
One-Time Password Solution

Project summary

An OTP is a password that is valid only once and only for a short period of time. The most important shortcoming of static passwords that OTPs address is replay: if a one-time password is somehow captured by a third party, it cannot be used to log in later, because the password is no longer valid. Note that this protects against replay of a captured code, not against a real-time relay: an attacker who forwards the code to the real server within its validity window, as a phishing proxy does, still gets in.

The drawback of such a system is that an additional application or device is required to generate OTPs, since human brains can't compute HMAC-SHA1 hashes, last time I checked.

I use one-time passwords to log in to any administration interface or to the OpenID server located at rolisoft.net.

My solution

My algorithm is similar to the one described in RFC 4226; however, the hashed counter and the way the actual password is generated are different.
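For reference, here is the unmodified RFC 4226 HOTP construction that the paragraph above compares against, together with a server-side verifier that shows the replay property from the project summary. This is an added example, not the author's variant (which hashes the counter and derives the password differently) and not code from this project. The secret, the look-ahead window of 5 and the HotpVerifier class are assumptions made for the example; the secret is the test-vector key from RFC 4226 itself.

```python
import hashlib
import hmac
import struct

# Assumed for the example: the shared secret from the RFC 4226 test vectors.
SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation to a 31-bit integer, then reduce modulo 10^digits."""
    msg = struct.pack(">Q", counter)
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # low nibble of last byte
    code = ((mac[offset] & 0x7F) << 24           # drop the sign bit
            | mac[offset + 1] << 16
            | mac[offset + 2] << 8
            | mac[offset + 3])
    return str(code % (10 ** digits)).zfill(digits)


class HotpVerifier:
    """Server side (assumed design, not the project's): keeps the next
    expected counter per user so that a captured code cannot be replayed.
    A small look-ahead window tolerates codes the client generated but
    never submitted (the RFC's resynchronisation parameter s)."""

    def __init__(self, secret: bytes, window: int = 5, digits: int = 6):
        self.secret = secret
        self.window = window
        self.digits = digits
        self.counter = 0  # next counter value the server will accept

    def verify(self, code: str) -> bool:
        # Only counters at or ahead of the stored one are tried, so a code
        # whose counter has already been consumed can never match again.
        for c in range(self.counter, self.counter + self.window):
            expected = hotp(self.secret, c, self.digits)
            if hmac.compare_digest(expected, code):
                self.counter = c + 1  # advance past the used counter
                return True
        return False


def replay_demo(secret: bytes = SECRET):
    """A captured code logs in once; submitting it again is rejected."""
    v = HotpVerifier(secret)
    captured = hotp(secret, 0)
    first = v.verify(captured)
    replay = v.verify(captured)
    return first, replay


if __name__ == "__main__":
    for c in range(3):
        print(c, hotp(SECRET, c))
    print("first use, replay:", replay_demo())
```

The verifier advances the counter on success and never looks backwards, which is exactly what makes a sniffed code worthless afterwards; the window only forgives codes that were generated and skipped, not ones that were already accepted.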

OTP solutions usually rely on hardware security tokens. It would be difficult for me to manufacture such a device. Instead, I developed a simple Java applet that runs on my cellphone, which is in my pocket at all times.

Because I've used OTPs in a lot of my solutions, and because of the variety of languages I write in, the algorithm ended up being implemented in C#, Java, Python, Perl, PHP, C++, C++/CLI, D, LOLcode and T-SQL. The last three weren't actually used; they were implemented out of boredom.

For quick OTP generation on my computer or laptop, I developed a cross-platform application that generates passwords after a simple authentication:

Screenshots of the application on Windows 7, Windows Server 2008, Ubuntu 10.10 and Mac OS X Leopard.

Version 2

The previously detailed and open-sourced solution has been deprecated as of May 30, 2011 in favor of a new, faster and more secure algorithm for generating one-time passwords. The new solution will be open-sourced once it is superseded by a better one in the future.