RS OTP Generator

This project was developed in 2009, as no such readily available mobile and desktop applications existed at that time. It was also educational, since I tried to re-implement it in as many languages as possible, including some esoteric ones. It is now deprecated; while I still religiously use multi-factor authentication whenever possible, I've moved on to more standardized options. This page only exists for archival purposes.

Project summary

An OTP (one-time password) is a password that is only valid once and for a short period of time. The most important shortcoming of static passwords that OTPs address is vulnerability to replay attacks: if a one-time password is somehow captured by a third party, they won't be able to log in with it, since the password is no longer valid.

The drawback of such a system is that an additional application or device is required to generate OTPs, as human brains can't generate SHA1-HMAC hashes, last time I checked.

I use one-time passwords in addition to regular passwords (see multi-factor authentication) to log in to any administrative interfaces or the OpenID server located at rolisoft.net.

My solution

My algorithm is similar to the one described in RFC 4226; however, the hashed counter and the way the actual password is generated are slightly tweaked.

OTP solutions usually have security token devices. It would be difficult for me to manufacture such a device. Instead, I developed a simple application that runs on my smartphone, which is in my pocket all the time.

[Note from 2016 me: I did actually end up implementing the later version of the OTP algorithm on an Arduino in 2015, so in a sense, I did end up "manufacturing such a device".]

Because I use OTPs in a lot of my solutions, due to the variety of languages I write in, the algorithm ended up being implemented in: C#, Java, Python, Perl, PHP, C++, C++/CLI, D, LOLcode and T-SQL. The last three languages weren't actually used; they were just implemented out of boredom.

For fast OTPs on my computer or laptop, I developed a cross-platform application that is able to generate passwords after a simple authentication:

[Screenshots: Windows 7, Windows Server 2008, Ubuntu 10.10, Mac OS X Leopard]

Version 2

The previously detailed and open-sourced solution has been deprecated as of May 30, 2011 in favor of a new, faster and more secure algorithm to generate one-time passwords. This solution will be open-sourced once it is superseded by a better one in the future.

[Note from 2016 me: I currently use Google Authenticator on my phone, and a personal password manager capable of generating OTPs on the desktop.]