-
Notifications
You must be signed in to change notification settings - Fork 18
Tokens
Any RFC 4226 compatible one-time password generator from which you can access the token key should work with mod_authn_otp.
Note that the token key is not the same thing as the token ID, which is typically a alphanumeric string like MATM89382348. The token ID is simply a identifier for the token, like a serial number. The token key on the other hand is typically 16 to 20 bytes of random binary data looking something like "f136803ab9c241079ba0cc1b5d02ee7765df3421". This is the actual cryptographic secret on which the security of the token rests. The token key must be provided to you separately and securely by the token vendor.
You will need a token that is not tied to a specific vendor by way of proprietary design or withholding of information. Of course, this means the token must be OATH-compliant. Many vendors do indeed sell "OATH-compliant" tokens, but they require you to also purchase their expensive, proprietary server-side software to use them. They won't give you the token keys unless you do.
For example, Verisign's VIP tokens are popular but are not compatible with mod_authn_otp because it is not possible to extract the token's key.
In any case, do you really think you can trust your security those so-called experts? If you do, you might want to read some of these articles.
Perhaps over time this "stay proprietary" strategy will evolve away, as it has done in so many other technology areas.
In the meantime, when you call a vendor to inquire, tell them that you are using the open-source authentication solution mod_authn_otp and that you require token keys.
- Google Authenticator runs on Andriod, iOS, and Blackberry. Time-based authentication must use 30 second intervals. You can use the included GenOTPURL utility to generate URL's for this app.
- Mobile-OTP on the iPhone is an iPhone app implementing the older Mobile-OTP algorithm.
- Android Token is an OATH token app for Android devices.
- Authenex's A-Key 3600 is compatible and has been successfully tested.
- Gemalto's Ezio time-based tokens should work but have not been tested.
- The YubiKey supports multiple authentication schemes, is OATH compatible, and has been tested.