Hacker News new | past | comments | ask | show | jobs | submit login

> it does state it supports "emergency scratch codes" as well as HOTP -- from looking at the code again, I think they are considered the same thing, and it appears if you enter a scratch code

No. HOTP and TOTP are treated separately. Both of which are separate from scratch codes.

HOTP can't "show the future" (well, you can generate multiple codes but it won't be useful for this) and have an order. Scratch codes are exactly N of them, and they're stored in ~/.google_authenticator and don't have an order. They're also twice as long because unlike the normal codes there's 8 (IIRC) valid ones, and they're ALL valid all the time. (until used)




Ah, indeed. There's a seperate function for HOTP:

https://github.com/google/google-authenticator/blob/3fb90bda...

And of course the switch statement that handles the core logic starts by checking scratch codes, and if that doesn't work, proceeds to check TOTP/HOTP:

https://github.com/google/google-authenticator/blob/3fb90bda...

I'm not a big fan of this style:

https://github.com/google/google-authenticator/blob/3fb90bda...

But at least there's a comment documenting the magic return code (#DEFINE VALID_SCRATCH_CODE = 0, or an enum, or basically anything else, anyone?):

/* Checks for possible use of scratch codes. Returns -1 on error, 0 on success, * and 1, if no scratch code had been entered, and subsequent tests should be * applied. */




Consider applying for YC's Spring batch! Applications are open till Feb 11.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: