🔐 OTP Generator - Multi-Factor Authentication System

Professional multi-factor authentication system supporting TOTP, HOTP, and Challenge-Response OTP protocols


📋 Problem Statement

In today's digital landscape, password-based authentication alone is insufficient to protect sensitive user accounts and enterprise systems from sophisticated cyber attacks, credential theft, and unauthorized access. Organizations face increasing regulatory requirements for multi-factor authentication (MFA) while users demand seamless security experiences. Traditional authentication methods lack flexibility, often requiring separate systems for different security levels and failing to provide appropriate protection for varying transaction risks.

There is a critical need for a comprehensive, standards-compliant authentication system that supports multiple OTP protocols—including TOTP (Time-based), HOTP (Counter-based), and Challenge-Response mechanisms—while maintaining ease of use, mobile compatibility, and enterprise-grade security. This project addresses these challenges by creating a production-ready authentication platform that implements RFC-compliant OTP generation, secure secret management with AES-256 encryption, JWT-based session handling, and an intuitive web interface, enabling organizations to deploy appropriate authentication strength based on transaction risk levels while providing users with a seamless multi-factor authentication experience.

🛠️ Implementation

Authentication Architecture

The system is built on Next.js 15 with TypeScript, implementing three distinct OTP protocols: TOTP (RFC 6238) for time-based authentication with 30-second windows, HOTP (RFC 4226) for counter-based generation, and Challenge-Response OTP for enterprise-level transaction security. The architecture uses the speakeasy library for RFC-compliant OTP generation, bcryptjs for password hashing, and jsonwebtoken for stateless authentication with HTTP-only cookies.
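The two RFC algorithms named above are small enough to show in full. The block below is an added example written for this page, not code from the project (which uses the speakeasy library): HOTP per RFC 4226 (HMAC-SHA1 over an 8-byte big-endian counter, dynamic truncation, modulo 10^digits) and TOTP per RFC 6238 (HOTP with the counter set to the 30-second time step), plus a constant-time verifier that tolerates one step of clock drift. The 20-byte ASCII secret "12345678901234567890" is the one from the RFC test vectors; the function names and the ±1 step tolerance are this example's choices.

```typescript
import { createHmac, timingSafeEqual } from "crypto";

// Dynamic truncation (RFC 4226 section 5.3): the low nibble of the last HMAC
// byte selects a 4-byte window, the sign bit is masked off, and the result is
// reduced modulo 10^digits and zero-padded.
function truncate(mac: Buffer, digits: number): string {
  const offset = mac[mac.length - 1] & 0x0f;
  const binary =
    ((mac[offset] & 0x7f) << 24) |
    ((mac[offset + 1] & 0xff) << 16) |
    ((mac[offset + 2] & 0xff) << 8) |
    (mac[offset + 3] & 0xff);
  return (binary % 10 ** digits).toString().padStart(digits, "0");
}

// HOTP (RFC 4226): HMAC-SHA1 keyed with the shared secret over the counter
// encoded as an 8-byte big-endian integer.
function hotp(secret: Buffer, counter: number, digits = 6): string {
  const msg = Buffer.alloc(8);
  msg.writeBigUInt64BE(BigInt(counter));
  const mac = createHmac("sha1", secret).update(msg).digest();
  return truncate(mac, digits);
}

// TOTP (RFC 6238): HOTP with counter = floor(unixTime / step); the page's
// configuration is 6 digits and a 30-second step.
function totp(secret: Buffer, unixTime: number, step = 30, digits = 6): string {
  return hotp(secret, Math.floor(unixTime / step), digits);
}

// Verification: compare in constant time against the current step and one
// step either side, which absorbs small clock skew between server and phone.
function verifyTotp(secret: Buffer, code: string, unixTime: number, step = 30, digits = 6): boolean {
  const given = Buffer.from(code, "utf8");
  for (const drift of [-1, 0, 1]) {
    const expected = Buffer.from(totp(secret, unixTime + drift * step, step, digits), "utf8");
    if (given.length === expected.length && timingSafeEqual(given, expected)) return true;
  }
  return false;
}

// RFC 4226 Appendix D / RFC 6238 Appendix B test secret (ASCII digits).
const RFC_TEST_SECRET = Buffer.from("12345678901234567890", "ascii");
```

Running `hotp(RFC_TEST_SECRET, 0)` yields the RFC's first vector, 755224, and `totp(RFC_TEST_SECRET, 59, 30, 8)` yields 94287082 from RFC 6238. Note that the verifier never compares strings with `===`: a timing-safe comparison is cheap and removes one avoidable side channel.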

Stack: Next.js 15, TypeScript, Tailwind CSS, JWT, AES-256

Security Implementation

The security layer implements AES-256 encryption for secret storage, ensuring OTP seeds are never stored in plaintext. User passwords undergo bcrypt hashing with automatic salt generation. The Challenge-Response system generates cryptographically random 8-character hex challenges with 5-minute expiration windows and single-use enforcement. JWT tokens are stored in HTTP-only cookies with the Secure flag, so a script injected through XSS cannot read the session token, while session state is still maintained.
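The challenge lifecycle described above (random 8-character hex challenge, 5-minute validity, single use, binding to a transaction) is shown end to end in the following added example. It is not the project's code; the `ChallengeStore` class, the injectable clock, and the response derivation (HMAC-SHA256 keyed with the user's OTP secret over challenge and transaction context, first 8 hex characters) are assumptions made for this example, since the page does not specify how the client computes its answer.

```typescript
import { randomBytes, createHmac, timingSafeEqual } from "crypto";

// Hypothetical record shape for one outstanding challenge.
interface ChallengeRecord {
  user: string;
  context: string;  // transaction detail the challenge is bound to
  issuedAt: number; // ms since epoch, taken from the injected clock
  used: boolean;
}

const CHALLENGE_TTL_MS = 5 * 60 * 1000; // 5-minute validity window
type VerifyResult = "ok" | "unknown" | "expired" | "used" | "mismatch";

// Assumed response derivation (not specified by the page): the client answers
// with the first 8 hex chars of HMAC-SHA256(secret, challenge | context).
function computeResponse(secret: Buffer, challenge: string, context: string): string {
  return createHmac("sha256", secret).update(`${challenge}|${context}`).digest("hex").slice(0, 8);
}

class ChallengeStore {
  private challenges = new Map<string, ChallengeRecord>();
  // The clock is injectable so expiry can be exercised without waiting 5 minutes.
  constructor(private now: () => number = () => Date.now()) {}

  // 4 random bytes -> 8 lowercase hex characters, as the page specifies.
  issue(user: string, context: string): string {
    const challenge = randomBytes(4).toString("hex");
    this.challenges.set(challenge, { user, context, issuedAt: this.now(), used: false });
    return challenge;
  }

  verify(user: string, challenge: string, response: string, secret: Buffer): VerifyResult {
    const rec = this.challenges.get(challenge);
    if (!rec || rec.user !== user) return "unknown";
    if (rec.used) return "used";
    if (this.now() - rec.issuedAt > CHALLENGE_TTL_MS) {
      this.challenges.delete(challenge);
      return "expired";
    }
    // Burn the challenge on first use whatever the outcome, so a wrong answer
    // cannot be retried against the same challenge (single-use enforcement).
    rec.used = true;
    // The expected answer is computed over the context stored at issue time,
    // which is what binds the answer to that specific transaction.
    const expected = Buffer.from(computeResponse(secret, challenge, rec.context), "utf8");
    const given = Buffer.from(response, "utf8");
    return given.length === expected.length && timingSafeEqual(given, expected) ? "ok" : "mismatch";
  }
}
```

The store keys on the challenge string itself, so a replayed answer hits the `used` branch, an answer computed over a different transaction context falls into `mismatch`, and anything presented after the window returns `expired` and is dropped. In a deployment the `Map` would live in a shared store rather than process memory, which the page's "extensible to MongoDB, PostgreSQL" note already anticipates.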

User Interface & API

The application features a modern, responsive interface built with Tailwind CSS, offering dedicated pages for registration, login, OTP verification, and challenge-response authentication. RESTful API endpoints handle user management, OTP generation/verification, challenge lifecycle management, and QR code generation for mobile authenticator apps. The system supports Google Authenticator, Microsoft Authenticator, Authy, and any TOTP/HOTP-compatible mobile application through standards-compliant QR code provisioning.

💡 Use of This Project

Enterprise Security

  • High-Value Transactions: Challenge-Response OTP for wire transfers, large purchases, and sensitive operations
  • Administrative Actions: Secure authentication for user management and system configuration
  • Compliance Requirements: Meet regulatory standards (PCI-DSS, SOC 2, HIPAA) with MFA implementation
  • API Authentication: HOTP-based authentication for critical operations and data exports
  • Zero Trust Security: Transaction-specific authentication with context-aware challenges

User Authentication

  • Daily Login Security: TOTP-based 2FA for regular user authentication with automatic refresh
  • Mobile App Integration: QR code provisioning for Google Authenticator and similar apps
  • Account Recovery: Secure fallback mechanisms with HOTP-based backup codes
  • Session Management: JWT-based stateless authentication with secure cookie handling

Development & Integration

  • RESTful API: Easy integration with existing systems via JSON endpoints
  • Standards Compliance: RFC 6238 (TOTP) and RFC 4226 (HOTP) implementations
  • Microservices Ready: Modular architecture for distributed systems
  • Custom Implementation: Extensible codebase for specific business requirements

📊 Results

  • 🎯 TOTP Authentication: 30 s time window, RFC 6238 compliant, auto-refresh enabled, mobile compatible
  • 🔢 HOTP Authentication: RFC 4226, counter-based, manual generation, no expiration, API ready
  • 🛡️ Challenge-Response: 5 min expiration window, single-use challenges, transaction-specific, maximum security
  • 🔐 Encryption: AES-256 secret storage, bcrypt hashing, JWT tokens, enterprise grade

System Achievements

  • Triple Protocol Support: TOTP, HOTP, and Challenge-Response authentication in one system
  • RFC Compliance: Standards-compliant implementation of RFC 6238 and RFC 4226
  • Enterprise Security: AES-256 encryption, bcrypt hashing, HTTP-only JWT cookies
  • Mobile Integration: QR code generation for Google Authenticator, Authy, Microsoft Authenticator
  • Modern Stack: Next.js 15, TypeScript, Tailwind CSS with App Router architecture
  • RESTful API: Complete endpoint suite for authentication, OTP, and challenge management
  • Production Ready: Comprehensive security features with password validation and rate limiting
  • User Experience: Intuitive UI with real-time OTP generation and verification

Security Features

  • Cryptographic Security: All OTP secrets encrypted with AES-256 before storage
  • Password Protection: bcrypt hashing with automatic salt generation and strength validation
  • Session Security: JWT tokens in HTTP-only cookies keep the session token out of reach of scripts injected via XSS
  • Challenge Uniqueness: Cryptographically random challenges with single-use enforcement
  • Time-Limited Access: Challenge-Response with 5-minute expiration windows
  • Replay Attack Prevention: Each challenge is unique and cannot be reused
  • Transaction Binding: Context-aware challenges include transaction-specific data
  • Mobile App Security: Standard TOTP/HOTP compatible with major authenticator apps
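The first item in this list, encrypting every OTP secret before storage, is the one piece of the security layer whose details matter most, so here is an added example of how a seed can be sealed at rest. It is not the project's code and the page does not say which AES mode it uses; this example assumes AES-256-GCM from Node's `crypto` module, a 32-byte master key held outside the user database, and the owning user id passed as additional authenticated data so an envelope copied into another user's record will not decrypt. The envelope layout (IV, then tag, then ciphertext, base64-encoded) is this example's own.

```typescript
import { createCipheriv, createDecipheriv, randomBytes } from "crypto";

const IV_LEN = 12;  // 96-bit nonce, the recommended size for GCM
const TAG_LEN = 16; // 128-bit authentication tag

// Seal an OTP seed under a 32-byte master key with AES-256-GCM. The user id is
// bound in as AAD, so the stored blob is only valid for that user's record.
// Assumed layout: iv || tag || ciphertext, base64-encoded for the database.
function sealSecret(seed: Buffer, masterKey: Buffer, userId: string): string {
  if (masterKey.length !== 32) throw new Error("AES-256 requires a 32-byte key");
  const iv = randomBytes(IV_LEN); // fresh per call; never reuse an IV under one key
  const cipher = createCipheriv("aes-256-gcm", masterKey, iv);
  cipher.setAAD(Buffer.from(userId, "utf8"));
  const ciphertext = Buffer.concat([cipher.update(seed), cipher.final()]);
  return Buffer.concat([iv, cipher.getAuthTag(), ciphertext]).toString("base64");
}

// Open an envelope; throws if the key, the user id, or any byte is wrong,
// because GCM authenticates the ciphertext and the AAD before releasing plaintext.
function openSecret(envelope: string, masterKey: Buffer, userId: string): Buffer {
  const blob = Buffer.from(envelope, "base64");
  if (blob.length < IV_LEN + TAG_LEN) throw new Error("envelope too short");
  const iv = blob.subarray(0, IV_LEN);
  const tag = blob.subarray(IV_LEN, IV_LEN + TAG_LEN);
  const ciphertext = blob.subarray(IV_LEN + TAG_LEN);
  const decipher = createDecipheriv("aes-256-gcm", masterKey, iv);
  decipher.setAAD(Buffer.from(userId, "utf8"));
  decipher.setAuthTag(tag);
  return Buffer.concat([decipher.update(ciphertext), decipher.final()]);
}

// Non-throwing variant for callers that only need to know whether the
// envelope is intact and belongs to this user.
function tryOpenSecret(envelope: string, masterKey: Buffer, userId: string): Buffer | null {
  try {
    return openSecret(envelope, masterKey, userId);
  } catch {
    return null;
  }
}

// Flip one ciphertext byte; used to demonstrate that tampering is detected.
function corruptEnvelope(envelope: string): string {
  const blob = Buffer.from(envelope, "base64");
  blob[blob.length - 1] ^= 0x01;
  return blob.toString("base64");
}
```

Two properties worth checking in any such layer: sealing the same seed twice must produce different envelopes (fresh IV), and a single flipped byte, a different user id, or a different key must all fail closed rather than return garbage plaintext.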

Technical Specifications

  • TOTP Configuration: 6-digit codes, 30-second windows, SHA-1 algorithm (RFC 6238)
  • HOTP Configuration: 6-digit codes, counter-based, SHA-1 algorithm (RFC 4226)
  • Challenge Format: 8-character hexadecimal strings, 5-minute validity, single-use
  • API Endpoints: 8+ RESTful endpoints for complete authentication lifecycle
  • Database: In-memory user management (extensible to MongoDB, PostgreSQL)
  • Deployment: Vercel-ready, Docker-compatible, environment-based configuration