Mobile One Time Passwords

Mobile-OTP v.1.061

strong, two-factor authentication with mobile phones

Standard phone (J2ME) iPhone Google Android PalmOS Openmoko

SourceForge.net Logo
last update of this site: December 28th, 2009

(2009-12-28): Only three days after my release for Android, there is another one on Android Market supporting multiple profiles (see Links section).
(2009-12-25): Native Android version released due to popular demand. Find it in the Add-Ons section.
(2009-12-25): Minor update to the midlet (now v1.061). Other keys than digits, # and * are ignored (for compatibility with virtual keyboards like on the Nokia N97)
(2009-10-24): It is possible to integrate Mobile-OTP with FreeRADIUS instead of XTRadius (see Installation)
(2009-09-21): A second token client for the iPhone supporting multiple profiles has been released (see Links)
(2009-09-16): Mobile-OTP plug-in for DokuWiki released (see Links)
(2009-08-30): Mobile-OTP ported for PalmOS (see Add-Ons)
(2009-07-30): fix for the php-version of otpverify.sh (see Add-Ons)
(2009-07-26): new server-side implementations in MS-SQL and Perl (see Add-Ons)
(2009-07-02): mod_authn_otp for Apache supports Mobile-OTP (see Links)
(2009-06-11): iPhone token client available in the Links section
(2009-06-01): PHP code to validate Mobile-OTP passwords in PHP directly (see Add-Ons)
(2009-02-07): Mobile-OTP has been ported to Openmoko (see Links)
(2008-11-29): changed otpverify.sh to run with /bin/ksh
(2008-11-09): New version 0.4 of the PAM module in Add-Ons section
(2008-04-14): New version 0.3 of the PAM module in Add-Ons section
(2008-03-03): Added an icon to the MIDlet jar-file
(2008-02-10): How to install the MIDlet over the air (OTA) to your phone in Downloads section
(2007-02-24): New project website on extending and improving Mobile-OTP: www.freeauth.org
(2007-02-24): New PAM module v0.2 in Add-Ons section
(2007-02-07): mOTP+: Advanced Mobile-OTP MIDlet available in Links section (Thanks to Duane from www.cacert.org)
(2006-07-14): Mobile-OTP for BlackBerry handhelds available in Downloads section
(2004-06-16): New token version 1.06 with corrections of text placement on higher resolution displays. No need to upgrade, if lines do not overlap on your phone.
(2004-02-04): Mobile-OTP for Nokia IP Firewalls available in Add-Ons section
(2003-12-15): stand-alone Mobile-OTP PAM module in Add-Ons section

Index

  1. Index
  2. Introduction
  3. Downloads
  4. Installation
  5. FAQ
  6. Limitations
  7. Add-Ons
  8. Links
  9. Email Contact

Introduction

Using static passwords for authentication, as it is commonly done, has quite a few security drawbacks: passwords can be guessed, forgotten, written down and stolen, eavesdropped or deliberately being told to other people.
A better, more secure way of authentication is the so called "two-factor" or "strong authentication" based on one time passwords. Instead of authenticating with a simple password, each user carries a device ("token") to generate passwords that are valid only one time. Commercially available tokens look like pocket calculators or key fobs with a display and a keypad. To generate a one time password, the user has to enter his personal PIN into the device. So the authentication is based on two factors: the token device and a PIN ("something you have and something you know"). This is obviously more secure than just a password, as an attacker needs to get hold of both the PIN as well as the token device. In addition, eavesdropping on a password that is valid only one time, is of no use to the attacker.
On the other hand, the drawback of strong authentication is, that every user has to be provided with a token device. This can be quite expensive. Fortunately mobile phones that are capable of running java applets are becoming more and more widely spread. It stands to reason to use your mobile phone as an authentication token ...

