ChapterPDF Available

A Complete One-Time Passwords (OTP) Solution Using Microservices: A Theoretical and Practical Approach

Authors:

Abstract and Figures

The objective of this paper is to share the knowledge required for developing a One-Time Password (OTP) system and the practical experience of developing a real one using microservices and different programming languages, remembering that the OTP is the most popular mechanism to carry out a two-factor authentication process. To achieve this purpose, an incremental iterative methodology was used that allowed the prototype to be implemented in different parts. The developed prototype was designed to work in mobile applications with iOS and Android operating systems. In this work, different types of OTP algorithms were used, such as HMAC-based One-Time Password, Time-based One-Time Password and True Random Number Generator. Additionally, for the development of the prototype, various tools and frameworks such as Flask, React Native and Flutter were used, which allowed the development of application components in an agile and efficient manner. The combination of these programming languages and tools resulted in a more efficient and effective implementation of the OTP generator prototype. Once the proposed system was developed, different types of tests were carried out to verify its optimal and efficient functionality.KeywordsAuthentication processOne-Time PasswordsOTPOTP generatorsTwo-Factor Authentication2FA
Content may be subject to copyright.
A Complete One-Time Passwords (OTP)
Solution Using Microservices: A Theoretical
and Practical Approach
Luis E. Almeida1,2, Brayan A. Fernández1,2 , Daliana Zambrano1,2,
Anthony I. Almachi1,2, Hilton B. Pillajo1,2 , and Sang Guun Yoo1,2,3(B)
1Departamento de Informática y Ciencias de la Computación, Escuela Politécnica Nacional,
Quito, Ecuador
sang.yoo@epn.edu.ec
2Smart Lab, Escuela Politécnica Nacional, Quito, Ecuador
3Departamento de Ciencias de la Computación, Universidad de las Fuerzas Armadas ESPE,
Sangolquí, Ecuador
Abstract. The objective of this paper is to share the knowledge required for
developing a One-Time Password (OTP) system and the practical experience of
developing a real one using microservices and different programming languages,
remembering that the OTP is the most popular mechanism to carry out a two-
factor authentication process. To achieve this purpose, an incremental iterative
methodology was used that allowed the prototype to be implemented in differ-
ent parts. The developed prototype was designed to work in mobile applications
with iOS and Android operating systems. In this work, different types of OTP
algorithms were used, such as HMAC-based One-Time Password, Time-based
One-Time Password and True Random Number Generator. Additionally, for the
development of the prototype, various tools and frameworks such as Flask, React
Native and Flutter were used, which allowed the development of application com-
ponents in an agile and efficient manner. The combination of these programming
languages and tools resulted in a more efficient and effective implementation of
the OTP generator prototype. Once the proposed system was developed, different
types of tests were carried out to verify its optimal and efficient functionality.
Keywords: Authentication process ·One-Time Passwords ·OTP ·OTP
generators ·Two-Factor Authentication ·2FA
1 Introduction
In 1981, Leslie Lamport proposed a secure password authentication method based on
a one-way encryption system [1], which allowed users to submit their password to the
authentication system securely, even if the communication channel was compromised.
This one-way hashing approach is resistant to encrypted password recovery attacks
but has some limitations, e.g., the need to share a secret key between the authentication
system and the user; if an attacker manages to obtain the secret key, he/she can crack the
© The Author(s), under exclusive license to Springer Nature Switzerland AG 2023
U. R. Krieger et al. (Eds.): I4CS 2023, CCIS 1876, pp. 68–86, 2023.
https://doi.org/10.1007/978-3-031-40852-6_4
A Complete One-Time Passwords (OTP) Solution Using Microservices 69
stored passwords and compromise the security of a user’s account. Therefore, Lamport’s
method requires careful handling of the secret key to ensure the security of authentication.
Following Lamport’s work, further research in the field of password authentication
continued, and in 1995, a paper detailing an authentication system based on one-time
passwords, called S/Key, was published [2]. S/Key was designed to provide a high level
of security in user authentication. The S/Key system is based on the generation of a
password that can only be used once. The password is generated from a secret key
shared between the user and the server, using a mathematical algorithm. To perform
authentication, the server only needs to know the value of the secret key, since the key
generation is done on the user’s device. However, the security of the S/Key system largely
depends on the security of the secret key shared between the user and the server. If the
key is compromised, the entire security of the system is compromised [2].
In 1998, a one-time password authentication system, known as One-Time Pass-
word (OTP), was introduced to improve user authentication security. This system has
been implemented in various applications, including remote access applications and
authentication of financial transactions. Based on this work, improvements have been
developed such as HMAC-Based One-Time Password (HOTP) [3], which is based on
the Hash-based Message Authentication Code (HMAC) algorithm to generate one-time
passwords.
An improvement to HOTP is Time-Based One-Time Password (TOTP) [4], which
shares the same main idea as HOTP, but uses the current time as input instead of a
counter. Time is divided into fixed intervals that are used as counters to generate one-
time passwords. Each generated password has a limited duration based on the used time
interval. These systems have proven effective in protecting access to online accounts and
preventing brute force attacks. However, it is important that users adequately protect the
secret keys used in password generation and change these keys regularly to maintain an
optimal level of security.
