How it works

You HTTP-redirect users to us for TOTP authentication, and we redirect them back to you when done. You can then mark their web sessions as authenticated.

The client libraries we provide secure this communication.

An Example in Ruby

require "otpc"

class ExampleController < ApplicationController
  def dologin
    # Send the user to the TOTP service; the lambda runs when they are redirected back.
    redirect_to(
      auth(session, params[:login],
           lambda { |ctrl, userid, result|
             if result
               ctrl.session["authed"] = userid   # second factor passed
             else
               ctrl.session.delete("authed")     # failed: clear any earlier state
             end
             ctrl.redirect_to({ :action => "loggedin" })
           }))
  end
  ...
end

Benefits

We handle master key generation and storage, QR code generation together with its secure serving and deletion, helping users set up their smartphones, correct brute-force rate-limiting, time tolerances, use of secure random numbers, dealing with device loss, and the other issues that doing TOTP authentication right requires.

All of your users who have smartphones already have a TOTP device that can store their keys. Some of them may wish that you offered TOTP authentication so that hackers would be less likely to log in as them.

With TOTP, the one-time password is computed independently by the user and the verifier, so it never travels over email or SMS.
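The following is an added example of that independent computation (RFC 4226 HOTP and RFC 6238 TOTP) in Ruby; it is not part of the service's client library. It assumes a verifier that tolerates one 30-second step of clock drift in either direction, and uses the 20-byte test secret from the RFCs so the outputs can be checked against the published vectors.

```ruby
require "openssl"

# Constructed example secret: the 20-byte ASCII key from the RFC 4226 / RFC 6238
# test vectors, so the codes below can be checked against the RFCs.
TEST_SECRET = "12345678901234567890".b

# HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter, dynamic
# truncation to 31 bits, then reduce modulo 10^digits and zero-pad.
def hotp(secret, counter, digits: 6)
  mac = OpenSSL::HMAC.digest("SHA1", secret, [counter].pack("Q>"))
  offset = mac.bytes.last & 0x0f
  code = mac.byteslice(offset, 4).unpack1("N") & 0x7fffffff
  format("%0#{digits}d", code % 10**digits)
end

# TOTP (RFC 6238): the counter is the number of `step`-second intervals since
# the Unix epoch. The phone app and the verifier each compute this on their
# own; only the shared secret was ever transmitted, once, at enrolment.
def totp(secret, time = Time.now.to_i, step: 30, digits: 6)
  hotp(secret, time / step, digits: digits)
end

# Constant-time comparison so response timing does not leak how many leading
# characters of a guess were right.
def constant_time_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Verifier side: accept the code for the current step or up to `drift` steps
# either side of it, which absorbs clock skew between phone and server.
def totp_valid?(secret, candidate, time = Time.now.to_i, step: 30, digits: 6, drift: 1)
  (-drift..drift).any? do |d|
    constant_time_equal?(hotp(secret, time / step + d, digits: digits), candidate.to_s)
  end
end

if __FILE__ == $PROGRAM_NAME
  puts totp(TEST_SECRET, 59)                    # 287082 (RFC 6238 vector 94287082, 6-digit form)
  puts totp_valid?(TEST_SECRET, "287082", 59)   # true
end
```

A real verifier would also record the last accepted counter per user and refuse any code at or below it, so a one-time password is genuinely one-time even inside the drift window, and would rate-limit attempts as the page describes.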

Confidentiality

You needn't share users' actual IDs with us. Any unique handle will do, such as their database primary keys, so we can't log in as them. And in any case, we wouldn't know their passwords, the first factor of authentication.

Reliability

Our service must never go down and prevent your entire user base from logging into your site.

Authentication only requires looking up a user's master secret in a hash table. We run backup servers that support just this one operation. If the primary ever goes down, the client library tries the backup servers.

The backup servers are hosted in different continents. Their IPs are served up by two DNS servers, also on different continents.

Data at the backup servers lags the primary by only a few seconds.

Security

The HTTP-redirect-based communication between us is encrypted (AES-256 in CTR mode under a fresh nonce) and then MACed, to prevent tampering by the user and replay attacks.
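As an added illustration of that encrypt-then-MAC construction (not the service's actual wire format or client library), here is a Ruby sketch of sealing a redirect parameter and of the checks the receiving side performs. It assumes separate AES-256 and HMAC-SHA256 keys, a 16-byte random CTR nonce carried with the token, hex encoding for the URL, and an in-memory set of seen nonces standing in for a shared replay store; the keys and payload are constructed for the example.

```ruby
require "openssl"
require "securerandom"

# Constructed keys for this example only; a real deployment receives a per-site
# key pair from the service and keeps it out of source control. Encryption and
# MAC keys are distinct so neither can be substituted for the other.
ENC_KEY = OpenSSL::Digest.digest("SHA256", "example encryption key")
MAC_KEY = OpenSSL::Digest.digest("SHA256", "example mac key")
NONCE_LEN = 16  # AES block size, used as the CTR nonce/IV
TAG_LEN = 32    # HMAC-SHA256 output length

# Encrypt-then-MAC. A fresh random nonce per token is mandatory: CTR mode with
# a repeated nonce reuses the keystream and exposes both plaintexts.
def seal(plaintext, enc_key: ENC_KEY, mac_key: MAC_KEY)
  raise ArgumentError, "empty payload" if plaintext.empty?
  nonce = SecureRandom.random_bytes(NONCE_LEN)
  cipher = OpenSSL::Cipher.new("aes-256-ctr").encrypt
  cipher.key = enc_key
  cipher.iv = nonce
  ciphertext = cipher.update(plaintext) + cipher.final
  tag = OpenSSL::HMAC.digest("SHA256", mac_key, nonce + ciphertext)
  (nonce + ciphertext + tag).unpack1("H*")  # hex passes through a URL unchanged
end

def constant_time_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Receiving side. Order matters: verify the MAC before doing anything with the
# ciphertext, reject a nonce seen before (replay), and only then decrypt.
class Unsealer
  def initialize(enc_key: ENC_KEY, mac_key: MAC_KEY)
    @enc_key = enc_key
    @mac_key = mac_key
    @seen_nonces = {}  # in production: a shared store with an expiry window
  end

  # Returns the plaintext, or nil for anything tampered, replayed or malformed.
  def unseal(token)
    raw = [token].pack("H*")
    return nil if raw.bytesize <= NONCE_LEN + TAG_LEN
    nonce = raw.byteslice(0, NONCE_LEN)
    tag = raw.byteslice(raw.bytesize - TAG_LEN, TAG_LEN)
    ciphertext = raw.byteslice(NONCE_LEN, raw.bytesize - NONCE_LEN - TAG_LEN)
    expected = OpenSSL::HMAC.digest("SHA256", @mac_key, nonce + ciphertext)
    return nil unless constant_time_equal?(expected, tag)  # tampered or wrong key
    return nil if @seen_nonces.key?(nonce)                  # replayed token
    @seen_nonces[nonce] = true
    cipher = OpenSSL::Cipher.new("aes-256-ctr").decrypt
    cipher.key = @enc_key
    cipher.iv = nonce
    cipher.update(ciphertext) + cipher.final
  end
end

if __FILE__ == $PROGRAM_NAME
  token = seal("userid=42&result=ok")
  receiver = Unsealer.new
  p receiver.unseal(token)   # "userid=42&result=ok"
  p receiver.unseal(token)   # nil: same nonce presented twice
end
```

Note that the replay store must be shared across all servers that accept tokens, and that a timestamp inside the sealed payload lets the receiver bound how long a nonce has to be remembered.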