Bugtraq mailing list archives

otp - the next generation


From: Lukasz Luzar <lluzar () DEVELOPERS OF PL>
Date: Thu, 22 Mar 2001 01:36:23 +0100

SMSOTP - One-Time Passwords via SMS

Introduction
============

smsotp is an authorization system based on SMS (Short Message
Service). The system is the most reliable way of secure
authorization. It eliminates all disadvantages of a typical
login/password and any other otp implementations.

How does it work?
=================

When you want to log into the server from an untrusted network,
you send an SMS message with your real login and password
(e.g. "john 12blah45") in the body of the message to the GSM phone
connected to the server. When the server receives a message,
the smsotpd daemon processes the request in the following steps:

1. Checks whether the user is permitted to authorize from
   the sending phone number (checks the /etc/smsotp.access file).
2. When the user is _not_ permitted to use the smsotp authorization,
   no special actions are performed (except a warning via syslog()).
3. Otherwise the daemon does the login/password authorization,
   and if the authorization is successful it creates
   a ticket for the user in the /var/smsotp directory and saves
   there a temporary access code (e.g. "4f21"). Finally, it sends
   the ticket to the user's mobile phone. Otherwise the user
   receives the message "password incorrect".
4. When the user receives the SMS with the ticket (e.g. "4f21"),
   he is able to log into the system using that new temporary
   password.

  e.g.
        john@unix:~$ telnet blah
        Trying 127.0.0.1...
        Connected to localhost.
        Escape character is '^]'.

        blah login: john
        Password:            (type here "smsotp")
        Enter smsotp ticket: (type here your temporary ticket e.g. "4f21")

After successful authentication, the ticket is immediately removed.

A user has only 45 sec. for the authorization process;
after this time the ticket is automatically removed by the smsotpd daemon.

A user can send a request only from the specified phone number, otherwise
the request is _ignored_.
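As an added illustration (this is not the smsotp code itself), the following Python model walks through the four steps above together with the two rules just stated: a request from an unregistered number is dropped with only a log entry, a wrong password gets "password incorrect", a ticket is usable exactly once, and it dies after 45 seconds. The access list, the user database and the four-hex-digit ticket format are assumptions made for the example; the clock is injectable so the expiry can be exercised offline.

```python
import hashlib
import hmac
import secrets
import time

TICKET_TTL = 45  # seconds a ticket stays valid, as stated in the post

# Constructed stand-in for /etc/smsotp.access: which login may request a
# ticket from which phone number (the real file format is not shown in the post).
ACCESS = {"+48600123456": "john"}


def _hash_pw(salt: bytes, password: str) -> str:
    return hashlib.sha256(salt + password.encode()).hexdigest()


# Constructed user database; the real daemon would consult the system
# password database instead of this dictionary.
USERS = {"john": (b"salt-1", _hash_pw(b"salt-1", "12blah45"))}


class SmsOtpDaemon:
    """Minimal model of smsotpd: issue short-lived one-time tickets over SMS."""

    def __init__(self, clock=time.monotonic):
        self.clock = clock          # injectable so expiry can be tested offline
        self.tickets = {}           # login -> (ticket, expiry time)
        self.syslog = []            # stands in for the syslog() warnings

    def handle_sms(self, sender: str, body: str):
        """Process one incoming SMS; returns the reply text, or None if ignored."""
        parts = body.split(maxsplit=1)
        if len(parts) != 2:
            self.syslog.append(f"malformed request from {sender}")
            return None
        login, password = parts
        # Steps 1 and 2: the sending number must be registered for this login,
        # otherwise the request is dropped with nothing but a warning.
        if ACCESS.get(sender) != login:
            self.syslog.append(f"{sender} not permitted to request a ticket for {login}")
            return None
        # Step 3: ordinary login/password check before any ticket is issued.
        salt, digest = USERS.get(login, (b"", ""))
        if not hmac.compare_digest(_hash_pw(salt, password), digest):
            return "password incorrect"
        ticket = secrets.token_hex(2)   # four hex digits, like the "4f21" in the post
        self.tickets[login] = (ticket, self.clock() + TICKET_TTL)
        return ticket                   # this is what is sent back to the phone

    def expire_tickets(self) -> int:
        """Drop tickets older than TICKET_TTL; returns how many were removed."""
        now = self.clock()
        stale = [u for u, (_, exp) in self.tickets.items() if exp <= now]
        for u in stale:
            del self.tickets[u]
        return len(stale)

    def check_ticket(self, login: str, ticket: str) -> bool:
        """Step 4, login side: a ticket is good once, within its lifetime."""
        self.expire_tickets()
        entry = self.tickets.get(login)
        if entry is None:
            return False
        if not hmac.compare_digest(entry[0], ticket):
            return False
        del self.tickets[login]         # removed immediately after success
        return True


def login_prompt(daemon: SmsOtpDaemon, login: str, password: str, ticket: str) -> bool:
    """Models the telnet dialogue: typing "smsotp" as the password leads to the ticket prompt."""
    if password != "smsotp":
        return False   # the ordinary password path is not modelled here
    return daemon.check_ticket(login, ticket)
```

The two things worth copying from this sketch are the constant-time comparison of the ticket and the fact that a successful check deletes the ticket before returning, so a second login attempt with the same SMS cannot succeed even inside the 45-second window.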

Platforms and requirements
==========================

The package was tested on Linux Slackware 7.1 with the gnokii-1.3.2 package
and a NOKIA 5110 phone connected to the server via a special serial cable.

Integration
===========

The integration process is very easy. When you want to add smsotp
support to your package, you need to do the following steps:
 - copy the smsotp.c and smsotp.h files into your source tree,
 - add the proper build steps to your Makefile,
 - update your authorization procedure with the smsotp_auth() function,
   and add the #include "smsotp.h" line at the beginning of the file.

An example login(1) patch for Linux Slackware 7.1 is available
at the official website.

It's an early beta version of the package.
So, all comments and bug reports are welcome...:-)

For more information, see:
http://developers.of.pl/projects/smsotp/

Btw. I am looking for an organization/company/agency that would be
     interested in a kind of sponsorship of my security related research
     and/or study at a university in US.

Cheers,

--
Lukasz Luzar
http://developers.of.pl/
Crede, quod habes, et habes

