undefined | Better HN

0 pointsicebraining13y ago0 comments

Nope, the solution I posted doesn't use SMS - in fact, it's completely offline. You could have the phone in airplane mode.

It essentially generates a code based on a pre-shared secret and the current time.

As for the costs, as I said there's plenty of free client applications (Google Authenticator is just the most well known), and not only there are plenty of libraries that you can use on your server, as the RFC that details TOTP provides an implementation in less than 50 short lines of code (+ Java boilerplate); see http://tools.ietf.org/html/rfc6238

And you just need that, plus an extra field in your data store for each user (to store the secret) and a textbox in the login page.

0 comments

2 comments · 1 top-level

Spearchucker13y ago· 1 in thread

I've not come across that one before, and... it looks really interesting. I'd argue that it's not completely offline because it requires time-sync, depending on the precision of the client. That assumes the validator is online and can re-sync at any time.

Using a phone is a great solution. Except when the app that requires TOTP authN is also on the phone. That's a shame.

Either way, thanks for positing the link, and clarifying. I learnt something today.

icebrainingOP13y ago

I'd argue that it's not completely offline because it requires time-sync, depending on the precision of the client. That assumes the validator is online and can re-sync at any time.

Well, it uses a 30 second window, so it can cope with small drifts; as long as the phone's RTC isn't broken, you should rarely need to re-sync.

I use it with a J2ME application on a Nokia S60 without an internet plan and it works fine.

j / k navigate · click thread line to collapse