Introducing the OATH Toolkit

I am happy to announce a project that I have been working quietly on for about a year: the OATH Toolkit. OATH stands for Open AuTHentication and is an organization that specify standards around authentication. That is a pretty broad focus, but practically it has translated into work on specifying standards around deploying and using electronic token based user authentication such as the YubiKey.


OATH’s most visible specification has been the HOTP algorithm which is a way to generate event-based one-time passwords from a shared secret using HMAC-SHA1. HOTP has been published through the IETF as RFC 4226. Built on top of HOTP is the time-based variant called TOTP, which requires a clock in the token. OATH do some other work too, like specifying a data format for transferring the token configuration data (e.g., serial number and shared secret) called PSKC.
Continue reading Introducing the OATH Toolkit

My blog uses Yubikey authentication

Thanks to Henrik Schack‘s great work in developing a WordPress Yubikey plugin, I now use two-factor hardware-assisted authentication technology (i.e., the Yubikey) to log in to my blog. Kudos, Henrik!

Since my server still uses php4 (sigh), I had to create a small patch to make it use mhash instead of hash.