Pseudo-Random Number Generators (PRNG) are algorithms that use a deterministic
formula to generate sequences of numbers that appear to be random [5]. This means that,
with a given initial seed, the results are predictable and repeatable. Normally, developers
needing to generate OTP values make use of PRNG [6]. The problem of PRNG is that
it makes use of deterministic algorithms to generate random numbers, which generates
periodic and predictable values that can be recreated from the initial seed [6].
To solve this problem, Truly Random Number Generators (TRNG) have been devel-
oped, which are based on the entropy of one or several physical sources to generate
numbers without any correlation or dependency [5]. Unlike PRNGs, which have a finite
number of states and whose outputs can be replicated, TRNGs use different sources of
physical entropy to generate bit strings that result in unpredictable values. This makes
it extremely difficult to determine how and from where the bits needed to reproduce the
output of a generated number are obtained [5]. Works such as [7,8] have shown that
TRNGs are much more secure than PRNGs due to their ability to generate truly random
numbers and avoid correlation and dependency of the generated data.
Multi-factor authentication (MFA) is one of several techniques that have been imple-
mented in the field of essential security to prevent unauthorized access to systems,
70 L. E. Almeida et al.
accounts or applications [9]. One of the various ways to apply MFA is the use of one-
time passwords (OTP), which provide a high level of security to the user [10]. By using
an OTP, you ensure that only the legitimate user who owns the corresponding authenti-
cation device can access the protected resource. Furthermore, since the OTP value can
only be used once, the risk of someone intercepting and reusing the OTP value to access
the protected account or system is eliminated [11].
With this background, in this article, the creation of a One-Time Password (OTP)
system prototype for a two-factor authentication system is proposed. The system pro-
poses the implementation of the HOTP and TOTP algorithm and the generation of values
through TRNG, to guarantee a random and safe generation of OTP values.
The proposed authentication system is versatile and allows OTP values to be delivered
to the user in three different ways, i.e., email, displayed on the screen, and through the
Telegram messaging application. The user’s choice determines the way he/she receives
the OTP code and how the OTP code is generated (i.e., generation algorithm).
Likewise, mobile applications have been developed that allow users to enter the OTP
code and validate their access to the account. These mobile apps are secure and allow
users to authorize or deny account access after entering the OTP code. The authentication
system is secure and efficient, ensuring the protection of online users’ personal and
financial information, making it suitable for use in a variety of applications.
The system architecture has been designed using microservices to improve commu-
nication between OTP value generation services and validation services. In addition, the
possibility of adding more OTP value generation options and delivery methods in the
future has been considered.
Using TRNG ensures that the generated OTP values are truly random, making it
more difficult for attackers to guess the OTP code. Implementing multiple OTP delivery
options increases user convenience and reduces reliance on a single communication
channel. Overall, the developed OTP system is secure, easy to use, and scalable for
future enhancements and expansions.
The present work is structured as follows. Section 2presents the previous work
carried out in the field of generating OTP values, as well as the different algorithms and
techniques used. Section 3explains in detail the methodology used in the development of
the work. Section 4presents the proposed work, including the architecture used and the
approach based on increments. Later, the analysis of the tests carried out in the present
work are detailed in Sect. 5. Finally, in Sect. 6, the conclusions of the presented work
are presented.
2 Related Work
Before proceeding to the development of the proposed OTP system, a systematic review
of the literature was carried out, with the aim of fully understanding the available OTP
algorithms, as well as their applications and delivery methods. Through this review, it
was possible to gather relevant and updated information on the different types of OTP,
operation modes, advantages, and disadvantages.
A Complete One-Time Passwords (OTP) Solution Using Microservices 71
2.1 One-Time Passwords Generation Algorithms
There are multiple algorithms proposed for the generation of One-Time Passwords
(OTP). In [12], an innovative model for OTP generation based on the use of a 3 ×
3 Vedic multiplier is presented. In this method, the OTP generation process starts by
getting the client’s login details from the Certification Authority, which are converted
to two 8 bits values. These resulting 16 bits are transformed to decimal using binary to
decimal conversion (CB2D), resulting in two 3-digit decimal digits that are multiplied
together using the 3 ×3 Vedic multiplier, making in this way the OTP code.
It should be noted that the model proposed in [12] presents an important innovation
in the generation of OTPs, since it uses an approach based on an ancestral mathematical
technique to achieve greater security in the generation of one-time passwords. However,
a thorough evaluation of the safety and efficiency of this method is necessary before its
implementation.
Other approach is the one presented in [13]. In this work, a solution is proposed
to overcome the limitations of the finite OTP system proposed by Lamport i.e., the
weaknesses in the length of the finite hash chain, which results in the finite generation
of the OTP. To solve this problem, a new hash chain has been designed that allows
infinite OTP generation without the need for a shared secret between the parties. Unlike
Lamport’s system, the new hash chain is made up of multiple short hash chains.
On the other hand, reference [14] describes an efficient two-factor authentication
scheme based on negative databases (NDBs). This scheme enables the password changes
feature and uses the uncertain properties of negative databases to reduce the frequency of
data updates. Furthermore, the scheme is resistant to most attacks, including password
guessing attacks and man-in-the-middle attacks.
In article [15], an innovative model for the generation of banking OTP is proposed.
