A2F using Own Development in NodeJS

A2F: In a previous article we talked about Swivel as an external tool for integrating two-factor authentication into our Scriptcase applications. It is also possible to use a less robust, in-house development. In this example, a two-factor authentication system was developed in NodeJS that supports not only a One Time Code (OTC, a soft token) but also a physical device (hard token), in this particular case one from the FIDO family by FEITIAN (https://www.ftsafe.com/products/FIDO). The OTC could be generated, for example, with Google Authenticator.

This document focuses on how Scriptcase uses those services. Although the implementation was developed in-house, special care was taken with its interfaces, which is why they are clearly documented for each of the supported options: PHP, .NET and Angular.

The PHP documentation gives the following information:



auth2factor PHP Integration SDK


  • sudo apt-get install php5-curl
  • sudo apt-get install composer

Use Firebase JWT to sign the HMAC. If you do not use Composer, copy the Firebase JWT library into your solution.


Set up the hostname, API key and secret:

$HOST = "https://localhost";
$API_KEY = "…";
$API_SECRET = "…";
$a2f_client = new auth2factor($HOST, $API_KEY, $API_SECRET);

delegate() returns a temporary login token, used to request an OTC/U2F verification:

$tokens = $a2f_client->delegate("user@me.com");
$req_token = $tokens["x-app-sign-request"];   // temporary token for validate_otc / validate_u2f
$u2f_req = $tokens["x-u2f-sign-request"];     // sign request to pass to the browser's u2f.sign

validate_otc() verifies the OTC. Returns a bearer token, otherwise false:

$sid = $a2f_client->validate_otc("…temporary token", "001122");

validate_u2f() verifies the U2F response. Returns a bearer token, otherwise false. Must be called once the browser has signed successfully with u2f.sign:

$client_data = "eyJ0eXAiO…";
$signature_data = "AQAAADUw…";
$sid = $a2f_client->validate_u2f("…temporary token", $client_data, $signature_data);

request_challenge() requests a U2F challenge to initiate key registration:

$challenge = $a2f_client->request_challenge("a valid bearer token");

register_key() registers a U2F security key. Must be called once u2f.register returns successfully:

$client_data = "eyJ0eXAiO…";
$registration_data = "AQAAADUw…";
$a2f_client->register_key("a valid bearer token", $client_data, $registration_data);

U2F Implementation

FIDO U2F – Enrollment

Once authenticated, the user goes to the account configuration section of the solution, where they are offered the option to enroll a key.


  • Obtain a U2F challenge: API request_challenge
  • Call the client library u2f.register with the challenge and request the registration
  • If the browser returns successfully, proceed to enroll the key
  • Store the successful registration in register_key.php: API register_key

FIDO U2F – Authentication

This applies when the user has keys registered for the domain where they completed the first authentication step.


  • Obtain a set of sign requests
  • Call the client library u2f.sign with the sign requests and request the signature
  • The user touches the key to proceed
  • The response is validated in sign_key.php, which obtains a bearer token: API validate_u2f
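The actual cryptographic verification in both flows happens inside the a2f service (validate_u2f and register_key). The following is an added example, not code from the article or from the a2f service, showing the sanity checks a relying party can run on the raw u2f.sign and u2f.register output before forwarding it: that the clientData carries the challenge that was issued, an allow-listed origin and the expected typ, and that the signatureData asserts user presence with a counter that advanced since the last successful sign. The origin https://app.example, the dummy signature bytes and the stored counter are constructed test values.

```javascript
// Added example, not from the article or the a2f service. Pre-checks on
// FIDO U2F browser responses before they are sent to validate_u2f / register_key.
function b64urlToBuffer(s) {
  return Buffer.from(s.replace(/-/g, '+').replace(/_/g, '/'), 'base64');
}

// Parse the clientData JSON the browser produced and compare it with what
// we issued. `expected` = { type, challenge, origins }. Throws on mismatch.
function checkClientData(clientDataB64, expected) {
  let cd;
  try {
    cd = JSON.parse(b64urlToBuffer(clientDataB64).toString('utf8'));
  } catch (e) {
    throw new Error('clientData is not valid base64url JSON');
  }
  if (cd.typ !== expected.type) throw new Error(`unexpected typ ${cd.typ}`);
  if (cd.challenge !== expected.challenge) throw new Error('challenge mismatch');
  if (!expected.origins.includes(cd.origin)) throw new Error(`origin ${cd.origin} not allowed`);
  return cd;
}

// U2F signatureData layout: 1 byte user-presence flags, 4-byte big-endian
// counter, then the DER signature that the a2f service verifies.
function parseSignatureData(signatureDataB64) {
  const buf = b64urlToBuffer(signatureDataB64);
  if (buf.length < 5) throw new Error('signatureData too short');
  return {
    userPresent: (buf[0] & 0x01) === 1,
    counter: buf.readUInt32BE(1),
    signature: buf.subarray(5),
  };
}

// Pre-check an authentication (u2f.sign) response. `lastCounter` is the
// counter stored after the previous successful sign for this key.
// Returns the new counter to store.
function precheckSignResponse(resp, issuedChallenge, origins, lastCounter) {
  checkClientData(resp.clientData, {
    type: 'navigator.id.getAssertion', challenge: issuedChallenge, origins });
  const sig = parseSignatureData(resp.signatureData);
  if (!sig.userPresent) throw new Error('user presence not asserted');
  // A counter that did not advance points at a cloned key or a replayed response.
  if (sig.counter <= lastCounter) throw new Error('counter did not increase');
  return sig.counter;
}

// Pre-check an enrollment (u2f.register) response; only clientData applies here.
function precheckRegisterResponse(resp, issuedChallenge, origins) {
  return checkClientData(resp.clientData, {
    type: 'navigator.id.finishEnrollment', challenge: issuedChallenge, origins });
}

// Constructed sample of what a browser returns for a sign request
// (signature bytes are dummy; a real one is a DER-encoded ECDSA signature).
function sampleSignResponse(challenge, counter) {
  const toB64url = (b) => b.toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  const cd = Buffer.from(JSON.stringify({
    typ: 'navigator.id.getAssertion', challenge, origin: 'https://app.example' }));
  const sd = Buffer.concat([Buffer.from([0x01]), Buffer.alloc(4), Buffer.from('3045deadbeef', 'hex')]);
  sd.writeUInt32BE(counter, 1);
  return { clientData: toB64url(cd), signatureData: toB64url(sd) };
}
```

Storing the counter per registered key and refusing a response whose counter has not moved is what turns the hard token's clone detection into something the application actually benefits from; without it, a copied key is indistinguishable from the original.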

JavaScript Library for U2F

Include the minified library:


<script src="js/a2f.js"></script>



  • Axios for AJAX / REST: axios.min.js
  • Axios configuration: axios-config.js
  • U2F: u2f-api.js
  • U2F utilities: u2f-utils.js

Based on the above, the following macro algorithm was analyzed and defined; the program should:

  1. Define the connection parameters.
  2. With the user already logged in through the first authentication (email), connect to the server to request a token.
  3. Once the token is received, ask the user for the OTC.
  4. Send the OTC.
  5. Receive the response indicating whether the second authentication is authorized or not.
  6. If successful, redirect the application to the Menu.
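The six steps above, written out as one server-side function, as an added example that is not code from the article or from the a2f project. The a2f client is injected, so the flow runs here against the constructed in-memory stand-in below; the stand-in's method names mirror the PHP SDK (delegate, validate_otc) and its token header names are the ones shown earlier. The session shape, the redirect paths, the six-digit code format (taken from the SDK example "001122") and the attempt limit are assumptions.

```javascript
// Added example, not from the article. The macro algorithm as a flow:
// token -> OTC prompt -> validation -> session and redirect, with the
// failure path kept explicit.
const MAX_OTC_ATTEMPTS = 3; // assumption: abandon this temporary token after 3 bad codes

// Step 1 is the $HOST / $API_KEY / $API_SECRET setup from the SDK section;
// here it is reduced to an already-constructed client being passed in.
// `promptOtc(attempt)` returns the code the user typed for that attempt.
function secondFactorLogin(a2fClient, email, promptOtc) {
  // Step 2: the user passed the first factor (email); request a temporary token.
  const tokens = a2fClient.delegate(email);
  const reqToken = tokens && tokens['x-app-sign-request'];
  if (!reqToken) {
    return { ok: false, reason: 'no temporary token', redirect: '/login' };
  }
  // Steps 3 to 5: ask for the OTC, send it, read the verdict.
  for (let attempt = 1; attempt <= MAX_OTC_ATTEMPTS; attempt++) {
    const otc = String(promptOtc(attempt)).trim();
    if (!/^\d{6}$/.test(otc)) continue;        // never forward malformed codes
    const bearer = a2fClient.validate_otc(reqToken, otc);
    if (bearer) {
      // Step 6: second factor authorized; open the session and go to the menu.
      return { ok: true, session: { email, bearer }, redirect: '/menu' };
    }
  }
  // Every attempt was malformed or rejected: no session, back to login.
  return { ok: false, reason: 'otc rejected', redirect: '/login' };
}

// Constructed stand-in for the a2f service so the flow runs offline.
// A real client would perform HTTP calls (and the flow would await them).
function fakeA2fClient(validCode) {
  const issued = new Map(); // temporary token -> email it was delegated for
  let n = 0;
  return {
    delegate(email) {
      const t = `tmp-${++n}`;
      issued.set(t, email);
      return { 'x-app-sign-request': t, 'x-u2f-sign-request': null };
    },
    validate_otc(tmpToken, code) {
      const email = issued.get(tmpToken);
      if (!email || code !== validCode) return false;
      issued.delete(tmpToken); // a temporary token is single-use once it succeeds
      return `bearer-for-${email}`;
    },
  };
}
```

The two decisions worth keeping when porting this to Scriptcase are that the bearer token, not the user's claim of having entered a code, is what creates the session, and that a failed second factor sends the user back to the login page rather than leaving a half-authenticated session alive.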


I hope these three articles on the interesting topic of two-factor authentication have served you well. Whatever method you choose, don't forget to always review the documentation, run tests, and only then implement it in Scriptcase.

By ,

April 15, 2019

