MOTP vs Google Authenticator and a new OTP App / Updated

Update 11.07.14: the app is now available as part of the Token2 project, check here.


MOTP vs Google Authenticator

Both MOTP and Google Authenticator are techniques (a phone-based application plus server-side authentication systems/services) for implementing strong security via two-factor authentication. Although MOTP has existed since 2003, it is clearly less popular than Google Authenticator, which was released no earlier than May 2011, when the RFC for the authentication type Google uses for its two-factor authentication, RFC 6238, was filed. This does not seem very fair, as MOTP offers the same level of security (see the quick analysis here); however, it was originally designed to run on ordinary (now called "conventional") cell phones and therefore lacks some features. In particular, its enrolment process was designed to work in the "client-to-server" direction: the unique key (secret) is generated on the device and then entered into the user's profile on the authentication server (RADIUS, a database or plain config files; there are hundreds of server-side implementations of MOTP).

Comparison

Unlike MOTP, in TOTP-based systems the key is generated on the server and shown to the client during enrolment; with Google Authenticator in particular, the key is displayed as a QR code to be scanned by the app, which makes enrolment extremely easy. This, in my opinion, is the main advantage of Google Authenticator and the reason such systems are becoming more popular. There are, however, some more key differences, shown in the table below.

Feature                       MOTP           Google Authenticator (TOTP)
OTP generation algorithm      MD5 based      HMAC-SHA-1 based
OTP validity time             10 seconds*    30 seconds*
Additional PIN protection**   Yes            No
Key generation                Client side    Server side
Easy enrolment (with QR)      No             Yes
RFC based                     No             Yes

* OTP regeneration interval on the client. The server-side algorithm can be set to accept previous OTPs by adjusting the timestamp used: e.g. a loop from [time()-300] to [time()] will accept OTPs generated during an interval of 300 seconds. For example, Google seems to accept the current and one previous OTP (at least I saw this behavior on my personal Gmail account; I may be wrong).

** With MOTP the PIN is basically a portion of the key and is stored only on the server; users only have to remember it and type it into the client whenever an OTP is needed. With Google Authenticator's TOTP algorithm, the keys stored on the client and on the server must be identical. As the comparison table shows, the advantage of MOTP-based systems is an additional layer of protection (the PIN), although some may regard this as an inconvenience. At the same time, the lack of PIN protection (or at least the option of having one) is the main shortcoming of Google Authenticator.
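As an added illustration (my own code, not from the original post or from the MOTP/Token2 projects), here are both generators in Python together with server-side checks that implement the timestamp loop from the first footnote. The MOTP formula (MD5 over epoch/10, secret and PIN, first 6 hex characters) is the published Mobile-OTP algorithm; TOTP follows RFC 6238. The secret and PIN are constructed sample values.

```python
import hashlib
import hmac
import struct

# Constructed sample credentials for the demo (not real keys).
MOTP_SECRET = "9a8b7c6d5e4f3a2b"    # MOTP clients generate a 16-hex-char secret
MOTP_PIN = "1234"                   # typed by the user, stored only on the server
TOTP_KEY = b"12345678901234567890"  # the RFC 6238 test-vector key


def motp(secret: str, pin: str, ts: int) -> str:
    """Mobile-OTP: MD5 over (epoch//10 || secret || PIN), first 6 hex chars.
    The PIN is an input to the hash, so the phone never needs to store it."""
    return hashlib.md5((str(ts // 10) + secret + pin).encode()).hexdigest()[:6]


def totp(key: bytes, ts: int, step: int = 30, digits: int = 6) -> str:
    """TOTP per RFC 6238: HMAC-SHA-1 over the big-endian time step, then
    dynamic truncation to `digits` decimal digits."""
    mac = hmac.new(key, struct.pack(">Q", ts // step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify_motp(otp: str, secret: str, pin: str, now: int, window: int = 300) -> bool:
    """Server-side check implementing the footnote's loop: step the timestamp
    from now-window to now in 10-second increments and accept any match.
    A larger window tolerates more clock drift but also extends replay time."""
    return any(hmac.compare_digest(motp(secret, pin, ts), otp)
               for ts in range(now - window, now + 1, 10))


def verify_totp(otp: str, key: bytes, now: int, back_steps: int = 1) -> bool:
    """Accept the current code and `back_steps` previous 30-second codes,
    i.e. the behaviour the author observed on Gmail."""
    return any(hmac.compare_digest(totp(key, now - 30 * i), otp)
               for i in range(back_steps + 1))


if __name__ == "__main__":
    import time
    now = int(time.time())
    print("MOTP:", motp(MOTP_SECRET, MOTP_PIN, now))
    print("TOTP:", totp(TOTP_KEY, now))
```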

Solution(s)

So, I see two different mechanisms and how they can be improved: MOTP should be enhanced with QR code based enrolment, and Google Authenticator should have the option of PIN code protection. In order to keep compatibility with existing systems, I decided to develop 2 new OTP generators.

Solution #1: MOTP App with QR code enrolment

Nothing complex, but the QR code format needs to be standardized. I contacted Matthias Straub, the creator of MOTP, and he agreed with my proposal to use the URI format below:

motp://[SITENAME]:[USERNAME]?secret=[SECRET-KEY]

Example:

motp://SecureSite:[email protected]?secret=JBSWY3DPEHPK3PXP
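As an added example (my own code, not part of the original post or of the app), a parser for the motp:// enrolment URI above; the sample URI uses a constructed user name. It splits the authority on the first colon itself, because a user name may contain "@", which the standard username/hostname accessors would misinterpret, and it rejects anything that does not carry exactly one non-empty secret before the profile is stored.

```python
from urllib.parse import parse_qs, unquote, urlsplit


class MotpUriError(ValueError):
    """Raised when a scanned code is not a well-formed motp:// enrolment URI."""


def parse_motp_uri(uri: str) -> dict:
    """Parse motp://[SITENAME]:[USERNAME]?secret=[SECRET-KEY] into its parts.

    The site name doubles as the key issuer (used by the app to pick an icon).
    Everything is validated before it reaches the profile store: the scheme,
    the presence of both site and user, and exactly one non-empty secret.
    """
    parts = urlsplit(uri)
    if parts.scheme.lower() != "motp":
        raise MotpUriError("not a motp:// URI")
    # Do not use parts.username / parts.hostname: an '@' in the user name
    # would make them split the authority in the wrong place.
    if ":" not in parts.netloc:
        raise MotpUriError("expected [SITENAME]:[USERNAME] before the query")
    site, user = (unquote(p) for p in parts.netloc.split(":", 1))
    if not site or not user:
        raise MotpUriError("site name and user name must both be present")
    secrets = parse_qs(parts.query, keep_blank_values=True).get("secret", [])
    if len(secrets) != 1 or not secrets[0]:
        raise MotpUriError("exactly one non-empty secret parameter is required")
    return {"site": site, "user": user, "secret": secrets[0]}


if __name__ == "__main__":
    # Constructed sample URI in the format agreed above.
    print(parse_motp_uri("motp://SecureSite:user@example.com?secret=JBSWY3DPEHPK3PXP"))
```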

Solution #2: TOTP App with PIN code protection

This is a simple task as well: the key is encrypted with a strong algorithm (AES, for example) and stored locally. Before generating OTP codes, the user must enter the PIN code that the key was encrypted with, so that the OTP can be correctly generated from the decrypted key.

Solution #3: Token2 OTP

I use MOTP a lot, and therefore notice another small inconvenience: the OTP codes it generates are alphanumeric, which are slow to enter. So I "forked" the MOTP project and started a new one, called Token2 (which will become part of a bigger project later on).

Token2 is an exact copy of MOTP with only one difference: it produces digit-only OTP codes.

Prototype app

I have quickly prototyped an app that implements all three solutions above. See the screenshots below for an idea of how it works.

I am making the first version for Android available; you can download the APK here.

This is a prototype only, but I am planning to release a stable app for Android, iOS and WinPhone platforms rather soon.

Main screen

Adding a new profile

Adding a new MOTP profile manually (as you can see, the old method, generating the key on the client, is still possible)

The app automatically sets an icon for a profile if one is available (the key issuer is part of the URI encoded in the QR code)

Reviewing profile settings after scanning a QR code (PIN code for TOTP is optional)

OTP Generation for a MOTP Profile

OTP Generation for a TOTP Profile (classic, no PIN). Touching the OTP copies it to the clipboard.

OTP Generation for a TOTP Profile (with PIN protection enabled)

Settings window

Follow me: github, habrahabr, linkedin.
Feel free to contact me directly: emin --at huseynov --dot com