Open Source One Time Passwords - A good Idea?

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

Moderator: General Moderators

Post Reply
sailing_mad_bob
Forum Newbie
Posts: 2
Joined: Sun Jul 26, 2009 7:53 am

Open Source One Time Passwords - A good Idea?

Post by sailing_mad_bob »

I am trying to get an open source project off the ground for One Time Passwords to provide two factor authentication for sensitive web sites or for admin access to website back end. These are in the form of key fobs with a button and LCD screen on them. Inside they have a real time clock and encryption engine. When you press the button it takes the time and date and encrypts it with the private jey of that fob. This cypher is then typed into a auth page on the server together with the normal username and password.

I want to make an open source version of this with PHP for the server side, so the coder can simply use an OpenOTP.php function something like this;

Code: Select all

 
function OpenOTP($cypher,$private_key,$expected_drift)
{
// authentication code in PHP here
// returns array of;
// ret_array[0] = 0 or 1 success or failure
// ret_array[1] = drift of the key fob clock in secs which can be stored and used in $expected_drift next time
}
 
I was just wondering if anyone has used any of the commercial OTP devices and how that panned out and if they feel that one which can be implemented using an open source php function would be quicker, easier, desirable or non of the above and a bit of a waste of time?

Bob.
Post Reply