This model uses three different inputs that are known by the client, which change ran-
domly, along with an initialization vector (IV), to generate the OTP. The proposed gen-
erator is implemented by an Android-based mobile device and the generated OTP is
encrypted using the AES-256 encryption algorithm. Once the OTP is generated and
encrypted, it is sent to the client through a secure HTTP channel, guaranteeing the pro-
tection of the client’s personal and financial information. This OTP generation model
is highly secure and efficient as it uses multiple inputs to generate the OTP, making it
more difficult to guess or forge.
Additionally, in reference [16], a new two-factor authentication method is presented
i.e., 2D-2FA, which focuses on improving the efficiency and usability of the Two Factor
Authentication (2FA) process. In 2D-2FA, a one-time Personal Identification Number
(PIN) is generated on the secondary factor and transferred directly to the server for
verification. To evaluate the effectiveness and feasibility of 2D-2FA, a comprehensive
security model was defined, and proof of concept was conducted. Additionally, the
effectiveness and usability of 2D-2FA was compared to the PIN-2FA method in an
in-person usability study. The results of the study showed that 2D-2FA offers higher
accuracy and lower delay compared to the PIN-2FA method. It was also found that the
usability and user perception of the efficiency, security and accuracy of 2D-2FA are high
and comparable to those of the well-known PIN-2FA.
72 L. E. Almeida et al.
So far, some interesting proposals have been explained, but they do not maintain a
specific OTP generation standard. Below are other works that are based on a modality
that is more standardized in the generation of OTP codes.
HMAC-Based One-Time Password. HMAC-based One Time Password (HOTP) is a
one-time password generation algorithm based on HMAC [3] which was developed to
enhance security in two-factor authentication and is still widely used as a standard. Unlike
the common OTP which generates a password based on a random value, HOTP uses
a sequence of increasing numbers and employs the HMAC algorithm such as HMAC-
SHA-1 [17].
The implementation of HOTP involves generating a secret key shared between the
authentication server and the user. This key is used for generating OTPs combined with
a counter that increments after each use. Since the password generation process is based
on HMAC, it ensures that the password is unique and cannot be reproduced without the
secret key.
Despite these security measures, HOTP can be vulnerable to brute-force attacks
depending on the applied hash algorithm, e.g., in the case of truncated value by HMAC-
SHA-1. This situation mandates implementing additional security measures on the
authentication server to prevent such attacks.
Time-Based One-Time Password. According to RFC 6238 [4], Time-Based One-
Time Password (TOTP) is an authentication mechanism that uses a unique, one-time
code which is generated using the current time and a secret key shared between the
authentication server and the user’s device or application. TOTP is also a variant of the
HOTP algorithm, but instead of generating the OTP using a counter, it uses the current
time [18].
TOTP is widely used as a two-factor authentication for accessing various systems
and services, such as financial applications or games. TOTP uses the HMAC-SHA-1
algorithm for OTP generation, but other algorithms such as HMAC-SHA-256 or HMAC-
SHA512 can also be used for enhanced security [19]. The interval for generating a new
password is usually set to 30 s, but this value can be adjusted according to the user
or system needs. For TOTP generation, a secret key is generated and shared through a
secure channel between the client side and the server. The current time is obtained and
divided by the time interval to convert it to a string, which is then encoded using a hash
algorithm such as SHA-1 or SHA-256. The last digits of the resulting hash are the OTP
values, which are usually 6 decimal digits.
True Random Number Generator. True Random Number Generator (TRNG) is a
device or program that generates truly random numbers, meaning that those numbers
cannot be predicted or repeated [20]. Unlike pseudo-random number generators, which
use an algorithm to produce a seemingly random sequence of numbers, TRNGs rely on
physical sources of randomness, such as atmospheric noise, thermal noise, radioactivity,
or air turbulence [21].
In terms of software, TRNGs are implemented through algorithms that use sources
of entropy, such as user activity, mouse movement, or time between keystrokes. These
algorithms produce a sequence of truly random numbers that cannot be generated again
[21].
A Complete One-Time Passwords (OTP) Solution Using Microservices 73
TRNGs are very important in cryptographic applications e.g., they are needed to
generate cryptographic keys, for authentication (nonces) and for (OTP) generation. They
are also used in gaming applications, simulations, and software testing, where a reliable
source of randomness is required [22].
3 Methodology
In order to successfully carry out the project, the iterative and incremental development
methodology was selected. This methodology is a set of principles that facilitates project
management and allows for gradual and iterative development until the desired result is
achieved [23]. Figure 1shows the methodology that has been followed for this work, as
well as its different phases.
Fig. 1. Stages and methodologies used in this work
As a result of applying this methodology in the present work, a total of four incre-
ments with four phases each were carried out. During the analysis phase, the operational
characteristics and necessary requirements for the prototype were determined. In the
design phase, the solution to the previously established requirements was defined and its
implementation was planned. During the development phase, the proposed solution was
implemented. Finally, in the testing phase, the implemented solution was evaluated. If
errors were detected, they were addressed in the next increment. The iteration of these
four stages can be seen graphically in Fig. 2.
74 L. E. Almeida et al.
Fig. 2. Increments and phases of the incremental iterative development methodology
4 Proposed Solution
As mentioned previously, the proposed solution was created through increments that
increase the different functionalities of the system. But first, the overall architecture of
the system was defined to properly coordinate each of the increments.