Mobile-OTP is a free "strong authentication" solution for java capable mobile devices like phones or PDAs. The solution is based on time synchronous one time passwords. It consists of a client component (a J2ME MIDlet) and a server component (a unix shell script). The server component can easily be plugged into free RADIUS servers like XTRadius to authenticate users at routers, firewalls, web servers, access points, unix machines, etc.
The shell script should run without modification on any BSD-Unix or Linux. The java MIDlet should be compatible to any java enabled mobile phone (Nokia, Siemens, Motorola, Sony, BlackBerry, etc.).
The MIDlet, server-script and RADIUS server are freely available under the terms of GPL.

How it's done

The MIDlet generates one time passwords by hashing the following data with MD5:
  1. the current epoch-time in a 10 second granularity
  2. the 4-digit PIN that a user enters
  3. a 16-hex-digit secret that has been created when the device was initialized
When entering a PIN, the MIDlet displays the first 6 digits of the MD5-hash. This is the one time password. The password can be verified by the server, as the server also knows the current time, Init-Secret and PIN of the user. To compensate time differences, the server will accept passwords from 3 minutes in the past to 3 minutes in the future. In addition, different time offsets can be specified for each user on the token and/or the server. Each password will be accepted only once. After 8 successive failed authentication attempts a user gets locked out.
Authentication is based on two factors: a PIN known by the user and the Init-Secret stored on the mobile device.

Downloads

On the client side you will need the java MIDlet:

  • Version 1.061: MobileOTP.jar and MobileOTP.jad

    On the server side you will need the shell script:

  • Version 1.04: otpverify.sh.

    You should also download the RADIUS server found at XTRadius (FreeRADIUS is also possible, see below).

    There are also token clients for iPhone and Openmoko in the Links section.

    OTA install

    Just open http://motp.sf.net/MobileOTP.jad in your phone's WAP-browser.

    The MIDlet is also available for direct download at www.getjar.com.
    Just enter 2990 at their WAP-Download-Page.

    Source

    You can also compile the java MIDlet yourself. Here is the source: MobileOTP.java. You will also need the MD5 implementation in java by Santeri Paavolainen MD5.java.

    Installation

    This section describes the installation and configuration of the MIDlet and the server. Installation of the MIDlet is straight forward. Installation of the server takes a little bit more time but can be done in under an hour.

    Client-Installation (token)

    Load the MIDlet on the devices you plan to use. Installation of the .jar and .jad file is vendor specific. Usually java enabled phones come with some kind of application installer for PCs that allows to install MIDlets over IrDA or serial cable.
    When the MIDlet is installed, run it. You can enter PINs to generate one time passwords, but to use them you will need to initialize the device first and write the Init-Secret into the appropriate user-record on the authentication server.
    To initialize the token, press #**#. Enter an arbitrary sequence of 20 keys as a random seed. The Init-Secret that will be shown is not to be written down anywhere else but the server itself. You cannot display it again. If you press #**# any time later, the initialization string will change, i.e. the device will be re-initialized. The initialization of a device should always be done by the administrator of the authentication server, not the user himself. A user does not need to know the Init-Secret.

    Server-Installation (authentication server)

    To install and configure your authentication server, take the following steps:
    1. Copy the otpverify.sh-script to /usr/local/bin and make it executable by chmod'ing it to +x
    2. The script needs to have read/write access rights on /var/motp. Running it as root will make sure of this.
    3. try to run it. It should report: USAGE: otpverify.sh Username, OTP, Init-Secret, PIN, Offset
    4. run it again, this time supplying 5 arguments: otpverify.sh 1 2 3 4 5
      it should return: FAIL
    5. initialize a token. Write down the Init-Secret. Generate a one time password by entering 5555 on the token. Try to verify this password by running "otpverify.sh testuser {password} {Init-Secret} 5555 0"
    6. The script should return "ACCEPT". If it returns "FAIL", the clocks of server and token might differ. Take a look at the FAQ section.
    7. As soon as you successfully authenticated a user, you should continue by installing the XTRadius-server. Keep to the instructions provided at XTRadius.
    8. After the installation of the RADIUS server there are only 4 configuration-files to modify in /etc/raddb
    9. Add a new dictionary file to /etc/raddb. It is called dictionary.motp and contains three new RADIUS-attributes: Secret, PIN and Offset. You can download the file here.
    10. Add a line "$INCLUDE dictionary.motp" to /etc/raddb/dictionary, so that the new dictionary file will be loaded at server start up.
    11. Add 3 macros to /etc/raddb/execparams or replace it by this file.
    12. To create a /etc/raddb/users file containing your users, stick to this sample file: users. You can add further RADIUS attributes to each user entry, of course.
    13. You are all set. Start the RADIUS server in debug-mode (radiusd -sxxy) and test the authentication with the "radtest" client provided with the RADIUS server.
    Thanks to a tip by Piotr Zazakowny it is also possibe to integrate the otpverify.sh-script with FreeRADIUS instead of the (old but working) XTRadius.
    Please take a look at this example user record for the /etc/raddb/users file.

