Blog Articles
Google Authenticator integration with Spring Boot
Table of Contents
In today’s digital landscape, ensuring the security of user accounts is paramount. With the rise of cyber threats and data breaches, traditional username and password authentication mechanisms are proving to be increasingly vulnerable. One popular MFA method is Google Authenticator, a time-based one-time password (TOTP) generator that provides an additional level of security beyond just usernames and passwords.
What is MFA?
Multi-factor authentication (MFA) has become a crucial tool especially in financial software development and healthcare software development With the rise of custom financial software and software development for healthcare, the need for robust security measures has never been greater. MFA, commonly referred to as two-factor authentication (2FA), implements double security checks through your devices.
In MFA, users are required to provide multiple forms of authentication before gaining access to an account or system. Google Authenticator serves as one of these additional factors. It generates time-based one-time passwords (TOTPs) that are unique for each login attempt and expire after a short period of time.
Why is MFA Important?
The primary benefit of MFA is that it improves your organization’s security by requiring your users to identify themselves with more than just a username and password. While important, third parties can steal usernames and passwords and they are susceptible to brute force attacks. Enforcing the use of an MFA factor, such as a thumbprint or physical hardware key, increases confidence that your organization will be safe from cybercriminals.
How Does MFA work?
MFA works by requesting additional verification data (factors). One-time passwords are one of the most common MFA factors that users encounter. OTPs are those 4-8 digit codes that you frequently receive via email, SMS, or a mobile app. OTPs generate a new code at regular intervals or whenever an authentication request is submitted. The system generates the code using a seed value assigned to the user when they first register, as well as another factor, which could be anything from an incremental counter to a time value.
What is Google Authenticator?
Google Authenticator is an authenticator app developed by Google used to verify the identity of a user. The app is often used in conjunction with a password to strengthen user accounts from security attacks. It’s considered more secure than other additional authenticators such as SMS since it’s resistant to SIM swap attacks. It doesn’t require a cellular or Wifi network to use and setup can be as easy as a snapshot of a QR Code.
Setting Up Spring Boot Project with Google Authenticator:
Add Authenticator Dependency
In your Spring Boot project’s pom.xml file, add the Authenticator SDK dependency. You can find the latest version on the Authenticator Maven Repository.
Add this dependency to your project pom.xml file.
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 |
<dependency> <groupId>de.taimos</groupId> <artifactId>totp</artifactId> <version>1.0</version> </dependency> <dependency> <groupId>com.google.zxing</groupId> <artifactId>core</artifactId> <version>3.3.0</version> <scope>compile</scope> </dependency> <dependency> <groupId>com.google.zxing</groupId> <artifactId>javase</artifactId> <version>3.3.0</version> <scope>compile</scope> </dependency> |
Generate Secret Key
|
1 2 3 4 5 6 7 |
public static String generateSecretKey() { SecureRandom random = new SecureRandom(); byte[] bytes = new byte[20]; random.nextBytes(bytes); Base32 base32 = new Base32(); return base32.encodeToString(bytes); } |
Generate Authenticator QR
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 |
private static final String ENCODED_SPACE = "%20"; private static final String PLUS_SYMBOL = "+"; public static String generateAuthenticatorQR(email, secretKey, accountName) { try { String barCodeUrl = getGoogleAuthenticatorBarCode(secretKey, email, accountName); return createQRCode(barCodeUrl); } catch (Exception e) { System.out.println("Error while generating the Authenticator QR code " + e.getMessage()); } } private static String getGoogleAuthenticatorBarCode(String secretKey, String account, String issuer) { try { String utf8 = "UTF-8"; return "otpauth://totp/" + URLEncoder.encode(issuer + ":" + account, utf8).replace(PLUS_SYMBOL, ENCODED_SPACE) + "?secret=" + URLEncoder.encode(secretKey, utf8).replace(PLUS_SYMBOL, ENCODED_SPACE) + "&issuer=" + URLEncoder.encode(issuer, utf8).replace(PLUS_SYMBOL, ENCODED_SPACE); } catch (UnsupportedEncodingException e) { throw new IllegalStateException(e); } } public static String createQRCode(String barCodeData) { try{ String filePath = "QRCode.png"; int qrCodeImageHeight = 400; int qrCodeImageWidth = 400; BitMatrix matrix = new MultiFormatWriter().encode(barCodeData, BarcodeFormat.QR_CODE, qrCodeImageWidth, qrCodeImageHeight); FileOutputStream out = new FileOutputStream(filePath); MatrixToImageWriter.writeToStream(matrix, "png", out); File img = new File(filePath); byte[] imgBytes = FileUtils.readFileToByteArray(img); return "data:image/PNG;base64," + Base64.getEncoder().encodeToString(imgBytes); } catch (Exception e) { System.out.println("Error while creating the Authenticator QR code "+ e.getMessage()); } return "Failed to generate QR"; } |
To verify the TOTP
To verify the TOTP from google authenticator app need to pass secret Key generated in step 1
|
1 2 3 4 5 6 7 8 |
public static String getTOTPCode(String secretKey) { Base32 base32 = new Base32(); byte[] bytes = base32.decode(secretKey); String hexKey = Hex.encodeHexString(bytes); return TOTP.getOTP(hexKey); } |
Conclusion
In conclusion, MFA stands as a key in modern software development across various industries. From banking software development to medical software development and beyond, its adoption reflects a dynamic approach to cybersecurity in an increasingly linked digital landscape.
Two-factor authentication is an important step toward protecting your digital identity, credentials, and login information for personal and financial accounts. Google authenticator account details make it simple to configure and use two-factor authentication for all types of accounts.
To learn more about Google Authenticator and its capabilities, check out their Wikipedia page here.
For additional insightful articles and information on custom software development services, please reach out to us.
Get a Fast Estimate on Your Software Development Project
We are committed to delivering high-quality IT solutions tailored to meet the unique needs of our clients. As part of our commitment to transparency and excellence, we provide detailed project estimations to help our clients understand the scope, timeline, and budget associated with their IT initiatives.
Share