Figure 3shows the architecture of the system, which displays the interaction between
the application’s backend, database, web application, and mobile application. The Back-
end consists of login services, OTP value generation module, OTP sending module, and
OTP validation. The application flow is described below:
Fig. 3. General architecture of the prototype
1. The user enters their credentials (username and password) in the web application to
access the system.
2. The data is sent in encrypted form to the login service, where the existence of the
user is checked. If the user exists, step 3 is executed, otherwise, a guide is displayed
to set up 2FA.
3. Since the user has correctly entered their credentials and set up 2FA, they are informed
that an OTP has been generated and sent, activating the OTP generation and sending
services.
4. Once the user receives the OTP, they must enter the 6-digit string into the application.
At this point, the mobile application interacts only with the validation service, sending
the OTP value along with the necessary data for authentication.
5. If the OTP value is correct, the server grants access to the system.
A Complete One-Time Passwords (OTP) Solution Using Microservices 75
For the first three increments, we focused on the OTP generation services and the
OTP delivery service. In Fig. 4, we can see how the OTP generation algorithms and
delivery methods are associated for each one.
Fig. 4. OTP generation and delivery service
For the fourth increment, the mobile application was developed to connect to the
OTP validation service.
Once the general system architecture was designed, the different increments were
carried out. In the first increment, a requirements analysis was conducted for TRNG-
based OTP generation. Additionally, a microservice-based design was created. In the
second increment, an analysis was performed to define the HMAC-based OTP and its
development in Python. After the design was defined, the algorithm was developed,
and corresponding tests were conducted to validate its proper functioning. In the third
increment, an analysis was conducted on TOTP and its implementation using the Python
PyOTP library. Finally, in the fourth increment, the design and development of the mobile
application were carried out, and respective functionality tests were conducted.
4.1 First Increment
Analysis: The requirements for creating OTP values based on TRNG and transmitting
them through the messaging application Telegram were analyzed. As a result, 5 essential
requirements were identified, which were defined in the form of user stories. These
requirements include: (1) generation of six-digit OTP values; (2) generation of random
values for the authentication process; (3) verification of the authenticity of the OTP for
the current session; (4) ensuring that the OTP is consumed only once; and (5) rejection
of OTP values outside the established time limit.
76 L. E. Almeida et al.
Design: Based on the requirements defined in the previous step, a microservices archi-
tecture was designed (see Fig. 5). These services are responsible for generating OTP
values based on physical entropy sources. The generated values are communicated via
the Telegram messaging application. For this purpose, a bot was implemented which
communicates to the user both the generated value hidden through the Spoiler function,
as well as a message indicating the time and IP from which the login attempt is being
made.
Fig. 5. TRNG Value Generation Service Architecture.
Development: In the first increment, the identified functionalities were developed in
each of the previously selected programming languages for TRNG generation implemen-
tation. The selected languages were Golang, Python, Java, Rust, and C. These languages
were chosen based on the TIOBE index, which is a ranking that measures the popularity
of programming languages. Each of the developed codes was deployed in an indepen-
dent Docker container, and the generated values were communicated through an API
developed in Flask. The generated values were sent to the end-user, and in Fig. 6,ames-
sage can be observed before and after revealing the generated OTP value. The reason
of developing the same functionality in different programming languages was to know
their level randomness when generating the OTP.
Fig. 6. Comparison of the message before and after revealing confidential information.
Test: Different tests were carried out in order to verify the correct functioning of the
main API to generate OTP values. To add an extra layer of randomness when generating
OTP values, it was decided to concatenate the value generated by one service with that
of another, since each one returns values of three digits. Additionally, it was decided to
study the randomness of the values generated by each of the developed services with a
goodness-of-fit test, using the statistical technique known as Chi-squared. The Chi test
A Complete One-Time Passwords (OTP) Solution Using Microservices 77
is commonly used in the analysis of random numbers to verify if the generated sequence
fits a uniform distribution. Based on the test, it was observed that the language that
generated the most random values was C with a test statistic value of 11.67, followed
by Golang with 16.6, Java with 20.44, Rust with 20.65, and finally Python with 24.38.
4.2 Second Increment
The technological stack with which the two-factor authentication system was developed
was defined, which includes NodeJS, Express, PostgreSQL, and Python. The graphical
user interfaces of the web application were developed to allow user interaction. The
graphical user interface enables the user to authenticate themselves using their email
address, password, and the OTP-generated password, which is sent to the user’s email
address to verify their identity.
Additionally, an algorithm for generating one-time passwords using an HMAC cryp-
tographic mechanism was developed, which was created to provide a solution to single-
factor authentication systems. The following requirements [3] were taken into account
to generate this algorithm: (a) generate a shared secret key: this is a character string
shared between the server and the client. It is used to generate HOTP codes; (b) calcu-
late the HOTP code: this is done by using an HMAC hash function and a counter that
is incremented each time a new HOTP code is requested; (c) verify the HOTP code:
the HOTP code is provided to the server, which then uses the shared secret key and the
counter to calculate the expected HOTP code and compare it to the provided code, and if
they match, the request is authenticated. Figure 7shows the process of generating HOTP
One-Time Passwords.
