A fast and easy-to-use time-based one-time password (TOTP) authentication package for your Flutter application. It is compatible with Google Authenticator, 1Password, LastPass, Microsoft Authenticator and various other authenticator apps.

Auth TOTP Banner

Get Started

Create Secret Key

🔑 This method generates a random secret key, which is used to create verify codes from authentication apps.

String secret = AuthTOTP.createSecret(
    length: 16,
    autoPadding: true,
    secretKeyStyle: SecretKeyStyle.upperLowerCase
);

//output :  xHu6 nh7I D8uI s9B1

  • length : The length of the secret to generate. Must be between 16 and 255, Default is 32.

  • autoPadding : If true, it will create a secret with a letter by 4 sections, Default is false.

  • secretKeyStyle : SecretKeyStyle is used to set the case of the secret key. Default is upperCase.

    • enum SecretKeyStyle
      • upperCase : Secret key will be upper case
      • lowerCase : Secret key will be lower case
      • upperLowerCase : Secret key will be upper and lower both case

This method accepts a single parameter to specify the length of the secret key. By default, it generates a 32-character secret key. The length limit is between 16 to 255 characters.

Verify TOTP Code

✔️ This method verifies a Time-based One-Time Password (TOTP) code using the secret key and the TOTP code generated by your authenticator app.

Use this method after the user has scanned a QR code or entered the secret key into the authentication app. The same secret key generated by createSecret and the TOTP code generated by the authenticator app should be passed here to verify.

bool checkOTP = AuthTOTP.verifyCode(
    secretKey: "secret_key_here",
    totpCode: "totp_code_here_by_user",
    interval: 30,
    digits: 6
);
  • secretKey: A secret key generate by createSecret method
  • totpCode: The TOTP code entered by the user.
  • interval: Time interval in seconds, default is 30
  • digits: Length of the TOTP code (6 or 8), default is 6

It will return true if code is correct, otherwise false.

Generate TOTP Code

🚀 This method generates a TOTP code based on the secret key and the time interval. The time interval is specified in seconds.

String generatedTOTPCode = AuthTOTP.generateTOTPCode(
    secretKey: 'secret_key_here',
    interval: 30,
    digits: 6
);
  • secretKey: A secret key generate by createSecret method
  • interval: Time interval in seconds, ex. 30
  • digits: Length of the TOTP code (6 or 8), default is 6

As well as you can use this method to verify TOTP code also.

Example Code:-

String generatedTOTPCode = AuthTOTP.generateTOTPCode(
    secretKey: 'secret_key_here',
    interval: 30
);

String inputedOTP = "otp_inputed_by_user";

if(generatedTOTPCode === inputedOTP){
    print("Verified")
} else {
    print("Not Verified")
}

Get QR Code to Scan

Warning

Privacy Recommendation: We highly recommend using the Offline QR Code Generation (see Advanced Features below) instead of this URL method. getQRCodeUrl relies on a third-party API (api.qrserver.com), which means the secret key is sent over the internet. Generating it offline is much safer.

📸 This method returns a QR code URL to scan with your authenticator app. It can be used in Image.Network()

String qrCodeUrl =  AuthTOTP.getQRCodeUrl(
    appName: "your app name",
    secretKey: "secret_key_here",
    issuer: "auth_totp",
    digits: 6
);

//Image.Network(qrCodeUrl);
  • appName: App name, or any text
  • secretKey: A secret key generate by createSecret method
  • issuer: Issuer name, default is auth_totp
  • digits: Length of the TOTP code (6 or 8), default is 6

Advanced Features

1. SHA-256 and SHA-512 Support

By default, this package uses the standard sha1 algorithm. However, you can change it to sha256 or sha512 for higher security if your authenticator supports it:

String code = AuthTOTP.generateTOTPCode(
    secretKey: 'secret_key_here',
    interval: 30,
    algorithm: OTPAlgorithm.sha256
);

2. HOTP (Counter-Based OTP) Support

In addition to Time-based OTPs, we also support HMAC-based One-Time Passwords (RFC 4226).

String hotpCode = AuthTOTP.generateHOTPCode(
    secretKey: 'secret_key_here',
    counter: 1 // Increases with every generation/verification
);
bool isValid = AuthTOTP.verifyHOTPCode(
    secretKey: 'secret_key_here',
    hotpCode: '123456',
    counter: 1
);

3. Backup / Recovery Codes

You can generate a list of secure, formatted backup codes (e.g. AAAA-BBBB) for your users:

// Generates 10 recovery codes by default
List<String> recoveryCodes = AuthTOTP.generateRecoveryCodes(count: 10, length: 10);
// output: ['Y5T8-2N9L', 'M9P1-3X4C', ...]

4. Parse otpauth:// URIs

If you're building a scanner app or need to extract parameters from a URI:

OTPAuthURI uri = AuthTOTP.parseURI('otpauth://totp/MyApp?secret=JBSWY3DPEHPK3PXP');
print(uri.secret); // JBSWY3DPEHPK3PXP

5. Offline QR Code Generation (Privacy-Focused)

Instead of sending the secret key to an external API (api.qrserver.com), you can safely generate a local QR code matrix utilizing the qr package completely offline.

import 'package:qr/qr.dart';

QrCode matrix = AuthTOTP.generateQRMatrix(
    appName: "your app name",
    secretKey: "secret_key_here",
    issuer: "auth_totp"
);
// You can then draw this matrix to the canvas in your Flutter app!

Tested Authenticator Services

🔐

Logo Service Name Status
Google Authenticator
1Password
LastPass
Microsoft Authenticator

Absolutely, it works with all authenticator apps. But feel free to contribute if you have tested it with any other authenticator app.

Full Example

👉 For a complete example, refer to the Auth TOTP package documentation.

Report bugs or issues

🐛 You are welcome to open a ticket on github if any 🐞 problems arise. New ideas are always welcome.

Copyright © 2024 Rohit Chouhan. Licensed under the MIT LICENSE

Libraries

auth_totp