You probably use an “authenticator app” such as Google Authenticator to enable two-step verification (sometimes called two-factor authentication, 2FA, or multi-factor authentication, MFA) for an online account. The method is called Time-Based One-Time Password Algorithm (TOTP) and is standardized in RFC 6238. In October 2017 when I evaluated HashiCorp Vault for generating and storing TOTP secrets for a system at work I realized that the Android version and iOS version of Google Authenticator differed a lot when it comes to which modes are supported.

TL;DR: This post has a lot of details. Skip to the Summary if you know the challenge and are here just for the solution. Door icon made by Freepik from www.flaticon.com is licensed by CC 3.0 BY. Between Christmas and New Year’s I attended the 35th Chaos Communication Congress (CCC), 35C3, in Leipzig, Germany, together with Malmö based Xil hackerspace. It was my third congress (in a row). Since 2012 there has been a Capture The Flag (CTF) competition at congress.

Inpired by Hackeriet’s blog where Alexander Kjäll use to post CTF write-ups, I’ve decided to create a personal one for myself. Focus will be on IT security. Hackeriet’s blog is powered by Jekyll which is a static site generator written in Ruby. See their post Creating a fast blog for how they set up their blog. I have decided to try another static site generator called Hugo, which is written in Go.