Fig. 7. Password generation process
The algorithm for generating HOTP one-time passwords was developed in the Python
programming language, taking into account the following characteristics:
This algorithm generates 6-decimal digits one-time passwords.
The generated codes are stored in the PosgreSQL database.
The HOTP generator function receives the key and the counter number as parameters,
while the verifier function receives the key, counter number, and generated password
as parameters.
The generator converts the counter value to a hexadecimal value which is then used
along with the secret key for cryptography functions (HMAC, SHA1). The result of
the cryptographic function is truncated to maintain the 6-decimal digits requirement.
The password verifier function verifies if the generated value matches the value sent to
the user. If it is correct, the password and the counter value are validated. Otherwise,
the value is not validated, and the counter value is not increased.
78 L. E. Almeida et al.
The method of delivering the OTP developed in this iteration is the user’s email, as
this delivery method is fast, easy, and cost-effective to use.
Test: The tests carried out in this iteration was the time performance of the HOTP
algorithm. To do this, the time required to generate an OTP code were measured. The
process was repeated several times, and the average times were taken to obtain a better
estimate of the system’s performance.
It is essential to ensure that the HOTP code generation is fast enough to avoid
significant delays in the authentication process for users. The time test of HOTP code
generation is one of the critical tests to guarantee the optimal performance of the two-
factor authentication system. In Table 1, various performed test results are shown. The
average for generating a one-time password OTP was 60,512 ms. All tests performed
were successful, considering that their time to generate and send varied slightly.
Tabl e 1 . Time performance tests
Test Number Generate OTP [ms]
161,92
260,68
358,99
461,02
563,4
657,64
752,93
851,05
981,3
10 56,19
Average 60,512
4.3 Third Increment
Analysis: In the third increment of the project, an analysis of the TOTP generator was
carried out, taking into account the relevant security aspects for its implementation as
indicated in [4]. User stories were also created to identify the key features that the system
must have to ensure the security of users’ accounts. These user stories were a valuable
tool in software development, as they allowed clear and concise definition of user needs
and expectations. Each user story focused on specific user requirements and established
a clear framework for the team in terms of what features should be implemented and
how they should function.
A Complete One-Time Passwords (OTP) Solution Using Microservices 79
Design: For the generation of TOTP values, the PyOTP library of Python has been used.
PyOTP can be used for implementing a two-factor authentication (2FA) or multifactor
authentication (MFA) system in web and mobile applications. PyOTP follows the stan-
dards defined in RFC 4226 [3] and RFC 6238 [4] regarding security aspects for a secure
deployment of the algorithm. The connection with the web application is made through
the Flask API implemented in previous increments.
Development: Once the conditions for time-based OTP generation were defined, the
PyOTP library was implemented. Endpoints in the API were configured and implemented
for consumption by the mobile application to receive OTP values entered by the user,
as well as to send the corresponding response of OTP validation. Once the OTP code
is received, it is verified to match the value generated by the algorithm. If the received
OTP value matches and is within the time limit for input by the client, the validation is
considered as successful; otherwise, it is considered as a failed authentication.
Test: For this increment, correct connection and sending of OTP between a client
through the API developed in Flask and the OTP generator was verified.
4.4 Fourth Increment
Analysis: Taking into account the general architecture of the authentication system
proposed by the authors, the following flowchart was defined to describe the operation
that the mobile prototype must fulfill (see Fig. 8), highlighting as main functions that: the
mobile prototype must allow the user to register a web application, in such a way that the
mobile application can identify the user who wants to authenticate in the different web
applications; the mobile application must send the OTP to the correct web application,
which contains the correct user session, in order to authenticate it.
For the development of the mobile application, a comparative analysis was carried
out among several development frameworks, including Flutter, React Native, Xamarin,
Ionic, and Apache Cordova. Based on the fact that the most popular frameworks in the
last 5 years according to Google Trends are Flutter and React, these tools were selected to
develop the mobile prototypes for the iOS and Android operating systems, respectively.
On the other hand, Firestore was used as the database, which is a No-SQL database
hosted in the cloud and provided by Firebase. This tool was selected because almost any
platform can access this service through an Application Programming Interface (API).
Design: In Figs. 9,10, and 11, reference images of high- and low-fidelity mockups of
the prototype are shown. Low-fidelity mockups are used in early stages of the project,
as they help to quickly test and validate concepts and ideas with low cost and simplic-
ity; while high-fidelity mockups represent a more realistic and detailed version of the
product and are used to conduct design, navigability, and functionality testing prior to
implementation.
Development: When two-factor authentication is activated in the web application, a QR
code is generated that contains crucial information for the mobile application to identify
both the user and the specific web application. This information includes the name and
logo of the web application, the user’s email address, and the API to which the mobile
80 L. E. Almeida et al.
prototype must send the OTP. The following describes the functioning of the mobile
prototype for the web application registration process and the OTP sending process: (1)
The QR code containing information about the web application and the user is displayed
to the user upon completing the double factor authentication activation process, (2) the
user scans this QR code using the mobile application, (3) the mobile application sends
this information to its corresponding database service for storage, (4) the database stores
the record of the web application, (5) the database notifies the mobile application about
the successful registration of the web application, (6) the mobile application displays
the registered web application information on its interface, presenting it in the form of
a list.
