Update 11.07.14 - The app is now available as part of the Token2 project, check here.
MOTP vs Google Authenticator
Both MOTP and Google Authenticator are techniques (a phone-based application plus server-side authentication systems/services) for implementing strong security through two-factor authentication. Although MOTP has existed since 2003, it is clearly less popular than Google Authenticator, whose algorithm (TOTP) was only standardized in May 2011 as RFC 6238. This seems rather unfair, as MOTP offers the same level of security (see quick analysis here); however, it was originally designed to work on ordinary cell phones (now called "conventional"), so it lacks some features. In particular, its enrolment process was designed to run in the "client-to-server" direction: the unique key (secret) is generated on the device and then has to be entered into the user's profile on the authentication server (RADIUS, a database or plain config files; there are hundreds of server-side implementations of MOTP).
Comparison
Unlike MOTP, in TOTP-based systems the key is generated on the server and then shown to the client during enrolment. With Google Authenticator in particular, the key is shown as a QR code to be scanned by the app, which makes enrolment extremely easy. This, in my opinion, is the main advantage of Google Authenticator and the reason such systems are becoming more popular. However, there are some more key factors that differ, as shown in the table below.
| | MOTP | Google Authenticator (TOTP) |
|---|---|---|
| OTP generation algorithm | MD5 based | HMAC-SHA-1 based |
| OTP validity time | 10 seconds* | 30 seconds* |
| Additional PIN protection** | Yes | No |
| Key generation | Client side | Server side |
| Easy enrolment (with QR) | No | Yes |
| RFC based | No | Yes |
* OTP regeneration interval on the client. The server-side algorithm can be set to accept previous OTPs by adjusting the timestamp used: e.g. a loop from [time()-300] to [time()] will accept OTPs generated during an interval of 300 seconds. For example, Google seems to be accepting the current and one previous OTP (at least I saw this behavior on my personal Gmail account; I may be wrong).
** With MOTP, the PIN is effectively a portion of the key: it is fed into the hash together with the secret and the time slot, and it is stored only on the server. Users only have to remember it and type it into the client whenever an OTP is needed. With Google Authenticator's TOTP algorithm, the keys stored on the client and server sides must be identical. As the comparison table shows, the advantage of MOTP-based systems is an additional layer of protection (the PIN), although some may regard it as an inconvenience. At the same time, the lack of PIN protection (or at least the possibility of having one) is the main shortcoming of Google Authenticator.
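To make the two table columns and the footnotes concrete, here is an added example in Go (not code from the original post, from the MOTP project or from Google Authenticator) of both generators plus the server-side window check described in the first footnote. The secret, PIN and timestamps are constructed sample values, the function names are this example's own, the mOTP routine follows the published algorithm (first six hex digits of MD5 over the 10-second slot, the secret and the PIN) and the TOTP routine follows RFC 6238 with HMAC-SHA-1, a 30-second step and 6 digits.

```go
package main

import (
	"crypto/hmac"
	"crypto/md5"
	"crypto/sha1"
	"encoding/base32"
	"encoding/binary"
	"encoding/hex"
	"fmt"
	"strings"
	"time"
)

// motpCode is the mOTP generator: the first 6 hex digits of
// MD5(floor(epoch/10) || secret || pin). Because the PIN goes into the hash
// input, the phone needs only the secret while the server needs secret and PIN.
func motpCode(secret, pin string, epoch int64) string {
	sum := md5.Sum([]byte(fmt.Sprintf("%d%s%s", epoch/10, secret, pin)))
	return hex.EncodeToString(sum[:])[:6]
}

// totpCode is RFC 6238 with HMAC-SHA-1, a 30-second step and 6 digits, i.e.
// what Google Authenticator computes. key is the raw shared secret.
func totpCode(key []byte, epoch int64) string {
	var counter [8]byte
	binary.BigEndian.PutUint64(counter[:], uint64(epoch/30))
	mac := hmac.New(sha1.New, key)
	mac.Write(counter[:])
	h := mac.Sum(nil)
	off := h[len(h)-1] & 0x0f // dynamic truncation offset (RFC 4226)
	code := binary.BigEndian.Uint32(h[off:off+4]) & 0x7fffffff
	return fmt.Sprintf("%06d", code%1000000)
}

// decodeBase32 turns the base32 secret Google Authenticator transports into
// raw key bytes; padding is optional and case is ignored.
func decodeBase32(s string) ([]byte, error) {
	s = strings.ToUpper(strings.TrimRight(s, "="))
	return base32.StdEncoding.WithPadding(base32.NoPadding).DecodeString(s)
}

// verifyMOTP is the server-side check from the footnote: instead of comparing
// against only the current 10-second slot, walk every slot in the last
// `window` seconds (the footnote's loop from time()-300 to time()).
func verifyMOTP(secret, pin, otp string, now, window int64) bool {
	ok := false
	for t := now - window; t <= now; t += 10 {
		// constant-time compare, and keep scanning after a hit so the
		// response time does not reveal which slot matched
		if hmac.Equal([]byte(motpCode(secret, pin, t)), []byte(otp)) {
			ok = true
		}
	}
	return ok
}

// verifyTOTP accepts the current 30-second step plus `skew` steps on either
// side; skew=1 accepts the previous, current and next code.
func verifyTOTP(key []byte, otp string, now int64, skew int) bool {
	ok := false
	for i := -skew; i <= skew; i++ {
		if hmac.Equal([]byte(totpCode(key, now+int64(i)*30)), []byte(otp)) {
			ok = true
		}
	}
	return ok
}

// verifyMOTPNow is the call a server makes against its own wall clock.
func verifyMOTPNow(secret, pin, otp string) bool {
	return verifyMOTP(secret, pin, otp, time.Now().Unix(), 300)
}

func main() {
	secret, pin := "0123456789abcdef", "1234" // constructed sample credentials
	now := time.Now().Unix()
	otp := motpCode(secret, pin, now)
	fmt.Println("mOTP:", otp, "accepted:", verifyMOTPNow(secret, pin, otp))
	key, err := decodeBase32("JBSWY3DPEHPK3PXP") // the secret from the URI example on this page
	if err != nil {
		panic(err)
	}
	fmt.Println("TOTP:", totpCode(key, now), "accepted:", verifyTOTP(key, totpCode(key, now), now, 1))
}
```

Two points worth noting from the code: the 300-second loop makes an mOTP code usable for five minutes even though the client regenerates it every ten seconds, so the validity row in the table is really a property of the server's window, not of the algorithm; and `hmac.Equal` is used for both comparisons so that a byte-by-byte string compare does not leak how many leading characters of a guess were right.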
Solution(s)
So I see two different mechanisms and how each can be improved: MOTP should be enhanced with QR-code-based enrolment, and Google Authenticator should gain optional PIN protection. To keep compatibility with existing systems, I decided to develop two new OTP generators.
Solution #1: MOTP App with QR code enrolment
Nothing complex, but the QR code format needs to be standardized. I contacted Matthias Straub, the creator of MOTP, and he agreed to my proposal to use the URI format below:
motp://[SITENAME]:[USERNAME]?secret=[SECRET-KEY]
Example:
motp://SecureSite:[email protected]?secret=JBSWY3DPEHPK3PXP
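The enrolment round trip for this URI scheme, as an added example in Go that is not part of the original post or of the MOTP project: the server generates the secret, renders the `motp://` string for the QR code, and the phone parses it back into a profile. The `Profile` type, the function names and the sample site and username are this example's own; the 16-hex-character secret size is assumed to match what conventional mOTP clients expect. One caveat the format description does not mention: `SITENAME:USERNAME` is not an RFC 3986 authority, so a generic URL parser will misread a username that contains `@` (it would take `SecureSite` as the user, `user` as the password and the mail domain as the host); the parser below therefore splits the fields by hand and percent-escapes the delimiter characters.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// Profile holds the three fields carried by the motp:// URI.
type Profile struct {
	Site, User, Secret string
}

// fieldEscape protects the characters that delimit the URI ('%', ':', '?', '#')
// plus space, so that a username containing ':' or '?' survives the round trip.
var fieldEscape = strings.NewReplacer("%", "%25", ":", "%3A", "?", "%3F", "#", "%23", " ", "%20")

// newServerSecret generates the secret on the server, which is the whole point
// of QR-based enrolment. 8 random bytes rendered as 16 hex characters is an
// assumption chosen to match the secret size conventional mOTP clients use.
func newServerSecret() (string, error) {
	b := make([]byte, 8)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return hex.EncodeToString(b), nil
}

// buildMOTPURI renders motp://SITENAME:USERNAME?secret=SECRET for QR encoding.
func buildMOTPURI(p Profile) string {
	return fmt.Sprintf("motp://%s:%s?secret=%s",
		fieldEscape.Replace(p.Site), fieldEscape.Replace(p.User), url.QueryEscape(p.Secret))
}

// parseMOTPURI is what the phone runs on the scanned text. The authority is
// split by hand because net/url would read "SecureSite:user@example.com" as
// user "SecureSite", password "user", host "example.com".
func parseMOTPURI(raw string) (Profile, error) {
	const scheme = "motp://"
	if len(raw) < len(scheme) || !strings.EqualFold(raw[:len(scheme)], scheme) {
		return Profile{}, errors.New("not a motp:// URI")
	}
	authority, query, found := strings.Cut(raw[len(scheme):], "?")
	if !found {
		return Profile{}, errors.New("missing query string")
	}
	site, user, found := strings.Cut(authority, ":")
	if !found || site == "" || user == "" {
		return Profile{}, errors.New("expected SITENAME:USERNAME before '?'")
	}
	q, err := url.ParseQuery(query)
	if err != nil {
		return Profile{}, err
	}
	secret := q.Get("secret")
	if secret == "" {
		return Profile{}, errors.New("missing secret parameter")
	}
	if site, err = url.PathUnescape(site); err != nil {
		return Profile{}, err
	}
	if user, err = url.PathUnescape(user); err != nil {
		return Profile{}, err
	}
	return Profile{Site: site, User: user, Secret: secret}, nil
}

func main() {
	secret, err := newServerSecret()
	if err != nil {
		panic(err)
	}
	// constructed sample site and username
	uri := buildMOTPURI(Profile{Site: "SecureSite", User: "user@example.com", Secret: secret})
	fmt.Println("encode into the QR code:", uri)
	p, err := parseMOTPURI(uri)
	fmt.Printf("phone decoded: %+v (err=%v)\n", p, err)
}
```

The string returned by `buildMOTPURI` is what a QR library encodes; the secret only ever travels inside that image, so the enrolment page serving it should be treated as sensitive as a password reset link.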
Solution #2: TOTP App with PIN code protection
This is a simple task as well: the key is encrypted with a strong algorithm (AES, for example) and stored locally. Before generating OTP codes, the user has to enter the PIN the key was encrypted with, so that the OTP is generated from the correctly decrypted key. Two details matter in practice: the PIN should not be used as the AES key directly but run through a salted key-derivation function with a high iteration count, because a short numeric PIN has very little entropy; and, unlike with MOTP, the PIN is not part of the OTP computation and the server never sees it, it only unlocks the key on the phone.
Solution #3: Token2 OTP
I use MOTP a lot, and so I see another small inconvenience: the OTP codes it generates are alphanumeric (hexadecimal), which are slow to type. So I "forked" the MOTP project and started a new one called Token2 (which will become part of a bigger project later on).
Token2 is an exact copy of MOTP with one difference: it produces digit-only OTP codes.
Prototype app
I have quickly prototyped an app implementing all three solutions above. See the screenshots below for an idea of how it works.
I am making the first version for Android available; you can download the apk.
This is a prototype only, but I plan to release a stable app for Android, iOS and Windows Phone rather soon.
Main screen
Adding a new profile
Adding a new MOTP profile manually (as you can see, the old method of generating the key on the client is still possible)
The app automatically sets an icon for a profile if one is available (the key issuer is part of the URI encoded in the QR code)
Reviewing profile settings after scanning a QR code (PIN code for TOTP is optional)
OTP Generation for a MOTP Profile
OTP Generation for a TOTP Profile (classic, no PIN)
Touching the OTP copies it to the clipboard
OTP Generation for a TOTP Profile (with PIN protection enabled)
Settings window