
Open source alternatives for two-factor authentication with TOTP codes

One-time passwords (OTPs) are increasingly being used as a defense against phishing and other types of attacks aimed at stealing login credentials. They’re usually an integral part of the two-factor authentication process — here are some open source alternatives to names like Google Authenticator and Microsoft Authenticator.

Two-factor authentication (2FA) is a security procedure that requires the user to provide two different authentication factors to access an account or system. One of the most common and secure two-factor methods is based on one-time passwords, valid for a short period of time, known as OTP codes (One-Time Password).

OTP-based two-factor authentication requires a single-use password generator, such as a hardware token or a software application (usually installed on a mobile device such as a smartphone, but often also available in a version for desktop systems). When the user wants to access an account or system protected by OTP-based two-factor authentication, they are first asked to log in with the correct username and password and then to enter the one-time password generated by the OTP device.

The one-time password is generated by a cryptographic algorithm that uses a secret shared between the OTP device and the authentication system. The one-time password is valid only for a short time (a matter of seconds) and cannot be reused, which makes it difficult for attackers to use it to access someone else’s account.

OTP-based two-factor authentication is increasingly common in many contexts, such as access to online services, the security of financial transactions and access to corporate networks.

Where possible, it is always advisable to avoid receiving OTP codes via SMS, a channel now considered unsafe. First, OTPs sent via SMS can be intercepted or phished; second, SMS delivery is exposed to spoofing attacks, in which attackers send a message that appears to come from the authentication system but is actually crafted to deceive users. In another article we explain in detail what SMS spoofing and smishing are.

When it comes to two-factor authentication via OTP we often think of applications such as Google Authenticator or Microsoft Authenticator, but it is not essential to rely on proprietary apps: the open source world offers many first-rate alternatives. Authy, for example, is fairly well known.

What is TOTP (Time-Based One-Time Password)

In the case of the applications mentioned, however, one should more precisely speak of TOTP, the generation of time-based one-time passwords: a specific algorithm generates one-time passwords that are valid only for a short period of time. As we explained in the article mentioned at the beginning, the single-use code is produced by a TOTP algorithm that combines a secret with a timestamp (the current time) and returns a 6-digit numeric code that is valid only for a limited amount of time, usually 30 seconds. After this time window, the TOTP application generates a new code, different from the previous one.

Apps that generate TOTP codes can be used to demonstrate possession of the secret at a specific moment in time. They are convenient because they require no special hardware: any device with a CPU and a correctly set clock can generate a valid TOTP code.
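The two paragraphs above describe the mechanism in words; the following Python code, added here as an illustration and not taken from any of the apps discussed, implements it as specified in RFC 4226 (HOTP) and RFC 6238 (TOTP): the shared secret is decoded from its base32 form, HMAC is computed over the current 30-second time step, and dynamic truncation reduces the digest to a 6-digit code. A small server-side verifier is included to show the two checks a relying party needs: a tolerance window for the "properly set clock" requirement, and a record of the last accepted time step so that a code cannot be reused. The secret used in the demo is the public test key from the RFCs, not a real credential.

```python
import base64
import hashlib
import hmac
import struct
import time


def decode_base32_secret(secret: str) -> bytes:
    """Decode a TOTP secret as shown in an otpauth URI or QR code.

    Such secrets are base32, usually without '=' padding, and are often
    displayed in lowercase or in space-separated groups; normalise first.
    """
    cleaned = secret.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def hotp(key: bytes, counter: int, digits: int = 6, algorithm=hashlib.sha1) -> str:
    """HOTP (RFC 4226): HMAC over the 8-byte big-endian counter, then
    'dynamic truncation' selects 31 bits and keeps the last `digits` digits."""
    digest = hmac.new(key, struct.pack(">Q", counter), algorithm).digest()
    offset = digest[-1] & 0x0F
    binary = (
        (digest[offset] & 0x7F) << 24
        | digest[offset + 1] << 16
        | digest[offset + 2] << 8
        | digest[offset + 3]
    )
    return str(binary % 10 ** digits).zfill(digits)


def totp(key: bytes, unix_time: int, period: int = 30, digits: int = 6,
         algorithm=hashlib.sha1) -> str:
    """TOTP (RFC 6238) is HOTP with the counter replaced by the time step."""
    return hotp(key, unix_time // period, digits, algorithm)


class TotpVerifier:
    """Server-side check: accept the current step plus/minus `skew` steps to
    tolerate clock drift, and never accept the same step twice (no replay)."""

    def __init__(self, key: bytes, period: int = 30, digits: int = 6, skew: int = 1):
        self.key, self.period, self.digits, self.skew = key, period, digits, skew
        self.last_accepted_step = -1  # highest time step already consumed

    def verify(self, code: str, unix_time: int) -> bool:
        step = unix_time // self.period
        for candidate in range(step - self.skew, step + self.skew + 1):
            if candidate <= self.last_accepted_step:
                continue  # this step (or an older one) was already used
            expected = hotp(self.key, candidate, self.digits)
            # constant-time comparison so timing does not leak digit matches
            if hmac.compare_digest(expected, code):
                self.last_accepted_step = candidate
                return True
        return False


# Constructed demo: the RFC 4226/6238 test key "12345678901234567890", base32-encoded.
RFC_TEST_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

if __name__ == "__main__":
    key = decode_base32_secret(RFC_TEST_SECRET_B32)
    print("current code:", totp(key, int(time.time())))
```

The verifier accepts a code from the previous or next 30-second step (one step of skew in each direction), which is the usual compromise between tolerating slightly wrong phone clocks and keeping the validity window short; the `last_accepted_step` record is what turns "valid for 30 seconds" into "valid once".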

Many users are somewhat reluctant to use apps like Google Authenticator and Microsoft Authenticator because they do not trust proprietary code and fear being locked out of their online accounts if the device is lost or stolen. Google recently enabled cloud backup of TOTP authentication data (the tokens), but the lack of end-to-end encryption caused an outcry. So much so that the Mountain View company decided to act quickly and enable end-to-end encryption in Authenticator as well.

OTP apps for two-factor authentication from the open source world: Aegis and FreeOTP+

If you are looking for alternatives to the Authenticator apps from Google and Microsoft, you can look with confidence at open source offerings such as Aegis and FreeOTP+.

Aegis can be downloaded for free and stores the tokens used to generate OTPs for your accounts in an encrypted local vault. The vault can be protected with a password and optionally also with biometric data such as a fingerprint or face recognition. If you forget the password that protects the contents of the Aegis vault, there is no way to recover your tokens.

Using the fingerprint sensor significantly speeds up authentication, although Aegis sometimes still asks you to confirm the password: “so you don’t risk forgetting it…”, as the application’s authors put it. Too bad it always happens when you are in a hurry to access a service.

TOTP secrets are arbitrary base32 strings and, therefore, are not pleasant to type on a phone keyboard. Fortunately, most services that rely on OTP codes can generate a QR code containing the secret: Aegis, like other applications in the same category, can use the smartphone camera to read it, acquire its content and quickly configure a new account among those supported.

By default, Aegis shows a screen listing all configured services and displaying the currently valid OTP for each of them. By tapping on a service you can copy its OTP code to the clipboard and paste it into a form elsewhere.

Aegis includes various features for importing and exporting data: the import screen is one of the application’s strengths, supporting a wide range of third-party applications, including Google Authenticator, Microsoft Authenticator and Cisco Duo.

As for export, the file is encrypted by default, unless the user changes a couple of options whose use is strongly discouraged.

Another TOTP app that we highly recommend is called FreeOTP+ and is a fork of FreeOTP, originally released by Red Hat under the Apache 2 license. At first glance FreeOTP+ looks similar to Aegis: it presents a single screen that is gradually populated with the accounts added by the user.

Compared to Aegis and other similar solutions, FreeOTP+ does not display the valid OTP code for an account until it is tapped. The application can be set to require authentication at startup before showing any code, but this behaviour is not enabled by default.

Like Aegis, FreeOTP+ can add TOTP secrets to its archive from a QR code, but it offers much more limited import and export options. There is also no support for organizing accounts into groups, which Aegis allows.

On the desktop, the open source password manager KeePassXC also allows TOTP codes to be managed: recently subjected to an audit aimed at verifying its security, and with passkey support due to be added soon, KeePassXC lets you enable TOTP simply by going to the Advanced section.

Here, after you enter the otpauth://totp/ string, KeePassXC displays a small clock face which, when clicked, calculates and displays a valid OTP code. The program documentation recommends storing TOTP data in a separate database from the one containing the passwords, possibly even on a different device. The reason for the suggestion is obvious: you should never keep the secret from which the OTP codes are generated next to the login credentials for the various accounts.
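The otpauth://totp/ string that KeePassXC accepts is the same "key URI" format that the QR codes mentioned earlier encode, and it carries the secret in base32 together with the parameters the generator must honour. The following Python parser, added here as an example and not code from KeePassXC, Aegis or FreeOTP+, extracts and validates those fields (type, issuer, account, secret, algorithm, digits, period or counter); it follows the widely used key URI format, and the rejection rules (6 or 8 digits, positive period, known hash algorithm, decodable non-empty secret) are the checks an application importing such a URI should perform before storing it. Sample URIs in the test use the public RFC test key, not a real credential.

```python
import base64
from dataclasses import dataclass
from urllib.parse import parse_qs, unquote, urlparse

ALLOWED_ALGORITHMS = {"SHA1", "SHA256", "SHA512"}


@dataclass
class OtpAccount:
    otp_type: str      # "totp" or "hotp"
    issuer: str
    account: str
    secret: bytes      # decoded shared secret
    algorithm: str
    digits: int
    period: int        # meaningful for totp only
    counter: int       # meaningful for hotp only


def parse_otpauth_uri(uri: str) -> OtpAccount:
    """Parse and validate an otpauth:// key URI, raising ValueError on any defect."""
    parts = urlparse(uri)
    if parts.scheme != "otpauth":
        raise ValueError("not an otpauth URI")
    otp_type = parts.netloc.lower()
    if otp_type not in ("totp", "hotp"):
        raise ValueError(f"unsupported OTP type {otp_type!r}")

    # The label is "issuer:account" (percent-encoded); the issuer part is optional.
    label = unquote(parts.path.lstrip("/"))
    if ":" in label:
        label_issuer, account = (s.strip() for s in label.split(":", 1))
    else:
        label_issuer, account = "", label.strip()
    if not account:
        raise ValueError("missing account name in label")

    # parse_qs percent-decodes values; keep the last value of any repeated key.
    params = {k: v[-1] for k, v in parse_qs(parts.query).items()}

    if "secret" not in params:
        raise ValueError("missing secret parameter")
    secret_b32 = params["secret"].replace(" ", "").upper()
    try:
        secret = base64.b32decode(secret_b32 + "=" * (-len(secret_b32) % 8))
    except Exception as exc:  # binascii.Error for non-base32 input
        raise ValueError("secret is not valid base32") from exc
    if not secret:
        raise ValueError("empty secret")

    param_issuer = params.get("issuer", "")
    if label_issuer and param_issuer and label_issuer != param_issuer:
        raise ValueError("issuer in label and issuer parameter disagree")
    issuer = param_issuer or label_issuer

    algorithm = params.get("algorithm", "SHA1").upper()
    if algorithm not in ALLOWED_ALGORITHMS:
        raise ValueError(f"unsupported algorithm {algorithm!r}")

    digits = int(params.get("digits", "6"))
    if digits not in (6, 8):
        raise ValueError("digits must be 6 or 8")

    period = int(params.get("period", "30"))
    if period <= 0:
        raise ValueError("period must be positive")

    if otp_type == "hotp" and "counter" not in params:
        raise ValueError("hotp URIs require a counter parameter")
    counter = int(params.get("counter", "0"))

    return OtpAccount(otp_type, issuer, account, secret, algorithm, digits, period, counter)


if __name__ == "__main__":
    # Constructed sample URI using the RFC 4226/6238 test key.
    demo = ("otpauth://totp/Example:alice%40example.com"
            "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example&digits=6&period=30")
    print(parse_otpauth_uri(demo))
```

Once parsed, the `secret` bytes are exactly what the HMAC in the TOTP computation consumes, which is why the documentation advice quoted above matters: a database holding these URIs holds everything needed to generate codes, and should not live next to the passwords it is meant to protect.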
