How to implement multi factor authentication using a token generator?
There are a lot of existing ones, and they come with their own APIs. You can implement any algorithm you wish. See this site.
Drawing it up from scratch, for disconnected tokens you have a few options. They can be:
- counter-based -- a new password with every press and the authenticating system doesn't allow anything at least as old as the last used password
- time-based -- the algorithm factors in the current time and the server doesn't allow anything other than present, the minute before, and the next minute (or possibly a slightly wider window); requires good time sync
You need to seed an unpredictable sequence based algorithm with a secret shared value and either the time or your counter. hash(time . secret)
or such. Using SHA-256 and chopping off some bits would be effective.
Strength comparisons:
- RSA token -- 8 numeric digits, 108 (one in a hundred million)
- six numeric digits, 106 (one in a million)
- six alpha-numeric, 2.1x109 (one in 2 billion)
- six alpha-numeric, with caps: 5.6x1010 (one in 56 billion)
See also:
- OPIE Authentication System
- S/Key
I'm currently using the Google Authenticator as my OTP token of choice.
If you are new to this, I recommend reading up on the OATH Initiative. This ground has been well paved, good luck!
Some important ancilary design considerations.
Single user or multi-user?
If this is a pet project just for you then a lot of support tasks are easy. However, if this is a multiuser system, then you need to consider more factors.
Unified token or per-person token?
A unified token is a token that provides equivelent authentication for all users. That is even if there are multiple physical devices, any user may use any physical device for authentication. This is convenient for support, but weak for authentication. On the other hand a per-user token may only be used by a specified user. Each user must be uniquely assigned to a different physical token device. If the user looses or damages the device the user must be assigned to a new physical device. Per-user provides stronger authentication, but operational support is more expensive.
Authentication system parameters.
There are some critical parameters such as delay between failed authentication and next authentication prompt. This fail delay helps protect against online attacks where the attacker has obtained the username and password, but does not have a valid token device. Another parameter is the number of failed attempts until the account is temporarily disabled. Adding the the previous setting is the temporary disabled time. That is how long after n failed attempts should the account be temporarily disabled.
Token device protection
Since the token device is an authentication component, the token device will be a tempting target for attackers. If you are thinking of using a mobile phone or smart phone, you need to think about how you will protect the token generating software from attempts to monitor or disrupt it. If your device is a custom device, what communication channels will it have (USB, Ethernet, RS-232) and how will those enable an attacker to analyze or modify the device?