Network Security Web-App-Sec

one-time password (OTP) authentication

Subject: one-time password (OTP) authentication
Date: Sat, 18 Jun 2005 22:15:35 -0600
Two-factor authentication (authenticating a user with something they know AND 
something they possess) is becoming more and more popular due to increasing 
security requirements and the prevalence of spyware software.  However, in open 
source projects, solutions such as RSA SecurID, smartcards, etc. are not always 
feasible because of funding, licensing, or other constraints.  Here is a 
complete, standards-based, open source, no-hardware solution.  Here is a PHP 
implementation for generating, challenging, and authenticating one-time 
passwords according to RFC 2289.  (go to 
http://www.dcphp.com/Developers/files/otp_pub.zip 
to download)  Below are two scenarios for OTP use. 

Scenario A: 
Users across an organization need access to corporate resources at home, on the 
road, in airplanes, etc.  Users are many (>1000) and geographically 
distributed.  A user applies for access and is approved.  The administrator 
prints off a list of one-time passwords and delivers a hard-copy via physical 
medium (fax, phone, snail-mail, person-to-person handoff). 

Scenario B: 
Users self-register for a commercial (or other) website.  Once successfully 
registered, the user is given the option to generate a list of one-time 
passwords and use them for authentication in addition to their 
username/password (of course, user can ignore OTP from certain trusted 
computers, such as the one they registered from, if they trust it).  The user 
can generate new OTPs at any time once authenticated. 



When the user logs in, they use their username, password, and a 
one-time password (which one depends on which one they are prompted for by the 
server).  The OTP expires immediately upon authentication.  Now, if a hacker 
intercepts all three tokens, they are still unable to perform a replay attack 
because the third token is already invalidated.  There is a race condition if 
they are watching in real time, but this can be accounted for via transaction 
locking in the session handling code. 


--
the brown cow
--
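The generate / challenge / verify cycle the post describes, as an added example in Python; this is not code from the post or from the dcphp.com PHP package it links to. It implements the MD5 variant of RFC 2289 (hash the pass-phrase plus seed, fold to 64 bits, iterate) with responses in the RFC's hexadecimal form; the six-word form is omitted because it needs the RFC's 2048-word dictionary. The server side keeps only the last accepted OTP per user and holds a lock across each verification, which is the "transaction locking" the post relies on to close the real-time replay race. The class and function names, the user "alice" and the credentials are constructed for illustration.

```python
# Added example (not from the original post or the linked PHP package):
# RFC 2289 one-time passwords, MD5 variant, hex response form.
import hashlib
import hmac
import threading


def _fold_md5(digest: bytes) -> bytes:
    """RFC 2289 fold for MD5: XOR the two 8-byte halves of the 16-byte digest."""
    return bytes(a ^ b for a, b in zip(digest[:8], digest[8:]))


def _step(x: bytes) -> bytes:
    """One hash-then-fold step; OTP(n) = step(OTP(n-1))."""
    return _fold_md5(hashlib.md5(x).digest())


def otp_chain(passphrase: str, seed: str, n: int) -> list:
    """Return [OTP(0), ..., OTP(n)].  The seed is case-insensitive, so it is
    lower-cased before it is appended to the pass-phrase (RFC 2289 sec. 6).
    The user spends the list in decreasing order: OTP(n-1) first."""
    chain = [_step((passphrase + seed.lower()).encode())]
    for _ in range(n):
        chain.append(_step(chain[-1]))
    return chain


def fmt_hex(otp: bytes) -> str:
    """Hexadecimal form, four groups of four hex digits."""
    h = otp.hex().upper()
    return " ".join(h[i:i + 4] for i in range(0, 16, 4))


def parse_hex(response: str):
    """Accept the hex form with any spacing or case; None if malformed."""
    try:
        raw = bytes.fromhex("".join(response.split()))
    except ValueError:
        return None
    return raw if len(raw) == 8 else None


class OtpServer:
    """Per-user OTP state (constructed for this example).  The server stores
    only the last accepted OTP, never the pass-phrase, and serialises
    verification so a concurrently replayed OTP cannot be accepted twice."""

    def __init__(self):
        self._users = {}
        self._lock = threading.Lock()

    def enroll(self, user: str, seed: str, seq: int, otp_seq: bytes):
        """Register OTP(seq) for the user; the client keeps the pass-phrase."""
        with self._lock:
            self._users[user] = {"seed": seed, "seq": seq, "last": otp_seq}

    def challenge(self, user: str):
        """RFC 2289 challenge 'otp-md5 <sequence> <seed>' for the next OTP,
        or None when the list is exhausted and the user must re-enroll."""
        with self._lock:
            u = self._users[user]
            if u["seq"] < 1:
                return None
            return "otp-md5 %d %s" % (u["seq"] - 1, u["seed"])

    def verify(self, user: str, response: str) -> bool:
        """Accept OTP(seq-1) iff step(OTP(seq-1)) equals the stored OTP(seq);
        on success the stored value moves down the chain, so a replayed
        response no longer hashes to what the server holds."""
        cand = parse_hex(response)
        if cand is None:
            return False
        with self._lock:  # one verification per server at a time: no race
            u = self._users.get(user)
            if u is None or u["seq"] < 1:
                return False
            if not hmac.compare_digest(_step(cand), u["last"]):
                return False
            u["last"], u["seq"] = cand, u["seq"] - 1
            return True


def demo_replay_race(server: OtpServer, user: str, response: str,
                     threads: int = 8) -> int:
    """Submit the same OTP from several threads at once (the eavesdropper
    racing the legitimate user); returns how many submissions were accepted."""
    results, barrier = [], threading.Barrier(threads)

    def worker():
        barrier.wait()
        results.append(server.verify(user, response))

    ts = [threading.Thread(target=worker) for _ in range(threads)]
    for t in ts:
        t.start()
    for t in ts:
        t.join()
    return sum(results)


if __name__ == "__main__":
    # Constructed sample credentials; the client prints the list (Scenario A)
    # or generates it after login (Scenario B) and the server stores OTP(99).
    chain = otp_chain("This is a test.", "TeSt", 99)
    srv = OtpServer()
    srv.enroll("alice", "TeSt", 99, chain[99])
    print(srv.challenge("alice"))
    print(srv.verify("alice", fmt_hex(chain[98])))
    print(srv.verify("alice", fmt_hex(chain[98])))
    print(demo_replay_race(srv, "alice", fmt_hex(chain[97])))
```

Because each accepted response becomes the new stored value, a captured username, password and OTP are useless a moment later, exactly as the post says; the lock around `verify` is what turns "a moment later" into "never", since even eight simultaneous submissions of the same OTP yield one success. A real deployment would also rate-limit failures and force re-enrollment well before the sequence number reaches zero.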
