Dear web2py community, I am interested in using mOTP (motp.sourceforge.net) / Google Authenticator (http://code.google.com/p/google-authenticator/) with my web2py apps. Both mOTP and Google Authenticator have clients available for every possible platform (Android, iOS, BlackBerry, J2ME, Java, Windows Phone, etc.).
Integrating an OTP system into web2py will boost the security of web2py further :) .. the implementation needs to be complete (including a user self-registration page). mOTP looks very simple to implement. The process is:

- The user installs the OTP client on their phone.
- The OTP program is initialized; this generates a secret key (which is used while the user registers).
- The user also has to have a secret PIN (this is also given during registration).

The time on both the user's phone and the server has to be more or less in sync. To authenticate, the user just enters the secret PIN into the OTP program on his phone and an OTP is generated (the method by which the OTP is generated is simple: an MD5 hash of the UTC epoch time + secret string + PIN). The user then uses the OTP to log in. On the server this OTP is compared against the OTPs for the user's secret string and key for a 2-minute window. An example Python mOTP script is located here: http://motp.sourceforge.net/motp.py

My question is, how can we extend web2py auth to use mOTP? My guess is:

- Need to extend the auth table to store the secret key and the secret PIN (encrypting them is a must, I guess). How can I encrypt them with, say, AES?
- Then create a custom auth method which will check the username and the OTP generated by the mOTP program. How can I extend auth to do this?
- Also, how do I extend the user registration page?

Thanks in advance :) .. I would love to learn, develop and contribute this to web2py.

