Authlogic MOTP

Authlogic MOTP is an extension of the Authlogic library to add Mobile-OTP support.

Helpful links

* Mobile-OTP: motp.sourceforge.net * Authlogic: github.com/binarylogic/authlogic

Requirements

authlogic_motp requires, of course, that authlogic is installed on your server. It also assumes that registration of users (issuing/syncing secrets and PIN codes) will be handled by you.

Install and use

1. Install the Authlogic MOTP gem

$ sudo gem install authlogic_motp

Now add the gem dependency in your config:

Gemfile (Rails 3):
  gem 'authlogic_motp'

config (Rails <3)
  config.gem "authlogic_motp"

2. Make some simple changes to your database:

class AddUsersMotpFields < ActiveRecord::Migration
  def self.up
    add_column :users, :motp_secret, :string
    add_column :users, :motp_pin, :string
    add_column :users, :motp_cache, :string

    change_column :users, :crypted_password, :string, :default => nil, :null => true
    change_column :users, :password_salt, :string, :default => nil, :null => true
  end

  def self.down
    remove_column :users, :motp_secret
    remove_column :users, :motp_pin
    remove_column :users, :motp_cache

    [:crypted_password, :password_salt].each do |field|
      User.all(:conditions => "#{field} is NULL").each { |user| user.update_attribute(field, "") if user.send(field).nil? }
      change_column :users, field, :string, :default => "", :null => false
    end
  end
end

2. Setup your views

authlogic-motp expects the login and password fields in your login form to be named “otp-login” and “otp-password”. The user should enter their usual login value, and then the OTP generated on their device for the password.

3. Issue credentials

Each user will have to be issued a secret (in general a 16 character long HEX string), which they will use to initialize their account on the OTP device, and also a PIN (in general a 4 digit number) used to generate passwords. Some client programs allow the secret to be generated on the device. In this case the user will have to communicate both secret and pin to the administrator for registration. These should be stored in :motp_secret and :motp_pin respectively.

4. Configure Mobile-OTP

Mobile-OTP passwords are by default valid for 3 minutes before and three minutes after they are created, to give users time to enter the OTP into login forms, etc. Authlogic_motp supports the ability to configure the amout in minutes the password is valid. In your session model, set motp_maxperiod to the number of minutes required:

class UserSession < Authlogic::Session::Base
  motp_maxperiod 2
end