3 minute silent screencast showing integration with a sample website.
user workflow screenshots.
Add a second factor of authentication to your website for those of your users who have smartphones.
You HTTP-redirect users to us for TOTP authentication, and we redirect them back to you when they are done. You can then mark their web sessions as authenticated.
The client libraries we provide secure this communication.
require "otpc"

class ExampleController < ApplicationController
  def dologin
    # auth() builds the redirect URL to the TOTP service; the lambda runs
    # when the user is redirected back, with the verification result.
    redirect_to(
      auth(session,
           params[:login],
           lambda { |ctrl, userid, result|
             if result
               ctrl.session["authed"] = userid   # session is now two-factor authenticated
             else
               ctrl.session.delete("authed")
             end
             ctrl.redirect_to({ :action => "loggedin" })
           }))
  end
  ...
end
We handle master key generation and storage, QR code generation and its secure serving and deletion, helping users set up their smartphones, correct brute-force rate-limiting, time tolerances, use of secure random numbers, dealing with device loss, and the other issues required to do TOTP authentication right.
All of your users who have smart phones already have a TOTP device that can store their keys. Some of them may wish that you offered TOTP authentication so that hackers would be less likely to log in as them.
With TOTP, the one time password is computed independently by the user and the verifier. It doesn't travel over email or SMS.
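As an added example (not code from the otpc library or from this page), here is the verifier side of what the two paragraphs above describe: RFC 6238 TOTP with a one-step time-tolerance window, a CSPRNG-generated master secret, refusal to accept the same time step twice, and a constructed per-user failure counter standing in for brute-force rate-limiting. The module name, the constants and the state hash are the example's own.

```ruby
require "openssl"
require "securerandom"

# Added example, not the otpc library's code: the verifier side of RFC 6238 TOTP
# with a one-step tolerance window, no reuse of an accepted step, and a per-user
# failure counter standing in for brute-force rate-limiting.
module TotpDemo
  STEP, DIGITS, WINDOW, MAX_FAILURES = 30, 6, 1, 5  # MAX_FAILURES is a constructed limit

  # HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter, dynamically
  # truncated to DIGITS decimal digits.
  def self.hotp(secret, counter)
    hmac   = OpenSSL::HMAC.digest("SHA1", secret, [counter].pack("Q>"))
    offset = hmac.getbyte(19) & 0x0f
    value  = hmac[offset, 4].unpack1("N") & 0x7fffffff
    (value % 10**DIGITS).to_s.rjust(DIGITS, "0")
  end

  # TOTP (RFC 6238): HOTP with counter = floor(unix_time / STEP); the phone and
  # the verifier compute this independently, so nothing travels over email or SMS.
  def self.totp(secret, unix_time)
    hotp(secret, unix_time.to_i / STEP)
  end

  # A master secret must come from a CSPRNG, never from Kernel#rand.
  def self.new_secret(bytes = 20)
    SecureRandom.random_bytes(bytes)
  end

  # Constant-time comparison so response timing does not leak matching prefixes.
  def self.secure_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end

  # state is the verifier's per-user record { failures:, last_step: }. Accepts a
  # code only from the tolerance window, only if its step is newer than the last
  # accepted one, and only while the user is under the failure limit.
  def self.verify(secret, code, unix_time, state)
    return false if state[:failures] >= MAX_FAILURES
    now = unix_time.to_i / STEP
    hit = (now - WINDOW..now + WINDOW).find do |s|
      s > state[:last_step] && secure_equal?(hotp(secret, s), code)
    end
    state[:failures] = hit ? 0 : state[:failures] + 1
    state[:last_step] = hit if hit
    !hit.nil?
  end
end
```

The RFC 4226 test secret "12345678901234567890" gives codes 755224, 287082, 359152, ... for counters 0, 1, 2, ..., which is how the module can be checked against the standard.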
You needn't share users' actual IDs with us. Any unique handle will do, such as their database primary keys, so we can't log in as them. In any case, we would never know their passwords, the first factor of authentication.
Our service must never go down and prevent your entire user base from logging into your site.
Authentication only requires looking up a user's master secret in a hash table. We run backup servers that support just this one operation. If the primary ever goes down, the client library tries the backup servers.
The backup servers are hosted in different continents. Their IPs are served up by two DNS servers, also on different continents.
Data at the backup servers lags the primary by only a few seconds.
The HTTP-redirect based communication between us is encrypted (AES-256 in CTR mode with a nonce) and then MACed to prevent user tampering and replay attacks.