
One-Time Password Proof of Concept

4/11/2014


A one-time password (OTP) is a password that is only valid for a single login session. The benefit of OTP is that it’s not vulnerable to replay attacks. This means that an adversary cannot capture and then reuse a one-time password, since it’s not valid beyond the login session it was used for.

I wanted to try OTP out with Interact. With the exception of YubiKey, third-party solutions either seemed too weak (SMS text message) or too expensive (RSA SecurID, chip-and-PIN challenge/response), so I built a software-only alternative based on a concept I first saw from GrIDsure. The solution requires the user to select and then memorise a pattern and sequence of squares in a grid:

[Image: Register one-time password]

The user then starts the OTP pad application on (ideally) another device, such as a smartphone. This application displays the same grid, but each square in the grid now contains a number:

[Image: One-time password pad]

The OTP pad application only displays a grid for 30 seconds. If the user hasn’t entered the code within that time, a new one can be requested by clicking the refresh button.

Finally, the user selects the numbers from the squares that correspond to the pattern chosen during registration, and enters them into the OTP field on the login form:

[Image: One-time password login form]

Using the pattern and the grid of numbers shown above, the user would enter 4 1 2 3 1 1.
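The server side of the scheme described above, as an added example (not the code behind Interact or the GrIDsure product). It assumes a 5x5 grid, a six-square pattern and a hypothetical `OtpGridService` API: the user registers an ordered sequence of cell indices, the pad requests a freshly randomised digit grid, and the login form submits the digits read off those cells. The verifier enforces the two properties the text relies on: a grid expires after 30 seconds, and a grid is consumed by its first verification attempt, so a captured response cannot be replayed. The example grid below is constructed so that the registered pattern yields the page's answer, 4 1 2 3 1 1.

```python
import hmac
import secrets
from dataclasses import dataclass

GRID_SIZE = 5            # assumed: a 5x5 grid, as in the screenshots
GRID_TTL_SECONDS = 30    # the pad shows each grid for 30 seconds
PATTERN_LENGTH = 6       # the page's example response has six digits
CELLS = GRID_SIZE * GRID_SIZE


@dataclass
class IssuedGrid:
    digits: list        # CELLS single digits, row-major order
    issued_at: float    # server time when the pad requested it
    used: bool = False  # set on the first verification attempt


class OtpGridService:
    """Hypothetical server side of the grid-pattern OTP scheme."""

    def __init__(self):
        self._patterns = {}  # username -> ordered tuple of cell indices
        self._grids = {}     # grid_id -> IssuedGrid

    def register_pattern(self, username, cells):
        """Store the pattern and sequence of squares chosen at registration."""
        if len(cells) != PATTERN_LENGTH:
            raise ValueError("pattern must have %d squares" % PATTERN_LENGTH)
        if any(not 0 <= c < CELLS for c in cells):
            raise ValueError("cell index out of range")
        self._patterns[username] = tuple(cells)

    def issue_grid(self, now, digits=None):
        """Called by the OTP pad: returns (grid_id, digits) for display.

        `digits` may be supplied only to build a deterministic grid for a
        demonstration; production callers leave it None and get random digits.
        """
        if digits is None:
            digits = [secrets.randbelow(10) for _ in range(CELLS)]
        grid_id = secrets.token_hex(8)
        self._grids[grid_id] = IssuedGrid(list(digits), now)
        return grid_id, list(digits)

    def verify(self, username, grid_id, response, now):
        """Check the digits typed into the login form against one issued grid."""
        grid = self._grids.pop(grid_id, None)
        if grid is None or grid.used:
            return False  # unknown grid, or already consumed (replay)
        grid.used = True  # any attempt, right or wrong, spends the grid
        if now - grid.issued_at > GRID_TTL_SECONDS:
            return False  # the pad would already have blanked this grid
        pattern = self._patterns.get(username)
        if pattern is None:
            return False
        expected = "".join(str(grid.digits[c]) for c in pattern)
        return hmac.compare_digest(expected, response)


def format_grid(digits):
    """Render a digit list as rows, the way the pad application shows it."""
    rows = [digits[r * GRID_SIZE:(r + 1) * GRID_SIZE] for r in range(GRID_SIZE)]
    return "\n".join(" ".join(str(d) for d in row) for row in rows)


# Constructed demonstration: the pattern runs down the main diagonal and
# finishes in the top-right corner; the grid is chosen so those cells read
# 4, 1, 2, 3, 1, 1, matching the page's example response.
DEMO_PATTERN = (0, 6, 12, 18, 24, 4)
DEMO_DIGITS = [4, 0, 0, 0, 1,
               0, 1, 0, 0, 0,
               0, 0, 2, 0, 0,
               0, 0, 0, 3, 0,
               0, 0, 0, 0, 1]


def demo():
    svc = OtpGridService()
    svc.register_pattern("alice", DEMO_PATTERN)
    grid_id, digits = svc.issue_grid(now=1000.0, digits=DEMO_DIGITS)
    print(format_grid(digits))
    first = svc.verify("alice", grid_id, "412311", now=1010.0)   # True
    replay = svc.verify("alice", grid_id, "412311", now=1011.0)  # False
    return first, replay


if __name__ == "__main__":
    print(demo())
```

Spending the grid on a wrong answer as well as a right one is a deliberate choice: it caps online guessing at one attempt per 30-second grid, at the cost of making a mistyped code require a refresh on the pad. Note that `verify` compares with `hmac.compare_digest` so the response check takes the same time whether the first or last digit is wrong.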



All content copyright © Michael Wittenburg 1995 to 2020. All rights reserved.