HOTP on Android

I have updated the Android mOTP application to support the HOTP algorithm for One-Time Passwords.  This involved implementing HOTP in Java.  This was not such a chore thanks to Java's easy to use security tools.  However, after writing this from scratch, I realized at the end of the RFC was example source code in Java!  I used this reference implementation for the android app.  I did have to make a minor change to the reference implementation to support more than 10 digits of output for the generated password.

After this step was done, all that was required was to add an option to make a profile either a HOTP profile or a mOTP type, edit some database fields, and generate a new layout for the HOTP generation page.  The Mobile-OTP application is translated into three languages, English, Traditional Chinese, and Simplified Chinese.  A goal of mine was to have all additional strings required for this update to also be translated.  I have tried very hard to make this happen.

I also wanted to implement this change in such a way that if a third OTP comes around the corner (S/Key), that change wouldn't be so hard.  I didn't implement any design patterns per the Gang of Four, the code would not require that many modifications to support another algorithm.
Some screenshots for the visual people (often the first thing I look for when evaluating software):


    5 comments:

    Blaine said...

    I love this app on my evo thank you very much for taking the time to publish it! Are there any plans to support freeauth? The only thing holding me back from using freeauth is the lack of android compatible generators.

    Chris Miceli said...

    I have seen freeauth, but was not sure of its popularity. I can probably implement this shortly once I have a few moments.

    melkor said...

    Is there any Linux implementation of HOTP/OTP which your application supports?

    Chris Miceli said...

    @melkor
    One could take the HOTP reference implementation from the standard, but that would not be useful unless it was turned into a login module for RADIUS, PAM, or something of that sort. In that case, I regretfully do not know of an aplication that uses HOTP natively in linux. I wrote the application as a project for a class. I do know that the mOTP algorithm has a RADIUS implementation and can be utilized as a login mechanism in linux, but the algorithm is not as secure as HOTP in my opinion. I believe that google uses TOTP for their one time password system for business partners. I hope this helps.

    melkor said...

    Thanks for the answer Chris! I really appreciate it. I'm currently looking for a HOTP PAM module which can be used with your application so i can secure my SSH sessions. I have tried some Linux HOTP implementations but it seems that i cannot make them work with your Mobile-OTP Android app. I will continue looking and if i find something useful will let you know.