Authentication Security

Securing websites and web apps with one-time passwords

As we all hopefully know by now, passwords on their own do not provide strong authentication. One way to provide strong authentication, especially for publicly accessible services, is to require a one-time password in addition to the regular password. Thankfully an industry standard for one-time passwords exists and is becoming widely implemented on both servers and clients.

Google Authenticator is an example of a free one-time password software token app (available on both Android and iOS) which can be used not only for Google services but also for Amazon Web Services and any other service that implements RFC 4226 (HOTP) or RFC 6238 (TOTP). But how do you go about implementing one-time passwords on the server side? If you are using Apache you can use mod_authn_otp, a free module for the Apache web server that implements one-time password functionality. It provides a simple way to protect websites and web applications with one-time passwords using any RFC 4226-compliant token device, including software tokens, and it also supports the Mobile-OTP algorithm. Using otptool, another tool shipped with mod_authn_otp, you can also integrate one-time passwords into other applications.