Rockbox Development > Feature Ideas

OTP

OTP:
Hi,

First, thanks for all the great work. I am wondering if Rockbox devices could be used for two-factor authentication. http://www.mattcutts.com/blog/google-two-step-authentication/ has introduced it, and smartphones can double as (semisoft) tokens: http://f-droid.org/repository/browse/?fdfilter=otp&fdid=com.google.android.apps.authenticator2. Hard tokens like YubiKeys can also be implemented in software: https://github.com/Yubico/yubico-c. Many serious sites accept certificates and OTPs along with YubiKeys for strong two-factor authentication: https://login.cern.ch/. There is a long history of using OTPs with mobile devices, like mOTP: http://f-droid.org/repository/browse/?fdfilter=otp&fdid=org.cry.otp.

Would it be possible to have Rockbox plugins to emulate RFC TOTP and HOTP, along with the widespread mOTP and YubiKeys?

Thanks,
Rob

saratoga:
Provided you don't need network access for your authentication I don't see why not.

OTP:
Hi,

No network access is needed. Only the seed needs to be copied (or entered) to the device once, when initializing an account. This is then used to generate one-time passwords based on either a monotonically increasing counter (HOTP, YubiKey) or a timestamp (TOTP). The disposable passcodes can be read off the display and entered at the input line on the PC/tablet. The server then evaluates and validates these each time (using the same seed and time/counter position).

MobileOTP can also take a PIN before generating a one-time password, which is handy for crude server-client challenge response (the RFC OTPs and YubiKeys can be subject to a certain class of replay attacks, i.e. token-withholding MITM). mOTP may need a 4-digit input from the user (i.e. up/down and left/right, like setting LCD watches -- could also be used to enter the Base32 seed when setting up an account).

More info: http://motp.sourceforge.net/

Perhaps the Rockbox project itself will find it handy.
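
The generation and validation scheme described in the post above, as an added example that is not part of the original thread or of any Rockbox code: HOTP (RFC 4226) and TOTP (RFC 6238) from a shared seed, plus a server-side check that advances the counter so a used code is rejected. The names `hotp`, `totp`, `HotpVerifier` and `verify_totp` are hypothetical, and the seed is the RFC 4226 test-vector seed, not a real secret.

```python
import hashlib
import hmac
import struct

# RFC 4226 Appendix D test seed (public test vector, for illustration only).
SEED = b"12345678901234567890"


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then truncate."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # low nibble selects 4 bytes
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(seed: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP where the counter is the number of elapsed time steps."""
    return hotp(seed, unix_time // step, digits)


class HotpVerifier:
    """Server side: same seed, plus the next counter value it will accept."""

    def __init__(self, seed: bytes, counter: int = 0, look_ahead: int = 3):
        self.seed, self.counter, self.look_ahead = seed, counter, look_ahead

    def verify(self, code: str) -> bool:
        # The look-ahead window tolerates codes generated but never submitted.
        for c in range(self.counter, self.counter + self.look_ahead + 1):
            if hmac.compare_digest(hotp(self.seed, c), code):
                self.counter = c + 1             # older codes are now dead
                return True
        return False


def verify_totp(seed: bytes, code: str, unix_time: int,
                step: int = 30, drift: int = 1) -> bool:
    """Accept the current time step and `drift` steps either side (clock skew)."""
    now = unix_time // step
    return any(hmac.compare_digest(hotp(seed, c), code)
               for c in range(max(0, now - drift), now + drift + 1))


if __name__ == "__main__":
    print("HOTP counter 0:", hotp(SEED, 0))
    print("TOTP at t=59  :", totp(SEED, 59))
```

Everything the device needs is the seed and a counter or clock, which is why the storage of the seed file is the part of the design that decides how safe the token is.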

torne:
Using Rockbox as an OTP device isn't very secure as we don't have any way to store the seed that prevents it from being trivially copied. Software OTP tokens generally run on systems that can protect application data. Someone having access to your player for a few seconds would be enough to duplicate the seed without you knowing.

monoid:
The seed could be stored encrypted. So, just copying the file with the seed would not harm anyone.