Test: In [24], different ways to measure the performance of a software product are
discussed. One of the metrics mentioned in [24], which was applied to the present work,
was the task completion rate for which the software product was designed. This type of
metric has a binary format, as the task is either successfully completed or not; there are
no intermediate points.
Fig. 8. Flowchart of the registration process and use of the mobile application
A Complete One-Time Passwords (OTP) Solution Using Microservices 81
Fig. 9. Low fidelity mockup
Fig. 10. iOS Hifi Mockup
Fig. 11. HiFi Android Mockup
In the case of the mobile application developed in the present work, there are two
main tasks for which it was designed:
82 L. E. Almeida et al.
Registration of the web application: The user should be able to register a web
application in which two-factor authentication has been activated in the mobile
application.
Sending the OTP: Once the user has activated two-factor authentication on the web
application and has successfully registered it in the mobile application, the user
should be able to send the OTP provided by the web application through the mobile
application.
As a result of this test, it was found that out of the 43 test subjects, 4 were not able to
carry out the main activities (registration of the web application and sending the OTP).
This resulted in a success rate of 91% and an error rate of 9%. The reason of the 4
unsuccessful trials were because those users never had used an OTP system and because
the test were carried out without a detailed explanation.
Nielsen’s Usability Heuristics: Nielsen’s 10 heuristics are based on a set of quite broad
usability principles, called “heuristics”, that are evaluated by a group of experts in an early
stage of the prototype. For these tests, a group of 5 experts specialized in mobile appli-
cation development and user interface design was selected, in order to identify usability
issues on the high-fidelity mockup and correct them before implementation. Addition-
ally, the System Usability Scale (SUS) was applied which was created by John Brooke
in 1996. It consists of 10 simple questions that help to understand the usability issues
that users face when using a certain system [25]. After applying the aforementioned
methodologies, the expert group found the following issues:
It was noted that the application registration button, which was initially represented
with a ‘+’ icon, was not clear for the expert group. So, it was decided to replace it
with the “Register” button.
It was suggested that other frequently asked questions should be included to help
the user better understand how the prototype worked. Similarly, this was taken into
account and included both in the design and implementation of the final application.
5 Result Analysis
Once the entire system was developed, some additional tests were performed to verify
the correct functioning of the system. Below are the details of the executed tests.
Firstly, a goodness-of-fit test was performed using the statistical technique known as
Chi-square, denoted by χ^2, which is commonly used in the analysis of random numbers
to verify if the generated sequence fits a uniform distribution. The purpose of applying
this technique was to obtain the test statistic to determine which program from those
displayed in the containers was more random than the others.
Figure 12 shows the histogram of the values generated by a program implemented
in Golang. Based on the observation of the histogram, it can be inferred that the values
generated by the program are uniformly distributed within the allowed range, which
means that each number has the same probability of being generated.
When calculating the test statistic, the values obtained by the programs in different
programming languages can be observed in Table 2, which indicates how random each
program is.
A Complete One-Time Passwords (OTP) Solution Using Microservices 83
Fig. 12. Histogram of the values generated by Golang
Tabl e 2 . Value of the test statistic for each language
Container Value
Golang 16,5702546
Python 24,3894675
Rust 20,6510416
Java 20,4479638
C11,6744907
Other performed test was the connection reliability. The API provides a secure means
of establishing a connection between different services, such as the validation service
and the OTP delivery service. This connection ensures the reliability and protection of
the transmitted data through the implementation of encryption techniques. In this aspect,
different test were executed to validate the correct performing of the APIs developed in
the system.
Additionally, user acceptance tests for different OTP delivery methods were exe-
cuted. As a result of these tests, the delivery method that had the most acceptance was
scanning a QR code containing the OTP information with 65.1%. According to com-
ments made by participants, this was due to the speed at which they could access their
accounts. In second place, the SMS delivery method was chosen by the users with 20.9%.
Some users claimed that this method was the most familiar one, stating that it was the
method used by the banking institution they used. One interesting thing was that no user
selected email as his/her preferred delivery method. According to some comments made
by participants, this delivery method is inefficient as it requires logging into their email
accounts every time they want to authenticate themselves in the applications they want
to access.
84 L. E. Almeida et al.
6 Conclusions
Through this work, a literature study of the OTP-based security system was conducted
which could serve as the theoretical basis for proposing a two-factor authentication
system based on OTP. Based on the accumulated knowledge, an OTP system architecture
was generated using different algorithms such as HOTP and TOTP based on TRNG, and
then, it was implemented.
Once the system was developed, different tests were carried out to verify the security
and functionality of the system. Firstly, statistical tests were performed to evaluate the
randomness of the OTP codes generated by the applications programmed in different
programming languages. The results of these tests are presented in Table 2, which shows
a detailed comparison of the OTP value repetition rates obtained for each programming
language.
It was also verified that the use of privacy functions, such as Telegram’s “Spoiler,
can be a useful measure to guarantee the privacy and confidentiality of transmitted infor-
mation. This tool hides sensitive information, preventing third parties from accessing
it, and only the authorized recipient can discover its content. Additionally, through a
usability analysis conducted on end-users, it was determined that the acceptability per-
centage of the system was 74.3% average. The range of variation between the highest
and lowest acceptability percentages is 9.4%, suggesting that users, regardless of their
technical level, felt largely satisfied with the developed system.
