Well the idea itself is not new… but I don’t think anyone has applied it to use in an XOJO app… so my question … is there enough interest to make it worth my while.
The idea itself is not new, as a matter of fact I use something similar to access the security system on my remote access to work.
The app (an XOJO app written by someone other than me), requires secure access… it requests a user id and password (which the app it self validates by what ever means it desires), but it also asks for another code… this code changes every 30 seconds, and would require an app on an iPhone/iPad to supply it. The iphone displays a 6 (or 8) digit number that must be entered into the main app before it expires. So to access the main app, the user would have to know his/her username, their password, and have an iPhone with this new app running on it
If there is enough interest (for a price of course), I would produce an encrypted class to be included in the XOJO project, as well as an iPhone/iPad app (written in SWIFT) to supply the “magic number”.
There are other companies such as Symantec that supply similar programs, and the iPhone/iPad part is FREE, but they charge a fee for the server side…
Well, I was thinking of an “Authenticator”, but not anything specific to the Google etc… I mean what good is basing a security system on open-source code, giving everyone access to the algorithms etc…
Hah! That is an excellent point - the Black Duck people constantly quack on the subject.
More seriously though, very often a product being open source is anything but an open door to compromising it.
Linux is a good example of that- more bugs are found and trounced upon, in less time and with less cost, that a super secure closed source system like z/OS. And z/OS is very secure, not only is RACF hard to get around, but the darn system is really obfuscated to a degree that more or less precludes the average Joe from mocking with it successfully.
Google Authenticator, for example is pretty much “good enough” for average use, IMO. There are, of course, some things I won’t use it for. There are indeed, some things I don’t even allow on the network.
There is a big difference between what I’m thinking and Google Authenticator.
With Google, it sends you an email/text with a code in it… This code is then required to be entered into the system you are attempting to log in to …
That is NOT how what I am proposing would work.
The iPhone component of what I am thinking about, generates a code and displays it on your I device changing it every 30 seconds… The host system internally is also generating a code internally every 30 seconds… those two independently created codes must match to be authenticated. The host and client obviously must both share a pre-registered “private” key, which gives the advantage of extra security in the fact that the private key is “unique” to the host and i device pairing. Where the “public” part of the key is “time”…
The disadvantage (or advantage in some viewpoints), is if I lose, break or otherwise disable my phone, I must reestablish a new public key. Today for the remote work system I access, that requires I contact IT Security Department of the company I work for, and prove to them I am who I say I am.
Google Authenticator doesn’t send you an email. It works like other two-factor authentication devices in that it displays a token on your iPhone screen at set intervals (every 30 seconds I think). If you use bank software that requires two-factor authentication you might be familiar with the workflow; it’s essentially the same as that.
It is being used by some of the big boys, including Slack, Evernote, Dropbox, MailChimp, SalesForce, TeamViewer and of course Google Apps. And these are just the services we use in my company that can be set to use two-factor authentication provided by Google Authenticator. There are many more.
As far as I know, Google Authenticator has always been a TOTP app and I’ve never heard of a time-based authenticator sending an email. How would that even work? It sends you an email with a code and then 30 seconds later it sends you another one ad infinitum? Maybe you’re confusing it with another service?
I have been using two steps authentication from Google for quite a while. You sign in with a password, then Google requests a code. The code is sent through SMS, voice synthesis over the phone, or email. You get only one code.
It looks possible to employ an encryption algorithm based on the current time to come up with the six digits code. Brute force would seem rather difficult to apply to this.
The second step, from Google, can be email, text, or Google Authenticator. They are not all the same thing, just multiple choices. Of which, GA is arguably the most secure.
GA uses TOTP, or a time based authentication code based upon a shared secret. Here is a link to RFC 6238, which details it. SMS authentication can be used to implement it of course. There are still some folks who do nkt hsve smartphones.
@Dave S that’s not Google Authenticator, as @Paul Raulerson has pointed out. You’re confusing Goole’s 2-Step Verification with Google Authenticator which is a TOTP app.
There’s a Google Authenticator sample project at http://www.xdevmag.com/browse/10.4/10407/ - download the zip file at the top of the article and run test bench. The ‘Generate QR code’ bit wasn’t working for me. I used a sample code of 16 ‘a’ characters to make it easier to type; it works like a charm.
I think that there are only a few MBS calls in there. (Searching for ‘MBS’ gives me four mentions.)
The first is a comment and can be ignored.
The second is to do with loading the QR code, which isn’t 100% necessary - people can type in the ID. OK, that’s tedious, and it would be nice to have a QR code, but it’s not essential to the functioning of the project.
The third is generating a UUID to use as a seed; I’d argue that wasn’t strictly necessary - you can use microseconds or something else.
The fourth is probably the hardest to eliminate but it’s still trivial: remove the
Actually, the second is really only replacing chars in the URL string for loading the QR code. The QR code code wasn’t working because it was using POST, and it was returning 411 Length Required; changing the last line of LoadQRCodeFromServer from qrSocket.Post to qrSocket.Get makes the QR code work fine - it loads to screen and I’ve just scanned it into my Google Authenticator app on my phone. Working like a charm.