERS: Take the standard URI parameter format - {{ic|1=?name=value&name=value...}}
* {{ic|secret}} - Required; this is the Base32 shared secret.
* {{ic|issuer}} - Indicates the provider or service the account is associated with. If this is absent, the issuer prefix of the label will be used. If both are present, they should be equal.
* {{ic|algorithm}} - {{ic|SHA1}} by default. Can also be {{ic|SHA256}} or {{ic|SHA512}}.
* {{ic|digits}} - How long passcodes should be. Default is 6, can be 8.
* {{ic|counter}} - Required if using HOTP. Initial counter value.
* {{ic|period}} - Optional if using TOTP. Sets how long a code is valid, 30 seconds by default.

Here is an example:

 otpauth://totp/Example%20Company:alice@google.com?secret=JBSWY3DPEHPK3PXP&issuer=Example%20Company

The parts of that URI map onto the fields above as follows:

{| class="wikitable"
! type !! issuer prefix !! account !! secret !! issuer
|-
| {{ic|totp}} || {{ic|Example%20Company}} || {{ic|alice@google.com}} || {{ic|JBSWY3DPEHPK3PXP}} || {{ic|Example%20Company}}
|-
| || colspan="2" | label || colspan="2" | parameters
|}

== Tips and Tricks ==

=== Decode QR codes ===

This can be accomplished with tools from {{Pkg|zbar}}.
Decode a PNG file:

 $ zbarimg my_qr_code.png --quiet --raw

Decode images from a camera:

 $ zbarcam /dev/video0

=== Create QR codes ===

The {{Pkg|qrencode}} package is useful here.

Encode a URI and save it as a PNG:

 $ qrencode -o my_code.png 'MY_URI'

Encode a URI and print the QR code to the terminal:

 $ qrencode -t ansiutf8 'MY_URI'

=== Generate keys ===

To generate your own key in the proper format, you can use something like the following:

 $ head -c 16 /dev/urandom | base32 --wrap 0

=== Generate OTPs from the command line ===

Install {{Pkg|oath-toolkit}}.

 $ oathtool --base32 --totp KEY

Note that a secret passed on the command line like this is recorded in the shell history and is visible to other local users in process listings while the command runs.

Many password managers, including [[pass]] and [[KeePass]], also offer support for generating these codes.

=== Linux user authentication with PAM ===

See either [[pam_oath]] or [[Google Authenticator]].

== See also ==

* [https://openauthentication.org/specifications-technical-resources/ Standard specifications]
* [https://github.com/google/google-authenticator/wiki/Key-Uri-Format URI format reference]
* [https://rootprojects.org/authenticator/ QR code tester] - Do not enter actual credentials here.
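The following is an added example, not code from the ArchWiki page, oath-toolkit or Google Authenticator. It ties together the two technical parts of the article: it parses and validates an {{ic|otpauth://}} URI exactly as the URI credential format section describes (type, label with optional issuer prefix, required {{ic|secret}}, {{ic|issuer}} consistency, {{ic|algorithm}}, {{ic|digits}}, {{ic|counter}} and {{ic|period}}), and it implements HOTP (RFC 4226) and TOTP (RFC 6238) as described in the Standards section, including the validator-side look-ahead window that resynchronises a drifted HOTP counter. The example URI and secret are the page's own demo values; the {{ic|generate_secret}} helper mirrors the {{ic|head -c 16 /dev/urandom | base32}} recipe. Function names and the {{ic|OtpCredential}} class are this example's own choices.

```python
# Added example: otpauth:// URI parsing plus HOTP/TOTP generation and verification.
# Not part of the ArchWiki page or of any OATH implementation it mentions.
import base64
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Optional
from urllib.parse import parse_qs, unquote, urlparse

# Example URI from the page. The secret is the well-known demo value, not a real credential.
EXAMPLE_URI = ("otpauth://totp/Example%20Company:alice@google.com"
               "?secret=JBSWY3DPEHPK3PXP&issuer=Example%20Company")

# URI algorithm names -> hashlib names accepted by hmac.new()
ALGORITHMS = {"SHA1": "sha1", "SHA256": "sha256", "SHA512": "sha512"}


def decode_base32_secret(text: str) -> bytes:
    """Base32 secrets in URIs are usually unpadded; restore the padding before decoding."""
    cleaned = text.strip().replace(" ", "").upper()
    return base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))


def generate_secret(nbytes: int = 16) -> str:
    """Fresh random secret as unpadded Base32 (the `head -c 16 /dev/urandom | base32` recipe)."""
    return base64.b32encode(secrets.token_bytes(nbytes)).decode().rstrip("=")


def hotp(secret: bytes, counter: int, digits: int = 6, algorithm: str = "SHA1") -> str:
    """RFC 4226: HMAC(secret, 8-byte big-endian counter), dynamic truncation, mod 10^digits."""
    mac = hmac.new(secret, counter.to_bytes(8, "big"), ALGORITHMS[algorithm]).digest()
    offset = mac[-1] & 0x0F                           # low nibble of the last byte selects the window
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)     # keep leading zeros


def totp(secret: bytes, at: int, digits: int = 6, period: int = 30, algorithm: str = "SHA1") -> str:
    """RFC 6238: HOTP with the counter replaced by the number of elapsed time steps."""
    return hotp(secret, at // period, digits, algorithm)


def verify_hotp(secret: bytes, code: str, counter: int, window: int = 30,
                digits: int = 6, algorithm: str = "SHA1") -> Optional[int]:
    """Validator side: accept a code up to `window` counter values ahead (resynchronisation).
    Returns the counter value to store next on success, None on failure."""
    for candidate in range(counter, counter + window + 1):
        if hmac.compare_digest(hotp(secret, candidate, digits, algorithm), code):
            return candidate + 1
    return None


@dataclass
class OtpCredential:
    otp_type: str
    issuer: Optional[str]
    account: str
    secret: bytes
    algorithm: str
    digits: int
    period: int
    counter: Optional[int]

    def code(self, at: Optional[int] = None) -> str:
        """Current code. For HOTP this uses the stored counter; the caller increments it."""
        if self.otp_type == "hotp":
            return hotp(self.secret, self.counter, self.digits, self.algorithm)
        now = int(time.time()) if at is None else at
        return totp(self.secret, now, self.digits, self.period, self.algorithm)


def parse_otpauth(uri: str) -> OtpCredential:
    """Parse and validate an otpauth:// URI following the Key URI format rules."""
    parts = urlparse(uri)
    if parts.scheme != "otpauth":
        raise ValueError("not an otpauth URI")
    otp_type = parts.netloc.lower()
    if otp_type not in ("totp", "hotp"):
        raise ValueError(f"unknown type {otp_type!r}")
    label = unquote(parts.path.lstrip("/"))
    if ":" in label:
        prefix, account = (s.strip() for s in label.split(":", 1))
    else:
        prefix, account = None, label
    params = {k: v[-1] for k, v in parse_qs(parts.query).items()}  # parse_qs already unquotes
    if "secret" not in params:
        raise ValueError("secret parameter is required")
    issuer = params.get("issuer", prefix)
    if prefix is not None and "issuer" in params and issuer != prefix:
        raise ValueError("issuer parameter and label prefix disagree")
    algorithm = params.get("algorithm", "SHA1").upper()
    if algorithm not in ALGORITHMS:
        raise ValueError(f"unsupported algorithm {algorithm}")
    digits = int(params.get("digits", 6))
    if digits not in (6, 8):
        raise ValueError("digits must be 6 or 8")
    counter = int(params["counter"]) if "counter" in params else None
    if otp_type == "hotp" and counter is None:
        raise ValueError("counter is required for hotp")
    return OtpCredential(otp_type, issuer, account, decode_base32_secret(params["secret"]),
                         algorithm, digits, int(params.get("period", 30)), counter)


if __name__ == "__main__":
    cred = parse_otpauth(EXAMPLE_URI)
    print(cred.issuer, cred.account, cred.code())
```

The HOTP and TOTP functions reproduce the RFC 4226 and RFC 6238 test vectors (secret {{ic|12345678901234567890}}), so the output can be cross-checked against {{ic|oathtool}}. {{ic|verify_hotp}} is the validator-side counterpart of the look-ahead the Standards section mentions: it returns the next counter to persist, and the stored counter must only advance on success so a replayed code is rejected.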