It is important to indicate that the implementation of a second factor of authentica-
tion is a fundamental technique in cybersecurity to ensure the protection of computer
systems. Furthermore, it is crucial to establish strong password policies for users access-
ing systems to avoid possible vulnerabilities in authentication. The combination of both
practices increases the security of the system and minimizes the risk of brute force attacks
that could compromise the integrity of the system’s data.
Acknowledgments. The authors would like to thank to Corporación Ecuatoriana para el Desar-
rollo de la Investigación y Academia - CEDIA for the financial support given to this work through
its Fondo Divulga.
References
1. Lamport, L.: Password authentication with insecure communication. Commun. ACM 24(11),
770–772 (1981)
2. Haller, N.: The S/KEY One-Time Password System, RFC1760 (1995)
3. M’Raihi, D., Bellare, M., Hoornaert, F., Naccache, D., Ranen, O.: HOTP: an HMAC-Based
One-Time Password Algorithm, RFC4226 (2005)
4. M’Raihi, D., Machani, S., Pei, M., Rydell, J.: TOTP: Time-Based One-Time Password
Algorithm, RFC6238 (2011)
5. Manucom, E. M. M., Gerardo, B. D., Medina, R. P.: Security analysis of improved one-time
pad cryptography using TRNG key generator. In: 2019 IEEE 5th International Conference
on Computer and Communications (ICCC), pp. 1515–1521. IEEE (2019)
6. Ma, S., et al.: An empirical study of SMS one-time password authentication in Android apps.
In: Proceedings of the 35th Annual Computer Security Applications Conference, pp. 339–354.
ACM (2019)
A Complete One-Time Passwords (OTP) Solution Using Microservices 85
7. Marghescu, A., Svasta, P., Simion, E.: High speed and secure variable probability Pseudo/True
random number generator using FPGA. In; Proceedings of 2015 IEEE 21st International
Symposium for Design and Technology in Electronic Packaging (SIITME), pp. 323–328.
IEEE (2015)
8. Maksutov, A.A., Goryushkin, P.N., Gerasimov, A.A., Orlov, A.A.: PRNG assessment tests
based on neural networks. In: Proceedings of 2018 IEEE Conference of Russian Young
Researchers in Electrical and Electronic Engineering (EIConRus), pp. 339–341. IEEE (2018)
9. Tirfe, D., Anand, V.K.: A survey on trends of two-factor authentication. Lect. Notes Networks
Syst. 281, 285–296 (2022)
10. Peeters, C., Patton, C., Munyaka, I.N.S., Olszewski, D., Shrimpton, T., Traynor, P.: SMS
OTP security (SOS): hardening SMS-based two factor authentication. In: Proceedings of the
2022 ACM on Asia Conference on Computer and Communications Security, pp. 2–16. ACM
(2022)
11. Sarkunavathi, A., Lingeshkumar, S., Muralidharan, L., Vasudevan, P.: A survey on securing
OTP using steganography technique. J. Emerg. Technol. Innovative Res. 7(3), 1120–1126
(2020)
12. Shyry, S.P., Mahithaasree, M., Saranya, M.: Implementation of one time password by
3 * 3 vedic multiplier. In: Proceedings of 2018 International Conference on Computer,
Communication, and Signal Processing (ICCCSP), pp. 1–5. IEEE (2018)
13. Park, C.-S.: One-time password based on hash chain without shared secret and re-registration.
Comput. Secur. 75, 138–146 (2018)
14. Liu, R., Wang, X., Wang, C.: An efficient two-factor authentication scheme based on negative
databases: experiments and extensions. Appl. Soft Comput. 119, 108558 (2022)
15. Elganzoury, H.S., Abdelhafez, A.A., Hegazy, A.A.: A new secure one-time password algo-
rithm for mobile applications. In: 2018 35th National Radio Science Conference (NRSC),
pp. 249–257. IEEE (2018)
16. Shirvanian, M., Agrawal, S.: 2D-2FA: a new dimension in two-factor authentication. In:
Annual Computer Security Applications Conference, pp. 482–496. ACM (2021)
17. Krawczyk, H., Bellare, M., Canetti, R.: HMAC: Keyed-Hashing for Message Authentication,
RFC2104 (1997)
18. Sudar, C., Arjun, S.K., Deepthi, L.R.: Time-based one-time password for Wi-Fi authentication
and security. In: 2017 International Conference on Advances in Computing, Communications
and Informatics (ICACCI), pp. 1212–1216. IEEE (2017)
19. Huseynov, E., Seigneur, J.-M.: Hardware TOTP tokens with time synchronization. In: 2019
IEEE 13th International Conference on Application of Information and Communication
Technologies (AICT), pp. 1–4. IEEE (2019)
20. Yu, F., Li, L., Tang, Q., Cai, S., Song, Y., Xu, Q.: A survey on true random number generators
based on chaos. Discret. Dyn. Nat. Soc. 2019(2545123), 1–10 (2019)
21. Bassham, L., et al.: A Statistical Test Suite for Random and Pseudorandom Number Gener-
ators for Cryptographic Applications: Special Publication (NIST SP). National Institute of
Standards and Technology (2010)
22. Tupparwar, S., Mohankumar, N., A hybrid true random number generator using ring oscillator
and digital clock manager. In; 2021 6th International Conference on Inventive Computation
Technologies (ICICT), pp. 290–294. IEEE (2021)
23. Mitchell, S. M., Seaman, C. B.: A comparison of software cost, duration, and quality for
waterfall vs. iterative and incremental development: a systematic review. In: 2009 3rd Inter-
national Symposium on Empirical Software Engineering and Measurement, pp. 511–515.
