Introducing the “Welcome to Xojo” Bundle!

New to Xojo and looking for guidance? We've put together a terrific bundle to welcome you! Xojo Bundle

This bundle includes six back issues of the magazine -- all of year 21 in printed book and digital formats -- plus a one-year subscription (beginning with 22.1) so you'll be learning all about Xojo for the next year. It's the perfect way to get started programming with Xojo. And you save as much as $35 over the non-bundle price!

This offer is only available for a limited time as supplies are limited, so hurry today and order this special bundle before the offer goes away!

Article Preview

Buy Now

Issue 10.4 ('Extreme Programming')
Instant purchase and download via GumRoad!


HOTP Authentication

Generate one-time passwords with Google Authenticator App and validate them in Real Studio

Issue: 10.4 (May/June 2012)
Author: Mattias Sandström
Author Bio: Mattias is the programming CEO of Tangix Design & Development AB located in Sweden.
Article Description: No description available.
Article Length (in bytes): 21,443
Starting Page Number: 40
Article Number: 10407
Resource File(s):

Download Icon project10407.zip Updated: 2012-05-02 11:36:34

Related Web Link(s):


Excerpt of article text...

I hate static passwords! I cringe when I hear people using the same password for several systems, especially if they are static. In a previous article (RBD 7.5, July/August 2009) I looked at how to implement the Yubikey two-factor authentication that avoids static password but requires some kind of authentication service to be present. In this article I will describe another two-factor authentication system that does not rely on an authentication service but instead can handle the authentication locally.

My personal crusade for non-static passwords continues with a look at how to implement the HMAC-Based One-Time Password algorithm (or HOTP for short) together with the Google Authenticator smartphone app. A typical application for HOTP is for login to systems where authentication above a username and password combination is required, either for security or practical reasons.

Example of one-time-password systems

As an example, imagine a point-of-sales system where, for speed reasons and convenience, a clerk is able to open the register using a simple PIN. A PIN is perfect for the clerk for speed reasons but the PIN can be easily seen and remembered by an unauthorized person. However, the clerk's access level to the system is most likely limited and the PIN can only be used for the daily operations. Let us now add a manager with complete access to the system -- do we want him to access all of the administrative functions just using a simple PIN? The answer is most likely no, and a possible solution would be to let the manager use a static PIN followed by a non-static HOTP -- a basic two-factor authentication solution.

Another example of an HOTP application would be a web-service where we would like to protect the system from unauthorized access using a username and password combination that has been recorded by a malicious person. For convenience (the enemy of security!) the system has been designed to only require an HOTP when the user connects from a new IP-address. By this simple solution, the username and password captured by the malicious person is useless (unless of course the malicious user logins is on the same computer as the legitimate user).

HOTP and Google Authenticator App

...End of Excerpt. Please purchase the magazine to read the full article.