5 comments

[ 5.4 ms ] story [ 23.7 ms ] thread
This would be a great feature in a lot of web-based apps. Generate a few hundred passwords when you are on a secure connection, use them when needed.

Edit: I found a few implementations.

http://wordpress.org/extend/plugins/one-time-password/

http://alexking.org/blog/2008/06/27/phonefactor-10

http://henrik.schack.dk/yubikey-plugin/

http://blog.fastmail.fm/2008/07/21/one-time-and-sms-password...

http://squirrelmail.org/plugin_view.php?id=276

Yubikey looks interesting and they also have a web service API.

http://www.yubico.com/products/yubikey/ http://www.yubico.com/developers/api/

MyPW is another web service: https://www.mypw.com/

OpenOTP supports both hardware tokens (also supports Yubikeys) and all kinds of phones.

http://www.rcdevs.com/products/openotp/

So this is basically solve the same problems as http://en.wikipedia.org/wiki/SecurID, but using a paper sheet instead of a hardware/software generated key?
They are similar, but each has its advantages and disadvantages. According to the OTPW site:

"Admittedly, the security obtained by OTPW is not comparable with that of a challenge-response system in which the user has a PIN protected special calculator that generates the response. On the other hand, a piece of paper is much more portable, much more robust, and much cheaper than a special calculator. OTPW was designed for the large user base, for which an extra battery-powered device is inconvenient or not cost effective and who therefore still use normal Unix passwords everywhere."