How do I generate One time passwords (OTP / HOTP)?

Question

We have decided to start work on Multi-factor authentication, by way of releasing an iPhone, Android and Blackberry app for our customers.

Think Google Authenticator's one-time password system.

I can get how I could generate a unique string by hashing using a SALT based on the account secret key plus the device serial number (or other unique identifier).

But does anyone have any idea how you could generate a unique, short number, in the way that google does? And/or does anyone have any good links to articles on achieving this kind of thing?

Many thanks

Answer 1

In the end I found that this was very well documented in RFC 4226 and regarding the integer conversion, this can be done using the bitwise operation shown on page 7, essentially it is the same as that shown in the answer below.

There was another post on stackoverflow regarding this in a C# context, which may be worth a read if you are in a similar position.

In C# I basically, hashed a time identifier (i.e. the current time in seconds divided by 30 - to get a long which is valid for the current 30-second interval). Then hashed this using my secret key as the SALT.

And then...

// Use a bitwise operation to get a representative binary code from the hash
// Refer section 5.4 at https://www.rfc-editor.org/rfc/rfc4226#page-7            
int offset = hashBytes[19] & 0xf;
int binaryCode = (hashBytes[offset] & 0x7f) << 24
    | (hashBytes[offset + 1] & 0xff) << 16
    | (hashBytes[offset + 2] & 0xff) << 8
    | (hashBytes[offset + 3] & 0xff);

// Generate the OTP using the binary code. As per RFC 4426 [link above] "Implementations MUST extract a 6-digit code at a minimum 
// and possibly 7 and 8-digit code"
int otp = binaryCode % (int)Math.Pow(10, 6); // where 6 is the password length

return otp.ToString().PadLeft(6, '0');

For those of you who didn't know, Google Authenticator is an open source project - you can browse the source code here.