3.90.1. AuthSelect

AuthSelect is the SQL query that fetches a user's TOTP token data from the SQL database. It is expected to return the fields that describe the token, in the order listed below. Fields are referred to by their position in the result row, starting at 0.
The following field is mandatory:
  • Field 0 (secret) is the hex-encoded secret key for the token.
The following fields are optional:
  • If field 1 (active) is defined, it must be 1 or another true value, otherwise the authentication is rejected. Empty and 0 are false.
  • Field 2 (pin) is the user's static PIN. It is checked if the user specifies a static password or if Require2Factor is not set to disabled.
  • Field 3 (digits) is the number of digits in the user's TOTP code. If NULL, the value of DefaultDigits is used.
  • Field 4 (bad_logins) counts the number of consecutive authentication failures. If defined, it is used to detect brute force attacks and must be updated by UpdateQuery.
  • Field 5 (last_time_accessed) is the Unix timestamp of the last authentication attempt. It is used to detect brute force attacks.
  • Field 6 (last_timestep) is the last TOTP time step that was validated. It should be updated automatically by UpdateQuery, so that a code is never accepted twice.
  • Optional field 7 (algorithm) is the HMAC hash algorithm. It defaults to SHA-1 if the value is NULL, empty or unknown. Possible values are SHA1, SHA256 and SHA512.
  • Optional field 8 (timestep) is the user's time step in seconds. It defaults to the TimeStep configuration parameter if the value is 0 or NULL.
  • Optional field 9 (timestep_origin) is the Unix epoch time of the first time step. It defaults to the TimeStepOrigin configuration parameter if the value is NULL.
The current username is available as %0. It is SQL quoted when used in AuthSelect and passed unmodified when used with AuthSelectParam.
The default query works with the sample database schema provided in goodies/totp.sql. The default is:
select secret, active, pin, digits, bad_logins, unix_timestamp(accessed),
last_timestep from totpkeys where username=%0
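The following Python program is an added illustration of how the fields above are interpreted; it is example code written for this page, not Radiator's own implementation. It builds a constructed SQLite table whose column order follows the field order 0 to 9, runs an AuthSelect-shaped query with the username bound as a parameter, applies the documented defaulting rules, verifies the code with RFC 6238 TOTP over the chosen hash, and then maintains bad_logins, accessed and last_timestep the way an UpdateQuery is expected to. The values chosen for DefaultDigits, TimeStep and TimeStepOrigin, the lockout threshold and window (MAX_BAD_LOGINS, LOCKOUT_SECONDS), and treating a NULL active column as "not defined" are assumptions; the static PIN (field 2) is fetched but not checked.

```python
import hashlib
import hmac
import sqlite3
import struct

# Assumed values for the configuration parameters the text names, plus two
# hypothetical lockout settings for the bad_logins / accessed check.
DEFAULT_DIGITS = 6        # DefaultDigits
DEFAULT_TIMESTEP = 30     # TimeStep
DEFAULT_ORIGIN = 0        # TimeStepOrigin
MAX_BAD_LOGINS = 5        # hypothetical: refuse after this many consecutive failures ...
LOCKOUT_SECONDS = 300     # hypothetical: ... until this long after the last attempt

# Constructed schema: column order follows AuthSelect fields 0..9.
# This is not the goodies/totp.sql schema that ships with Radiator.
SCHEMA = """
create table totpkeys (
  username text primary key,
  secret text not null,    -- field 0: hex-encoded key
  active integer,          -- field 1
  pin text,                -- field 2
  digits integer,          -- field 3
  bad_logins integer,      -- field 4
  accessed integer,        -- field 5: unix timestamp of last attempt
  last_timestep integer,   -- field 6
  algorithm text,          -- field 7
  timestep integer,        -- field 8
  timestep_origin integer  -- field 9
)"""

# SQLite form of the default query: SQLite has no unix_timestamp(), so the
# timestamp is stored as an integer. The username is a bound parameter, as with
# AuthSelectParam; with %0 in AuthSelect the server SQL-quotes it instead.
AUTH_SELECT = """select secret, active, pin, digits, bad_logins, accessed,
last_timestep, algorithm, timestep, timestep_origin from totpkeys where username=?"""

# RFC 6238 reference keys ("12345678901234567890" and its longer variants), hex-encoded.
SHA1_KEY = "3132333435363738393031323334353637383930"
SHA256_KEY = SHA1_KEY + "313233343536373839303132"
SHA512_KEY = "31323334353637383930" * 6 + "31323334"

# Constructed rows exercising the defaulting and rejection rules.
SAMPLE_ROWS = [
    ("alice", SHA1_KEY, 1, None, None, 0, 0, 0, None, 0, None),          # optional fields all defaulted
    ("bob", SHA256_KEY, 1, None, 6, 0, 0, 0, "SHA256", 30, 0),
    ("carol", SHA512_KEY, 1, None, 6, 0, 0, 0, "SHA512", 30, 0),
    ("dave", SHA1_KEY, 0, None, 6, 0, 0, 0, "SHA1", 30, 0),              # active=0: rejected
    ("erin", SHA1_KEY, 1, None, 6, MAX_BAD_LOGINS, 30, 0, "SHA1", 30, 0),  # recent failures: locked out
    ("frank", SHA1_KEY, "yes", None, 6, 0, 0, 0, "md5", 30, 0),          # unknown algorithm -> SHA1
]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    conn.executemany("insert into totpkeys values (?,?,?,?,?,?,?,?,?,?,?)", SAMPLE_ROWS)
    return conn


def is_true(value):
    """Perl-style truth for the active field: undef, '', '0' and 0 are false."""
    return value not in (None, "", "0", 0)


def effective_params(row):
    """Apply the documented defaulting rules to one AuthSelect row."""
    secret, active, pin, digits, bad_logins, accessed, last_timestep, algorithm, timestep, origin = row
    return {
        "secret": bytes.fromhex(secret),
        "active": active,
        "pin": pin,
        "digits": DEFAULT_DIGITS if digits is None else int(digits),
        "bad_logins": bad_logins,
        "accessed": accessed,
        "last_timestep": last_timestep,
        "algorithm": algorithm if algorithm in ("SHA1", "SHA256", "SHA512") else "SHA1",
        "timestep": DEFAULT_TIMESTEP if not timestep else int(timestep),
        "origin": DEFAULT_ORIGIN if origin is None else int(origin),
    }


def hotp(secret, counter, algorithm, digits):
    """RFC 4226 dynamic truncation of HMAC-<algorithm>(secret, counter)."""
    digestmod = {"SHA1": hashlib.sha1, "SHA256": hashlib.sha256, "SHA512": hashlib.sha512}[algorithm]
    mac = hmac.new(secret, struct.pack(">Q", counter), digestmod).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def authenticate(conn, username, code, now):
    """Check one TOTP code per the field rules, then maintain fields 4-6 as an
    UpdateQuery would. Returns (accepted, reason)."""
    row = conn.execute(AUTH_SELECT, (username,)).fetchone()
    if row is None:
        return False, "unknown user"
    p = effective_params(row)
    step = (now - p["origin"]) // p["timestep"]
    ok, reason = True, "ok"
    if p["active"] is not None and not is_true(p["active"]):
        ok, reason = False, "inactive"
    elif (p["bad_logins"] is not None and p["accessed"] is not None
          and p["bad_logins"] >= MAX_BAD_LOGINS and now - p["accessed"] < LOCKOUT_SECONDS):
        ok, reason = False, "locked out"
    elif p["last_timestep"] is not None and step <= p["last_timestep"]:
        ok, reason = False, "timestep already used"   # a code is accepted at most once
    elif not hmac.compare_digest(hotp(p["secret"], step, p["algorithm"], p["digits"]).encode(), code.encode()):
        ok, reason = False, "bad code"
    if ok:   # success: reset the failure counter and record the consumed time step
        conn.execute("update totpkeys set bad_logins=0, accessed=?, last_timestep=? where username=?",
                     (now, step, username))
    else:    # failure: count it and remember when it happened
        conn.execute("update totpkeys set bad_logins=bad_logins+1, accessed=? where username=?",
                     (now, username))
    return ok, reason


if __name__ == "__main__":
    db = make_db()
    for user, otp in [("alice", "287082"), ("alice", "287082"), ("bob", "119246"), ("dave", "287082")]:
        print(user, otp, authenticate(db, user, otp, now=59))
```

Because the sample secrets are the RFC 6238 reference keys, at time 59 alice's SHA-1 code is 287082, bob's SHA-256 code is 119246 and carol's SHA-512 code is 693936. A second submission of alice's code within the same time step is refused because the update advanced last_timestep, which is the reason the text requires UpdateQuery to maintain field 6.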