    FAQ

    How to test if authentication works?

    Before including the otpverify.sh-script into the RADIUS server, test it on the command-line:

    1. Make sure that the otpverify.sh-script has read/write-access to /var/motp
    2. Initialize a token by pressing "#**#"
    3. Write down the generated Init-Secret, e.g. 7ac61d4736f51a2b
    4. Generate a one time password by entering a PIN, e.g. PIN=5555, result: af6543
    5. Verify the one time password with the otpverify.sh-script: "otpverify.sh test af6543 7ac61d4736f51a2b 5555 0"
    6. The script should return "ACCEPT". If it returns "FAIL" there might be a time difference between the token and the server. See How to synchronize server clock and token clock?
    7. After successful authentication, try to authenticate with the same OTP again. It should fail, as a lock-file named "af65a3" has been touched in /var/motp/cache

    How to synchronize server clock and token clock?

    Both server and token base their time calculations on the unix epoch time (which is based on UTC), so theoretically any token should be always in sync with the server. Unfortunately some mobile phone devices do not know which time zone they are in, so there might be in fact a difference of several hours between server and token clock.

    To find out the offset between a token and the server, do the following:

    1. Access the "Info"-screen on the token, write down the 9-digit number under "Epoch-Time"
    2. Enter "date +%s" on the server to display the current time in epoch notation. Write down the first 9 digits of the output.
    3. Subtract both values. The result is the offset in 10s of seconds, i.e. an hour would be 360, two hours 720, etc.
    4. The offset has to be configured in the "users" file of the RADIUS server for the specific user (Offset-Attribute).
    5. Since version 1.05 there is the ability to alternatively set the time zone on the token itself as an offset in hours from UTC. So a user traveling to New York City would set the time zone on his Nokia phone to UTC-5 and change it back to UTC+1 when coming back to Berlin. The Offset configured for this user on the RADIUS server would be 0 at all times.
    6. You can verify authentication on the command-line by "otpverify.sh test {OTP} {Init-Secret} {PIN} {offset}"

    How to trouble-shoot authentication on the RADIUS server?

    After configuring the RADIUS server for external authentication through the otpverify.sh-script, you can start the RADIUS server in debug-mode by entering "radiusd -sxxy" and try to authenticate users. Use the "radtest" program for local debugging, that comes with the XTRadius distribution.

    1. If authentication fails with a script-return-code of "1", make sure that PIN, Init-Secret and offset are correct. It is most likely that you have to configure an offset other than "0" for this user. See How to synchronize server clock and token clock? for details.
    2. If the script returns "3", the account of this user has been locked as there have been 8 or more failed authentication attempts by this user. Delete the corresponding file in /var/motp/users to unlock the user account again.
    3. A return code of "4" says that the otpverify.sh-script has not been called with 5 arguments. Check the configuration of the external authentication in the "users"-file of the RADIUS server.
    4. A return code of "5" states that the specified password has already been used. Generate a new one time password and try to authenticate again.
    5. A return code of "6" indicates that you do not have "md5" or "md5sum" installed on your system.
    6. A return code of "7" is returned if the otpverify.sh cannot access the /var/motp directory to write a file.

