If you’re thinking “I’ll just hack together my own 2FA,” pause. That’s like deciding you’ll build your own jet engine because you once flew economy. Crypto is subtle. Mistakes are quiet and expensive. We’ll simulate how TOTP (time-based one-time passwords) and transaction TANs work, entirely for learning. Do not deploy this to production. If you need the real thing, use vetted standards and products, get security reviews, and threat-model properly. We’ll cite standards as we go.
You’ll finish with a runnable Quarkus app that:
Provisions a TOTP secret and renders a scannable QR code.
Verifies a 6-digit code from an authenticator app.
Demonstrates a “TAN-like” HMAC tag bound to transaction details (the idea behind PSD2 “dynamic linking”), purely to show the theory. Note that an HMAC is a symmetric MAC, not a signature: whoever can verify it can also forge it. For production, study OCRA (RFC 6287), FIDO2/WebAuthn, or vendor SDKs.
Big warning: This project is a learning aid. It intentionally skips critical controls like hardware-backed key storage, phishing resistance, device binding, replay protection, rate limiting, tamper-resistant UX, auditing, and more. Don’t ship this. Use standards and certified components.
Why I am writing this tutorial
You’ll understand the moving parts. TOTP is standardised in RFC 6238 (it is HOTP from RFC 4226 driven by a time-step counter instead of an event counter) and widely interoperable with authenticator apps. Knowing how it ticks helps with troubleshooting, compliance, and vendor evaluation.
Dynamic linking basics. High-risk transactions often require codes tied to the exact amount and payee, so a code phished for one transfer cannot authorise a different one. We’ll show the concept using an HMAC over a canonical string of the transaction fields, and point you to OCRA (RFC 6287) and the PSD2 RTS for the proper way.
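To make both of the points above concrete, here is an added, stand-alone Python example (not the tutorial’s Quarkus code) that builds an RFC 4226 HOTP core, derives RFC 6238 TOTP codes from it, verifies a code with a small clock-drift window, produces the otpauth:// provisioning URI that a QR code would carry, and derives a toy transaction-bound TAN from an HMAC-SHA256 over a canonical string. The secret and timestamps are the RFC 6238 test vectors; the canonical field order, the “|” separator, the version tag and the nonce are assumptions for illustration, not any standard’s format, and the sample IBAN is constructed.

```python
import base64
import hashlib
import hmac
import struct
import urllib.parse

# RFC 4226 / RFC 6238 reference secret (ASCII "12345678901234567890").
TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6, algo: str = "sha1") -> str:
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F  # low nibble of the last byte selects the 4-byte window
    binary = ((mac[offset] & 0x7F) << 24) | (mac[offset + 1] << 16) | (mac[offset + 2] << 8) | mac[offset + 3]
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6, algo: str = "sha1") -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    return hotp(secret, unix_time // step, digits, algo)


def verify_totp(secret: bytes, code: str, unix_time: int, step: int = 30, digits: int = 6, window: int = 1) -> bool:
    """Accept the current step and `window` steps either side to tolerate clock drift.
    The comparison is constant-time; a real verifier must also record the accepted
    step and reject its reuse, which this learning example deliberately omits."""
    counter = unix_time // step
    return any(
        hmac.compare_digest(hotp(secret, counter + delta, digits), code)
        for delta in range(-window, window + 1)
    )


def provisioning_uri(secret: bytes, issuer: str, account: str, digits: int = 6, step: int = 30) -> str:
    """otpauth:// URI as consumed by authenticator apps (this is the string you QR-encode)."""
    b32 = base64.b32encode(secret).decode("ascii").rstrip("=")
    label = urllib.parse.quote(f"{issuer}:{account}")
    query = urllib.parse.urlencode(
        {"secret": b32, "issuer": issuer, "algorithm": "SHA1", "digits": digits, "period": step}
    )
    return f"otpauth://totp/{label}?{query}"


def transaction_tan(secret: bytes, amount: str, currency: str, payee: str, nonce: str, digits: int = 6) -> str:
    """Toy dynamic-linking TAN: HMAC-SHA256 over a canonical string of the transaction fields,
    truncated the same way as HOTP. Field order, separator, version tag and nonce are
    assumptions made for this example, not a PSD2/OCRA format. Changing any field changes
    the code, which is the whole point of dynamic linking."""
    canonical = "|".join(["tan-v1", amount, currency, payee, nonce]).encode("utf-8")
    mac = hmac.new(secret, canonical, hashlib.sha256).digest()
    offset = mac[-1] & 0x0F
    binary = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


if __name__ == "__main__":
    print(totp(TEST_SECRET, 59, digits=8))  # RFC 6238 test vector: 94287082
    print(provisioning_uri(TEST_SECRET, "DemoBank", "alice@example.com"))
    # Constructed sample transaction; the IBAN is a made-up example value.
    print(transaction_tan(TEST_SECRET, "100.00", "EUR", "DE89370400440532013000", "n1"))
```

Two things worth noticing when you run it: the drift window means a code stays valid for up to three steps, so replay protection has to come from remembering the last accepted counter, and the TAN changes completely when the amount is edited from 100.00 to 1000.00, which is exactly what binds the code to the transaction the user actually saw.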
What you’ll build