IEEE (2009)
86 L. E. Almeida et al.
24. Suzianti, A., Belahakki, A.: Redesigning user interface of MRT Jakarta’s mobile application
using usability testing approach. In: 2020 The 6th International Conference on Industrial and
Business Engineering, pp. 73–78. ACM (2020)
25. Kaya, A., Ozturk, R., Gumussoy, C.A.: Usability Measurement of Mobile Applications with
System Usability Scale (SUS). In: Calisir, F., Cevikcan, E., Akdag, H.C. (eds.) Industrial
Engineering in the Big Data Era. LNMIE, pp. 389–400. Springer, Cham (2019). https://doi.
org/10.1007/978-3-030-03317-0_32
Conference Paper
Full-text available
Although many users nowadays prefer to use mobile applications for TOTP, there are still use cases for separate/isolated standalone hardware TOTP devices. For various technical restrictions, such as the accuracy limits of oscillators used in realtime clock chips, classic TOTP hardware tokens have a natural tendency to introduce time-drift after some period. This paper describes an innovative product allowing to overcome this disadvantage by introducing a new category of programmable TOTP hardware tokens allowing adjusting the system hardware clock
Article
Full-text available
With the rapid development of communication technology and the popularization of network, information security has been highly valued by all walks of life. Random numbers are used in many cryptographic protocols, key management, identity authentication, image encryption, and so on. True random numbers (TRNs) have better randomness and unpredictability in encryption and key than pseudorandom numbers (PRNs). Chaos has good features of sensitive dependence on initial conditions, randomness, periodicity, and reproduction. These demands coincide with the rise of TRNs generating approaches in chaos field. This survey paper intends to provide a systematic review of true random number generators (TRNGs) based on chaos. Firstly, the two kinds of popular chaotic systems for generating TRNs based on chaos, including continuous time chaotic system and discrete time chaotic system are introduced. The main approaches and challenges are exposed to help researchers decide which are the ones that best suit their needs and goals. Then, existing methods are reviewed, highlighting their contributions and their significance in the field. We also devote a part of the paper to review TRNGs based on current-mode chaos for this problem. Finally, quantitative results are given for the described methods in which they were evaluated, following up with a discussion of the results. At last, we point out a set of promising future works and draw our own conclusions about the state of the art of TRNGs based on chaos.
Article
With the rapid development of network communication technology, identity authentication based on smart cards is one of the most common two-factor authentication schemes. In some real-world applications, timeliness is another challenge besides security and privacy because of the frequent logon and logoff or data updating. Presently, two-factor authentication schemes based on elliptic curve cryptography (ECC) are efficient. They are based on asymmetric encryption algorithms. But the time efficiency can be improved by hash-based methods, such as Negative databases (NDB) inspired by the artificial immune system. A one-time password authentication scheme based on NDBs is efficient, but it does not achieve the functions of mutual authentication and password changing, nor resists stolen-verifier attacks. In this paper, we propose an efficient two-factor authentication scheme based on NDBs. With this scheme, the password changing function is achieved, and the properties of uncertain form of negative databases can reduce the frequency of data updating. As the proposed scheme is a hash function based one, it has fewer calculation steps and higher time efficiency, compared with the authentication schemes based on asymmetric encryption algorithms such as ECC. This scheme also resists the majority of attacking behaviors, such as password-guessing attacks and man-in-the-middle attacks. Experimental results verify the time efficiency of this proposed scheme, and its security is analyzed as well.
Conference Paper
A great quantity of user passwords nowadays has been leaked through security breaches of user accounts. To enhance the security of the Password Authentication Protocol (PAP) in such circumstance, Android app developers often implement a complementary One-Time Password (OTP) authentication by utilizing the short message service (SMS). Unfortunately, SMS is not specially designed as a secure service and thus an SMS One-Time Password is vulnerable to many attacks. To check whether a wide variety of currently used SMS OTP authentication protocols in Android apps are properly implemented, this paper presents an empirical study against them. We first derive a set of rules from RFC documents as the guide to implement secure SMS OTP authentication protocol. Then we implement an automated analysis system, AUTH-EYE, to check whether a real-world OTP authentication scheme violates any of these rules. Without accessing server source code, AUTH-EYE executes Android apps to trigger the OTP-relevant functionalities and then analyzes the OTP implementations including those proprietary ones. By only analyzing SMS responses, AUTH-EYE is able to assess the conformance of those implementations to our recommended rules and identify the potentially insecure apps. In our empirical study, AUTH-EYE analyzed 3,303 popular Android apps and found that 544 of them adopt SMS OTP authentication. The further analysis of AUTH-EYE demonstrated a far-from-optimistic status: the implementations of 536 (98.5%) out of the 544 apps violate at least one of our defined rules. The results indicate that Android app developers should seriously consider our discussed security rules and violations so as to implement SMS OTP properly.