[COLUG] One Time Password Update
Duane
duane at cacert.org
Mon Feb 5 03:25:20 EST 2007
I gave a talk about using One Time Passwords for server authentication
some time back, and more recently it seemed like a perfect fit for
website single sign on of sorts.
Most SSO systems require static info or some kind of server/database
to authenticate you; both methods can be used to track your browsing habits.
It seemed to me that all that is needed for secure (and portable)
authentication was something like OTPs, but without the hash being static.
The original java app for phones (http://motp.sf.net) had the code
posted as well, so I fumbled about a bit and managed to hack in the
ability for multiple hashes, and you can give each hash a meaningful alias.
http://wap.evilbunny.org/mOTP/mOTP.jad
http://wap.evilbunny.org/mOTP/mOTP.jar
For the server side I coded up a PHP/MySQL solution the other day:
http://wiki.cacert.org/wiki/PHP_OTP
While OTPs are good for authentication, session IDs can still be
hijacked and server connections proxied for man in the middle attacks
and OTPs (and virtually every other SSO method) can do nothing to
prevent this.
--
Best regards,
Duane
http://www.cacert.org - Free Security Certificates
http://www.nodedb.com - Think globally, network locally
http://www.sydneywireless.com - Telecommunications Freedom
http://e164.org - Because e164.arpa is a tax on VoIP
"In the long run the pessimist may be proved right,
but the optimist has a better time on the trip."