So let's talk about the time-based one-time password algorithm. Now, this is an open standard from the Internet Engineering Task Force to implement time-based one-time passwords, and they're time-based, not Internet-based. There's an important distinction here. So, two-factor authentication: why do we need it? Well, if a server is compromised and a hacker was able to compromise the passwords on that server, then they have your username, which is often your email address, so that's often easily guessed, and then they have a password, and then they can access your account. So we need a second token. It's nice if you want to go down the rabbit hole of having third tokens and things like that; you can get real creative. But generally speaking, we find that it's secure enough in 2017 to have two different passwords for most systems to access. For example, my Google account: I can't access my Google account with just my username and password. I need my username, my password, and my time-based algorithm. Now, this actually applies to lots of systems. Google's made it popular. They've had a free app called Google Authenticator, and I'll show you how that works here. But more importantly, this is a protocol, and it's supported very widely on the Internet. So there are a lot of big places that support it. A lot of the cloud providers have switched to it as well. And what's nice about it versus, let's say, text messages for a second factor: I've never been a fan of the way PayPal, for example, does this. With PayPal, they send you a text to verify the login. So if someone were to hijack my phone number without getting my phone, they would then have that text come to them. So that's not the best way to do it, and too many places support password reset off of that, which is kind of a pain. And it requires that your phone has service wherever you're at. I find myself in server rooms occasionally.
And if my cell service isn't working well, you don't get the text and you are thwarted on the login, which is kind of aggravating. So time-based authentication works completely off of first sharing a secret between the server and you in a secure way. And once that secret is shared, the other known factor is the time. Generally speaking, phones have fairly accurate time, plenty accurate enough for this type of system to work. Now, because of the accuracy of the phones and this system having roughly 30- to 90-second tokens that expire every 30 to 90 seconds, it works really, really well. And it works even if your phone or the device that you have TOTP set up on is offline. So as long as the time is within range, it'll work. So let's get into the details of actually how this works. So this is the Wikipedia page, and you can read through here; it kind of gives you an overview of it. You can get into the formulas and everything else if you want to. I'm going to go over that in a second, but not in full depth. I'm not a mathematician. I didn't write any of the code you're going to see here; I just followed some implementations off of a GitHub site. So the first thing we're going to do is generate a QR code, which is the easiest way to do it, because no one wants to key these numbers in. So we generate the QR code, and I'm holding in front of me the QR code printed, because you can print these out. And once the secret's been generated, if you ever want to get to it again, you don't have to keep it online. You can print these and put them in a safe, for example. And that's a nice offline way to keep all of the codes you set up, because with most of these sites, for security, once you generate the second factor and have it stored in your authenticator, if you lose that second factor, you also lose complete access to your account. That question comes up: I dropped my phone, I broke it, it had my Google second authenticator. How do I get back in?
Well, when you do it for Google, for example, and a lot of others, they give you what they call backup codes, like a one-time-use code that you're supposed to print and hold offline. People go, "I'll never lose my phone, so I'm not worried about it." You've lost the account, and at some of the places you're completely locked out. Sorry, time to start over. It's a pain. So make sure you come up with a method by which to back these up, which can be a little bit scary if you're backing them up online, because if it's online, someone can potentially get to it, depending on how secure the passwords are. But if you print them, what's the likelihood that someone will guess my username, guess my password, and know where I keep these, you know, in a safe somewhere hidden or in a safe deposit box? The likelihood of attack goes down dramatically. But do what you want with them; make sure you keep them. So let me show you actually how they work, though. So you'll notice I've got my camera behind me, so I'm going to show you screens off of the phone and how that gets the authentication method. All right. So I have the Google Authenticator app loaded on this phone. And what I'm going to do now is hit Begin, and we want to scan a barcode. Now I can actually enter the provided key as an option; I could key in the numbers that I have over on the screen there. That's kind of a pain in the butt, so QR codes are kind of the way to go with that. So we go scan a code, and instantly we now have rolling numbers on this phone to show you what the one-time key is. And if you can kind of see it, it's small, but there's a little countdown timer; every 30 seconds these numbers change again. So if someone were to look over my shoulder, shoulder surf, and see my phone and see those numbers, they don't have a lot of meaning to them, because in 30 seconds they're gone. So they don't last very long, and that makes them nice. They rotate, so there's not any man in the middle.
Now the only real methodology by which this could be broken, just so you know, and this is a problem still, is if they proxy a website. What that means is they pretend to be the website you're authenticating into, and you then provide them all the credentials. And at the same time, and they have to do this in real time, you've provided the credentials to a false website, and they then have to use it, because this code only lasts 30 seconds. This is one of the advantages of TOTP: there's not a lot of dwell time here, every 30 seconds. Now the way they implement this can vary a little bit. You can move back and forth, and some companies maybe go, "OK, we'll do a 60-second dwell." I think the standard allows up to a 90-second dwell for a code before it expires. But so you're only talking about 90 seconds in which they have to have your username, password, and this real rolling identity. So I can now take this piece of paper that I scanned and activated the code from and keep it safe somewhere, like I'd said. So we're done with that; it's on the phone. Now, Google Authenticator does not have any backups unless you root the phone and copy the database out. That's actually on purpose, to make it hard to get at, so someone couldn't, you know, hijack it off of your phone to gather the information. So let's talk a little bit about the protocol and how it works and other ways you can use it. So what we're going to do here is show you on this screen how it works. So I have a little totp.sh, and I'll run through how it works real quick. This is a time-based one-time password authenticator written in bash, really simple to use. And I'm going to walk just a little bit through the code here, and I'll link to the GitHub where you can get this. This is really slick. All you're doing, if you look through the code here, is taking the time, based on epoch time in Linux/Unix-based systems, starting from 1970, and creating a key based on that. So you take that key, the key that we have over on this page here.
So this key file here, JBSW... and everything else; I'm not going to spell it out. And then we're going to apply it here. So right here is the algorithm, really simple. The math is simple; I guess I would say simple as in it's not a whole lot for an authenticator. And this actually has other logic in it here. So then we take and run totp. And we just take that and paste in the JBSW key, and we get 480274 on the screen and 480274 on here, because they're in sync. It's really that simple for a second factor. So it's impressive. It's really almost arbitrary how easy it is to get working. And it's one of the reasons I really like this protocol, because even if this phone's offline and has no connection to the Internet, it still works. There is nothing going out to the Internet to figure this out. All I had to do is pass the shared key over to this bash script and it kicks out the authentication numbers. So the beauty of this protocol is that it's so simple. It's not something overly complicated. I know there are other companies that do a great job of two-factor, like Duo authentication, but they do push notifications, and that requires you to be online. And I've had that aggravation before when I wanted to log into something and there was no online availability. So I'm like, I need to log into this server so I can fix it to get it back online, but I lack the ability to authenticate. And that's where these come in, because this actually can be implemented even for SSH, for lots of different systems' logins. Because even if that system, for example, if you have it on your laptop and you need to get into something and you've locked down your computer, which is a great idea, if it doesn't have Internet access and they can't send out the push notifications to come back to your phone, you can see immediately where the problem comes in.
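The following is an added example, not the speaker's totp.sh script and not the code from the GitHub repository mentioned in the video. It shows the same computation the bash script performs (epoch time divided into 30-second steps, HMAC over that counter with the shared secret, dynamic truncation to six digits) as a standard-library Python module, plus the server-side check that explains the "dwell" discussed above: RFC 6238 leaves the accepted window to the validating server and recommends tolerating at most one extra time step, so a server that accepts the previous, current and next step takes a code from a 90-second span. The base32 secret `JBSWY3DPEHPK3PXP` is a constructed example key, not the key shown in the video, and the ASCII secret `12345678901234567890` is the RFC 6238 Appendix B test key.

```python
"""RFC 4226 HOTP and RFC 6238 TOTP in pure Python (standard library only, runs offline).

Added example; not the bash script from the video or the GitHub project it links to.
"""
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional


def decode_base32_secret(secret: str) -> bytes:
    """Decode the base32 secret printed under a QR code (the 'JBSW...' style key).

    Authenticator apps ignore case, spaces and missing '=' padding, so normalise
    the string before handing it to base64.b32decode, which is strict about both.
    """
    cleaned = secret.replace(" ", "").upper().rstrip("=")
    cleaned += "=" * (-len(cleaned) % 8)  # pad to a multiple of 8 characters
    return base64.b32decode(cleaned)


def hotp(key: bytes, counter: int, digits: int = 6, algorithm=hashlib.sha1) -> str:
    """RFC 4226: HMAC(key, 8-byte big-endian counter), dynamic truncation, mod 10^digits."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(key, msg, algorithm).digest()
    offset = digest[-1] & 0x0F                      # low nibble of the last byte
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)  # keep leading zeros


def totp(key: bytes, unix_time: Optional[int] = None, step: int = 30,
         digits: int = 6, algorithm=hashlib.sha1) -> str:
    """RFC 6238: the HOTP counter is the number of whole `step`-second intervals
    since the Unix epoch. Nothing here touches the network; only the clock matters."""
    if unix_time is None:
        unix_time = int(time.time())
    return hotp(key, unix_time // step, digits, algorithm)


def verify_totp(key: bytes, candidate: str, unix_time: int, window: int = 1,
                step: int = 30, digits: int = 6) -> bool:
    """Server-side check of a submitted code.

    `window` is the number of time steps tolerated on each side of the current one.
    With a 30 s step, window=1 accepts the previous, current and next codes, i.e. a
    90 s span; window=0 accepts only the current 30 s step. The comparison is
    constant-time so the check does not leak how many digits matched.
    """
    current = unix_time // step
    for counter in range(current - window, current + window + 1):
        if hmac.compare_digest(hotp(key, counter, digits), candidate):
            return True
    return False


if __name__ == "__main__":
    # Constructed example secret (base32 of b"Hello!\xde\xad\xbe\xef"), not the video's key.
    key = decode_base32_secret("JBSWY3DPEHPK3PXP")
    print("current code:", totp(key))
```

Run it with the same base32 string you would type into Google Authenticator and the printed code matches the phone as long as both clocks are within the server's window. The HOTP and TOTP functions are checked against the RFC 4226 and RFC 6238 test vectors, which is the quickest way to catch byte-order or truncation mistakes when porting this to another language.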
Or in the case when I had a down server that was using this over SSH, I could get into the server because I was attached to the local network, but the server couldn't get out to the Internet. Therefore the push notification couldn't be sent, and you can't just SSH in. So I had to physically go over to the server to log in. So the TOTP authentication protocol, one of my favorites. I wish everyone supported it. You know, I don't like this text message thing. Like, come on, eBay and PayPal, implement this. You can see how little code is needed to come up with these and how simplistic of a system it is, which is also why it works so well. As long as we know the time, we don't require some carrier in between to send data and have issues. You know, like I said, I do think Duo was a great idea, and other push systems I like for the simplicity, but I like this better because I don't need a third-party provider. Once these two things have been met, I have the codes, they're generated, and it works, you know, really, really well. So thanks for watching. If you'd like to, kind of hit like and subscribe. I just wanted to do this because a lot of people asked me questions about my Google Authenticator video, because, my fault, I did not go in depth maybe on how TOTP works. I wanted to make sure I made a video on that. So thanks for watching. Appreciate it.