One-time passwords are an alternative to the more common "permanent" passwords. The problem with a "normal" password is that it can be captured during communication, by fake login screens, or by keyloggers. Once a normal password is captured, it can be used until it is changed.
To avoid this replay attack, one-time passwords work just once: a new password is used for each login.
In this project, we build a device that generates HMAC-based one-time passwords (HOTP), based on a counter and a secret key. The algorithm used is described in RFC 4226, and is the same one employed by many sites (like GitHub) and applications (like Google Authenticator).
The counter is created from the current UTC time. To account for clock variations and user response times, the counter is incremented every 30 seconds. To obtain the counter, we connect to a WiFi network, get the current time using the NTP protocol and divide the current time by 30.
HMACs are normally used to check the integrity of a message. They generate a value (the hash) from a message and a key. RFC 4226 mandates the use of HMAC-SHA1, resulting in a 160-bit (20-byte) hash. The input message is the counter, encoded as 8 bytes with the most significant byte first (big-endian). RFC 4226 describes how to extract the password from the hash.
The full details can be seen at https://raspico.blogspot.com/2025/06/building-one-time-password-token.html