This post originally featured here on the hedgehog lab blog and was written by Ashish Anand.
Ashish is a Backend Developer with 7 years of experience. He is passionate about learning new technologies, always trying to do a lot of new things and occasionally driving himself to do some crazy stuff.
As more and more transactions are being carried out online, growing swathes of personal information – including sensitive financial data – are being sent over networks of varying security, exposing internet users to potential threats from the so-called ‘crackers’.
Indeed, it’s becoming so hard to keep information safe, either in storage or in transit, that breaches are now commonplace, with some of the most seemingly safe databases around the world being compromised. As we move into cloud and open source environments, it’s even more important that people take responsibility for securing both individual and enterprise data – even if it means taking additional steps to do so.
One option for those who wish to stay ahead in the security game is mobile verification – or Second Factor Authentication (2FA) to give it its proper title – which offers an extra layer of security in internet transactions and is bound to become more prevalent with the rise of IoT and mobile technologies.
2FA can come in two forms: the first is HOTP (HMAC-based One-Time Password), a counter-based code used to approve logins attempted on new devices, as well as all transactions; the second is TOTP (Time-based One-Time Password), where the code is derived from the current time.
In either case, the ‘second factor’ is generally a mobile device, to which a code will be sent when a login is attempted. This must then be entered into the appropriate field, meaning the user must have the phone on his or her person as well as be able to provide the correct user ID and password.
On the web interface, the implementation has two stages. The first is the normal login process, after which the user is redirected to an OTP page; at the same time, the OTP is sent to the mobile number or email address registered to the account, bringing the 2FA mechanism into play. When the form is submitted with the user-provided PIN, the script checks whether it matches the code produced by the algorithm.
As an example, consider the following code (here we’re using the Python package ‘pyotp’ but it’s possible to design your own algorithm and implementation):
Step 1: Get pyotp via pip
pip install pyotp
Step 2: Generation and verification using HOTP – HMAC-based One-Time Password:
import pyotp

def generateHOTP(userid):
    # Here the user id is used as the HOTP counter. In RFC 4226 this second value is a
    # per-user moving counter that must be incremented after every successful verification,
    # otherwise the same code is issued (and accepted) again and again.
    hotp = pyotp.HOTP('base32secret3232')
    return hotp.at(userid)

def verifyOTP(otp, userid=None):
    if userid:
        # HOTP branch: verify against the same counter value used for generation
        hotp = pyotp.HOTP('base32secret3232')
        if hotp.verify(otp, userid):
            return True
    else:
        # TOTP branch: the interval must match the one used when the code was generated
        totp = pyotp.TOTP('base32secret3232', interval=300)
        if totp.verify(otp):
            return True
    return False
otp = generateHOTP(userid)
If you want to send the generated OTP via email or SMS, call your own email/SMS alert implementation:
def send_email(email, otp):
    # write email functionality
    pass

def send_sms(mobile_number, otp):
    # write SMS functionality
    pass

send_email(email, otp)
send_sms(mobile_number, otp)
You can create an HTML text input to collect the value from the field and verify the entered OTP.
if verifyOTP(otp, userid):
    # do your stuff: show the dashboard
    pass
else:
    print('OTP Error')
    # return to the OTP page or the login page

def generateTOTP(userid, interval):
    totp = pyotp.TOTP('base32secret3232', interval=interval)  # interval in seconds
    return totp.now()
Here ‘interval’ is the OTP timeout in seconds; after this time the OTP expires automatically.
No doubt Second Factor Authentication will prove a nuisance now and then; in today’s fast-paced world, every second counts. It is, however, worth noting that we already use other forms of authentication, including barcodes, QR codes, and biometric identification, and with a growing number of ecommerce firms like Amazon and Uber using mobile numbers to enable transactions, mobile verification has become a preferred authentication method.
At hedgehog lab, we would also urge you to look at the whole picture – with increasingly advanced technology generating more and more security risk, surely it’s worth taking a moment to keep your data protected.