Situatie
The OTP is a numeric code that is randomly and uniquely generated during each authentication event. This adds an additional layer of security, as the password generated is fresh set of digits each time an authentication is attempted and it offers the quality of being unpredictable for the next created session.
The two main methods for delivery of the OTP is:
- SMS Based: This is quite straightforward. It is the standard procedure for delivering the OTP via a text message after regular authentication is successful. Here, the OTP is generated on the server side and delivered to the authenticator via text message. It is the most common method of OTP delivery that is encountered across services.
- Application Based: This method of OTP generation is done on the user side using a specific smartphone application that scans a QR code on the screen. The application is responsible for the unique OTP digits. This reduces wait time for the OTP as well as reduces security risk as compared to the SMS based delivery.
Solutie
Pasi de urmat
The most common way for the generation of OTP defined by The Initiative For Open Authentication (OATH) is the Time Based One Time Passwords (TOTP), which is a Time Synchronized OTP. In these OTP systems, time is the cardinal factor to generate the unique password. The password generated is created using the current time and it also factors in a secret key. An example of this OTP generation is the Time Based OTP Algorithm (TOTP) described as follows:
- Backend server generates the secret key
- The server shares secret key with the service generating the OTP
- A hash based message authentication code (HMAC) is generated using the obtained secret key and time. This is done using the cryptographic SHA-1 algorithm. Since both the server and the device requesting the OTP, have access to time, which is obviously dynamic, it is taken as a parameter in the algorithm. Here, the Unix timestamp is considered which is independent of time zone i.e. time is calculated in seconds starting from January First 1970. Let us consider “0215a7d8c15b492e21116482b6d34fc4e1a9f6ba” as the generated string from the HMAC-SHA1 algorithm.
- The code generated is 20 bytes long and is thus truncated to the desired length suitable for the user to enter. Here dynamic truncation is used. For the 20-byte code “0215a7d8c15b492e21116482b6d34fc4e1a9f6ba”, each character occupies 4 bits. The entire string is taken as 20 individual one byte string.
- We look at the last character, here a. The decimal value of which is taken to determine the offset from which to begin truncation. Starting from the offset value, 10 the next 31 bits are read to obtain the string “6482b6d3″. The last thing left to do, is to take our hexadecimal numerical value, and convert it to decimal, which gives 1686288083. All we need now are the last desired length of OTP digits of the obtained decimal string, zero-padded if necessary. This is easily accomplished by taking the decimal string, modulo 10 ^ number of digits required in OTP. We end up with “288083” as our TOTP code.
- A counter is used to keep track of the time elapsed and generate a new code after a set interval of time
- OTP generated is delivered to user by the methods described above.
we’ll create a simple One Time Password (OTP) algorithm using Python’s built-in ‘secrets' module. The OTP algorithm will generate a random one-time password, which will be used as a secure authentication token for a user.
Leave A Comment?