    Limitations

    The following limitations apply to Mobile-OTP. Not all of them are Mobile-OTP specific but are also inherent to commercial solutions.
    1. PINs and Init-Secrets are stored in clear text on the RADIUS server. It is hence obligatory to keep the server save from unwanted access. This also applies to the log file of the RADIUS server /var/log/radius.log, that can contain authentication data.
    2. Mobile-OTP is based on a function of PIN x Init-Secret —> OTP. It is obvious, that anyone who has access to the Init-Secret and the PIN can authenticate with it. Neither PIN nor Init-Secret nor a thousand known one time passwords alone will let an attacker find both Init-Secret and PIN. If an attacker gains knowledge of either PIN or Init-Secret and one or more one time passwords, this information can be used in a brute-force attack that might be successful. As Mobile-OTP is an open software, there is no way around that. Increasing the number of digits in the PIN (a 16 digit Init-Secret is quite safe) would make a brute-force attack more difficult, but it would be unconvenient for users to remember and type in a 10 digit PIN.
    3. For devices that do not take time zones and daylight-savings-time into account when doing their epoch-time calculations, it might be necessary to manually adjust the Offset-attribute in the user record on the RADIUS server or alternatively one the token itself. For devices that are aware of time zones and daylight-saving-times, server-clock and token-clock should always be in sync.

    Add-Ons

  • Mobile-OTP PAM module

    Sebastian Korff wrote a PAM module for Linux and Solaris that can be used for login authentication locally without a RADIUS server. You do not even need otpverify.sh. The package includes the complete server components. You can download it here. Thanks go to Per Dalgas Jakobsen for contributing to version 0.4 (see CHANGELOG for details).

  • Mobile-OTP PAM module for Nokia IPSO

    Mobile-OTP is also available as a pre-compiled PAM-module for Nokia's IPSO operating system. Download the Nokia package here motp-0.2.tgz. It can be installed with 'newpkg' as any other Nokia package. Configuration can be done through the IPSO web interface Voyager!

  • Alternatives to the otpverify.sh-script

    Ralf Neumann donated a php function to authenticate Mobile-OTP tokens on web servers with PHP.
    Stanislav translated the php-version into Perl.
    And thanks to Brendon D Allen there is also a version as an MS-SQL stored procedure.

    Mind everyone that the Perl and php versions are not complete, as they do not verify if a password has already been used ...
    Thanks to K9Barry who modified the php-version to address this.

  • Mobile-OTP port for PalmOS

    Anthony E provided us with a Mobile-OTP token client for PalmOS.

  • Mobile-OTP port for Google's Android

    After getting quite a lot of requests on this, I just had to write a native version for Android. It is not on the market but you can download it from here (point your phone's browser to http://motp.sf.net/Mobile-OTP.apk)
    To compile it yourself, you will need this source file and the xml-layout.

    You will also find another Mobile-OTP for Android on the market, supporting multiple profiles, that was wrote by Chris and Michael Miceli.

    • Links

  • Mobile-OTP on iPhone - Thomas Lederer wrote a very nice iPhone token client (shake to initialize ...)

  • iOTP - Another version of Mobile-OTP on iPhone, supporting multiple profiles, by Gregor Ruttner

  • mOTP for Android - free Mobile-OTP with multiple profiles for Android on the market, by Miceli Bros.

  • otp4neo - Mobile-OTP compatible client on Openmoko (in python/gtk)

  • mOTP+ - Advanced Mobile-OTP MIDlet, hints and tips on www.freeauth.org
  • XTRadius - Free RADIUS Server with pluggable authentication
  • mod-authn-otp - Apache module for one-time password authentication with Mobile-OTP support
  • login_radius - RADIUS authentication for OpenBSD
  • mod_auth_radius - The RADIUS authentication module for the Apache web server
  • pam_radius_auth - The PAM RADIUS authentication module
  • DokuWiki plug-in - Mobile-OTP plug-in for DokuWiki

    Email Contact

    For comments and suggestions send email to mobile-otp @web.de