JavaScript Implementation of a Multi-Factor Credential Hashing Function (MFCHF)
npm install mfchf
Multi-Factor Credential Hashing Function







Since the introduction of bcrypt in 1999, adaptive password hashing functions, whereby brute-force resistance increases symmetrically with computational difficulty for legitimate users, have been our most powerful post-breach countermeasure against credential disclosure. Unfortunately, the relatively low tolerance of users to added latency places an upper bound on the deployment of this technique in most applications. In this paper, we present a multi-factor credential hashing function (MFCHF) that incorporates the additional entropy of multi-factor authentication into password hashes to provide asymmetric resistance to brute-force attacks. MFCHF provides full backward compatibility with existing authentication software (e.g., Google Authenticator) and hardware (e.g., YubiKeys), with support for common usability features like factor recovery. The result is a 10^6 to 10^48 times increase in the difficulty of cracking hashed credentials, with little added latency or usability impact.
mfchf.js to your project: self-hosted, using a CDN, or using NPM (recommended).
mfchf.js or mfchf.min.js to your page like so:
mfchf.min.js in your page like so:
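```javascript
// Setup MFCHF-HOTP6 hash: returns the stored hash and the HOTP secret for the user's authenticator
const { hash, secret } = await mfchf.hotp6.setup('password123')

// Verify MFCHF-HOTP6 hash
// `hotp` is an HOTP generator from a separate OTP library, standing in for the user's device
const otp = parseInt(hotp({ secret, counter: 1 }), 10)
const result = await mfchf.hotp6.verify(hash, 'password123', otp)
result.valid.should.be.true // Chai "should" assertion
```

```javascript
// Setup MFCHF-TOTP6 hash: returns the stored hash and the TOTP secret for the user's authenticator
const { hash, secret } = await mfchf.totp6.setup('password123')

// Verify MFCHF-TOTP6 hash
// `speakeasy` generates the current TOTP code, standing in for the user's authenticator app
const otp = parseInt(speakeasy.totp({ secret }), 10)
const result = await mfchf.totp6.verify(hash, 'password123', otp)
result.valid.should.be.true // Chai "should" assertion
```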
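The idea behind the HOTP6 usage above, folding a 6-digit OTP into the password hash so the stored record cannot be checked without it, can be sketched with Node's built-in `crypto` module. This is an added example, not the mfchf library's code or its exact construction: the `offset`/`target` scheme, the use of scrypt, and the names `hotp6`, `stretch`, `setup` and `verify` are assumptions for illustration, and the state update needed after each login is omitted.

```javascript
const crypto = require('node:crypto')

// Sample input: the public RFC 4226 test key, not a real secret
const KEY = Buffer.from('12345678901234567890')

// RFC 4226 HOTP: 6-digit code from HMAC-SHA1 over an 8-byte big-endian counter
function hotp6 (key, counter) {
  const msg = Buffer.alloc(8)
  msg.writeBigUInt64BE(BigInt(counter))
  const mac = crypto.createHmac('sha1', key).update(msg).digest()
  const pos = mac[19] & 0x0f // dynamic truncation offset
  return (mac.readUInt32BE(pos) & 0x7fffffff) % 1e6
}

// Password and 6-digit target are stretched together, so a guess
// must get both right before the digest can match
function stretch (password, target, salt) {
  const input = `${password}:${String(target).padStart(6, '0')}`
  return crypto.scryptSync(input, salt, 32)
}

// Hypothetical setup: pick a random target and store only its distance
// from the expected OTP. The offset is uniformly random, so on its own
// it reveals neither the target nor the OTP.
function setup (password, key, counter) {
  const salt = crypto.randomBytes(16)
  const target = crypto.randomInt(1e6)
  const offset = (target - hotp6(key, counter) + 1e6) % 1e6
  return { salt, offset, digest: stretch(password, target, salt) }
}

// Hypothetical verify: the submitted OTP plus the stored offset
// reconstructs the target, which is hashed with the password
function verify (record, password, otp) {
  const target = (record.offset + otp) % 1e6
  const digest = stretch(password, target, record.salt)
  return crypto.timingSafeEqual(digest, record.digest)
}
```

Someone holding only `{ salt, offset, digest }` has to try every one of the 10^6 possible targets for each candidate password, which corresponds to the lower end of the range quoted in the abstract.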