One time passwords


In 2009 I thought that it would be great to have an ability to log into TYPO3 using one-time-passwords (OTP) so as to beat any keyloggers if I want to log into the backend from an insecure computer. I researched various systems and decided that RFC 2289 fits the bill because there were existing J2ME calculators that I could use on my Java-enabled phone (the era of smartphones had already started but majority of the phones were still running “dumb” OS with some J2ME apps to make them smarter). However, I realized that there was no generic PHP class developers could use so I decided to write one and started PHP One-Time Passwords project on SourceForge.

So I had the class written and wanted to use it in a TYPO3 extension that I was about to program. First I didn’t have time for it. Later I started looking into the TYPO3’s login handling and realized that the implementation wasn’t going to be easy. Then I didn’t have time for it again. Then I started to think that the whole concept is outdated and that the way to go is to use OpenID and the OTP authentication should be used on the OpenID provider’s side (possibly some self-hosted solution). Long story short, I unfortunately never wrote the extension.

While the SourceForge project kept living (over 3000 downloads till 06/11/2013), it was never widely implemented into publicly available systems. Except for WordPress - Marcel Bokhorst picked up the class not too long after it was created (within the first year I believe) and wrote a WordPress plugin that provides admin/editor login using one-time passwords. Sure I was happy that the class got at least some public real-world usage but as I haven’t been using WordPress myself, it was of no benefit to me. Until now.

I’ve decided to use WordPress for this website because it was basically a ready-made solution for what I needed so why re-invent the wheel. So more than 4 years after I wrote that PHP class, I finally have a chance to use it.

I feel like something has completed, at last.

The picture depicts a “challenge” being offered to the user to log in using an one-time password. In human language that gobbledygook means:

Input an one-time password calculated by using your secret passphrase, 998 as the sequence count, kexorgpc as the seed and MD5 as the hash algorithm.

Note that the count is running backwards – if you initialize the system to use 1000 one-time passwords, the system uses this as a start and every time asks you for a password for -1 sequence until you reach 0 and the system needs to be re-initialized.