Last week I discussed the new API design in Blesta 3.0.  This week I wanted to touch on the topic of two-factor authentication.

Two-factor authentication requires that a user wishing to sign into an account enter both something they know (a username and password) and something they have (a physical token).  There are many different methods of proving a user is who they say they are, but one of the best and easiest to use is one-time passwords.

Since most users reuse and tend to never update their passwords, if one system is compromised an attacker may have access to all systems the user has access to.  To solve this issue, OATH published the HMAC One-Time Password Algorithm (RFC 4226), and the TOTP addendum (a time based OTP algorithm).

TOTP requires that a user enter a 6 or 8 digit code that changes every 30 seconds, and once a code is used it can’t be used again.  All a user needs to do is share the secret key on their TOTP device with the server they want to authenticate with and they’re ready to go.

We were so excited to include TOTP, as well as Mobile-OTP, with Blesta 3.0, we had to port it over to 2.5.  And here at the office, we can’t imagine how we ever lived without it.

For the iPhone we recommend the following apps:

OATH Token – TOTP token

iOTP – Mobile OTP token