LWN.net Logo

Not logged in

Log in now

Create an account

Subscribe to LWN

Recent Features

LWN.net Weekly Edition for May 23, 2013

An "enum" for Python 3

An unexpected perf feature

LWN.net Weekly Edition for May 16, 2013

A look at the PyPy 2.0 release

Printable page
Weekly edition Kernel Security Distributions Contact Us Search
Archives Calendar Subscribe Write for LWN LWN.net FAQ Sponsors

Opensource Android & Blackberry application for OTP authentication

Opensource Android & Blackberry application for OTP authentication

Posted Oct 14, 2010 17:57 UTC (Thu) by gutschke (subscriber, #27910)
Parent article: Fedora accepting YubiKey one-time passwords

Requiring one hardware token per service can get cumbersome quite quickly. Fortunately for Android and Blackberry users, they can instead use the open source Google Authenticator project. This allows the use of a single mobile application for an arbitrary number of OTP enabled services:

http://code.google.com/p/google-authenticator/
market://search?q=pname:com.google.android.apps.authenticator

This is currently supported by (some) Google accounts and is available as a PAM module for use by any PAM-enabled system. That means, Linux users can easily enable OTP support for all their services.

I am the author of the sample PAM module, so feel free to ask questions in this thread.

(Log in to post comments)

Opensource Android & Blackberry application for OTP authentication

Posted Oct 15, 2010 9:49 UTC (Fri) by mfedyk (guest, #55303) [Link]

what keeps one rogue app from compromising the otp key?

Opensource Android & Blackberry application for OTP authentication

Posted Oct 15, 2010 17:13 UTC (Fri) by gutschke (subscriber, #27910) [Link]

Are you worried about rogue applications on Android? If so, that should not be an issue as applications are protected from each other by the Android security model.

You could conceivably have a rogue application that uses a bug in the Android system to elevate privileges. Yes, in that case, all bets are off. But in that scenario an attacker could conceivably do a lot more damage anyway (e.g. use your e-mail account to recover passwords to your bank account). You really are at the mercy of your handset manufacturer to release security updates before this becomes a problem.

And you are at the mercy of your Android market provider (typically Google) to hopefully catch rogue applications early on and to remove them from the market and/or to notify your phone to disable them.

But all of this is clearly outside of the scope of the OTP project.

Or maybe you are worried about rogue applications on the Linux machine having access to your PAM module. Yes, they do. But that's not any different from rogue applications having access to your SSH credentials or being able to install backdoor applications.

Linux is not designed to safely allow execution of arbitrary untrusted code. If an attacker can run arbitrary code as either a user or worse as "root", then they can easily subvert all security for that account.

Sandboxing protects against specific attack vectors (e.g. in hardening browsers against attacks), but sandboxing of arbitrary untrusted binaries is still a largely unsolved problem.

Having said all of this, OTP in general is a good way to introduce a second factor that makes attacks a lot more difficult. But it is never going to be a way to make attacks impossible.

At some point, you have to realize that if a legitimate user can access the system, then a sufficiently motivated and resourceful attacker will also be able to do so. Nothing will ever prevent that. Ultimately, "rubber-hose cryptography" (aka torturing your victim until they agree to log into the system for you) always works.

All we can hope for is making attacks so expensive and difficult that they become unattractive. OTP is a step in this direction.

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds