AuthSelect is an SQL query that fetches TOTP token data from the SQL database. AuthSelect is expected to return a number of fields that describe the token.

The following fields are mandatory:
- Field 0 is the HEX encoded secret key for the token.

The following fields are optional:
- If field 1 (active) is defined, it must be 1 or another true value, else the authentication is rejected. Empty and 0 are false.
- Field 2 (pin) is the user's static PIN. It will be checked if the user specifies a static password or if Require2Factor is not set to disabled.
- Field 3 (digits) is the number of digits in the user's TOTP code. If NULL, the value of DefaultDigits is used.
- Field 4 (bad_logins) counts the number of consecutive authentication failures. If defined, it will be used to detect brute force attacks and must be updated by UpdateQuery.
- Field 5 (last_time_accessed) is the Unix timestamp of the last authentication attempt. It is used to detect brute force attacks.
- Field 6 is the last TOTP timestep validated, which should be updated automatically by UpdateQuery.
- Optional field 7 (algorithm) is the SHA algorithm, which defaults to SHA-1 if the value is NULL or empty or has an unknown value. Possible values are SHA1, SHA256 and SHA512.
- Optional field 8 (timestep) is the user's time step, which defaults to the TimeStep configuration parameter if the value is 0 or NULL.
- Optional field 9 (timestep_origin) is the Unix epoch time of the first time step, which defaults to the TimeStepOrigin configuration parameter if the value is NULL.

The current username is available as %0, which is SQL quoted when used in AuthSelect and unmodified when used with AuthSelectParam.

The default works with the sample database schema provided in goodies/totp.sql. The default is:
select secret, active, pin, digits, bad_logins, unix_timestamp(accessed),
last_timestep from totpkeys where username=%0
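As an added example (not the module's own code), the following Python applies the field rules above to one AuthSelect result row, derives the RFC 6238 code for the current time step, and refuses a time step at or before field 6 so an already-used code cannot be replayed. The values in CONFIG and the sample rows are assumptions, not the module's defaults.

```python
import hmac
import hashlib
import struct

# Values for the configuration parameters named in the documentation;
# the numbers here are assumptions, not the module's defaults.
CONFIG = {"DefaultDigits": 6, "TimeStep": 30, "TimeStepOrigin": 0}
ALGORITHMS = {"SHA1": hashlib.sha1, "SHA256": hashlib.sha256, "SHA512": hashlib.sha512}


def parse_row(row, config=CONFIG):
    """Apply the documented field rules to one AuthSelect result row (fields 1..9
    may be absent or NULL). Returns None when field 1 marks the token inactive."""
    f = list(row) + [None] * (10 - len(row))
    if f[0] is None:
        raise ValueError("field 0 (hex secret) is mandatory")
    # field 1: when defined it must be true; empty and 0 are false
    if f[1] is not None and str(f[1]).strip() in ("", "0"):
        return None
    # field 7: SHA-1 unless a known algorithm name is given
    algo = ALGORITHMS.get(str(f[7] or "").strip().upper(), hashlib.sha1)
    return {
        "secret": bytes.fromhex(f[0]),
        "pin": f[2],
        "digits": int(f[3]) if f[3] is not None else config["DefaultDigits"],
        "bad_logins": int(f[4] or 0),
        "last_accessed": f[5],
        "last_timestep": int(f[6]) if f[6] is not None else -1,
        "algorithm": algo,
        # field 8: 0 or NULL falls back to TimeStep
        "timestep": int(f[8] or 0) or config["TimeStep"],
        "origin": int(f[9]) if f[9] is not None else config["TimeStepOrigin"],
    }


def totp_code(token, now):
    """RFC 6238 code for the time step containing `now`; returns (code, step)."""
    step = (now - token["origin"]) // token["timestep"]
    digest = hmac.new(token["secret"], struct.pack(">Q", step), token["algorithm"]).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** token["digits"]).zfill(token["digits"]), step


def verify(token, code, now):
    """Accept only the current step, never one at or before field 6 (replay)."""
    expected, step = totp_code(token, now)
    if step <= token["last_timestep"]:
        return False
    return hmac.compare_digest(expected, code)
```

The RFC 6238 test vectors (ASCII secret "12345678901234567890" and its SHA-256/SHA-512 extensions) can be used to check totp_code against a row that sets digits to 8.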