One-Time Password - Proof of Concept

4/11/2014

A one-time password (OTP) is a password that is only valid for a single login session. The benefit of OTP is that it’s not vulnerable to replay attacks. This means that an adversary cannot capture and then reuse a one-time password, since it’s not valid beyond the login session it was used for.

I wanted to try OTP out with Interact. With the exception of YubiKey (which I'm looking into), third party solutions either seem too weak (SMS text message) or were too expensive (RSA SecureId, Chip & PIN challenge/response), so I built out a software-only alternative based on a concept I first saw from GrIDsure. The solution requires the user to select and then memorise a pattern and sequence of squares in a grid:

User registration

The user then starts the OTP pad application on (ideally) another device, such as a smartphone. This application displays the same grid, but each square in the grid now contains a number:

User registration

The OTP pad application only displays a grid for 30 seconds. If the user hasn’t entered the code within that time, a new one can be requested by clicking the refresh button.

Finally, the user selects the numbers from the squares that correspond to the pattern chosen during registration, and enters them into the OTP field on the login form:

User login

Using the pattern and the grid of numbers shown above, the user would enter 4 1 2 3 1 1.


Home | Blog | Photos | Contact | About

Wittenburg.co.uk and all content copyright 1995-2018 by Michael Wittenburg, unless otherwise stated.
All content on this site is licensed under the Creative Commons license, unless otherwise stated.

Wittenburg.co.uk uses a single session cookie because it's required by the tech underlying the site (Microsoft ASP.NET). The cookie stores no information and seves no functional purpose.