![]() This is a fun way to learn a little about TOTP and see it working against a real Okta organization. On the date and time setting screen, it starts with the last set date and time to make it easier to update. ![]() If so, it goes directly to setting the date and time. The next time you turn on the ArduBoy, it checks to see if a secret has been set. What the application does to mitigate this is use the onboard EEPROM (Electrically Erasable Programmable Read-Only Memory) to (a) save the secret and (b) save the last date and time set. Not so with the ArduBoy! In order to really use this as your go-to TOTP device, you need to keep it on and charge it before it dies. We take this for granted on our computers or mobile devices that either have hardware to keep the clock running, have the ability to automatically set the time over a network on boot or both. ![]() There’s no realtime clock that continues to run when the ArduBoy is off. The biggest challenge is that when you turn off an ArduBoy, it’s really off. This open-source programming platform makes for the perfect vehicle to use the TOTP standard to create a hardware and software based hybrid token for MFA. All this fits into a credit card size form-factor. The ArduBoy project combines an Arduino microprocessor with a monochrome OLED screen and a set of buttons that look suspiciously like a classic Nintendo GameBoy. In this post, I use the shared secret in a less-convenient but fun way, while still keeping the same level of security. Okta Verify uses a QR Code to read in the shared secret when enrolling in MFA. Okta adds an additional level of convenience without sacrificing security by supporting push notifications in the Okta Verify mobile app. They use an algorithm based on a shared secret and a system clock with a high degree of precision. Google Authenticator and Okta Verify are a type of factor called time-based one-time password (TOTP) tokens. ![]() It provides additional security by requiring a second factor after authentication and supports a variety of factor types including SMS, soft tokens like Google Authenticator, hard tokens like Yubikey and the Okta Verify soft token with push notification. Okta has a great multi-factor authentication (MFA) service that you can use right away with a free developer account. ![]()
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |