When I recently built the current incarnation of my blogging software, I decided against passwords. Passwords are quite ugly things. One of the things that irritates me most is people doing "password protection" on files. Access control lists is much more secure because you can revoke someone's access to a resource without having to spread a new password to other users. So, no passwords.
I've solved this by using OpenID. I can login with any of my fifteen or so OpenIDs to post to my blog. But what about having a two-factor authentication instead? Why not use that gadget I carry around with me called a phone? People carry around these silly-looking RSA SecurID things. But I carry around a phone with me. Why not just generate a hash key on that?
To solve this, I wrote a J2ME midlet called CellFob that generates a new token using SHA-1 every one hundred seconds based on a pre-loaded seed key. I had put this together a while back, but for some reason my old Motorola V3 RAZR just borked on the damn thing, despite it working with the emulators. Then I changed my phone to a Sony-Ericsson W810i, so decided to reload the JAR file. It works great. There's something really cool and magic when one loads one's first J2ME app on to your phone. It makes the whole platform feel so much more open, just like a terminal window does compared to a DOS prompt on modern computers or a BASIC interpreter on old computers like the BBC Micro. Ah, nostalgia.
Anyway, I have implemented it on my blog's management utility. Just took the hashing procedure from my Java client and rewrote it in PHP. Amazingly, it works! This is being used for me as a backup when OpenID fails. Which it does occasionally. Some portable devices don't seem to support some of the major OpenID servers very well.
The whole thing isn't terribly high security, alas. The problems that exist are mainly focused on ensuring that the client and the server are running with times relatively close to one another. When I was first testing it on my laptop, my phone was a few minutes behind my laptop and it wouldn't work. More seriously, there are probable timezone issues. In order to get it to work reliably, one would have to make sure that the client and server are both hashing the same timezones. If one were to try and turn this into a product, setting it to use what it believes to be GMT would solve that problem. Similarly, what with rainbow tables and so on, one should remain cautious about the security of SHA-1. Hashing algorithms are a trade-off between all sorts of difficult factors. I read my Bruce Schneier fanatically, but I'm still not sure that widespread promotion of using SHA-1 tokens is the best way forward. Plus it needs to be easy for the user to revoke 'fob' identification - in case their phone is compromised.
Bug me in real life and I'll show you. I may even record a video of it if you guys want it. And if there's no glaring security problems, I'll release the (alpha-grade) J2ME code. Open source developers should be ripping things like SecurID to shreds and replacing them with a simple two-factor authentication scheme that could be applied by individuals rather than large corporations.
