3 Years ago I worked for a client who made use of the RSA Securid system. I was amazed by it. It seemed to add so much security to the systems I was accessing with it. I even liked watching the numbers turn over on the token feeling like a spy. I looked into setting it up for my own personal servers, and I was disappointed when I found out it was financially restrictive. It also frustrated me that I could not maintain the shared secret myself. Letting RSA authenticate my personal laptop was not going to work for me. Especially when it was disconnected from the internet.
I began to look into other two factor authentication solutions that where free software. And I found a few, Perfect Paper Passwords, being one of the more complete solutions. But carrying a sheet and updating it constantly was not a security token. So I began trying to figure out how the RSA tokens worked. I came up with a way of hashing and rehashing a secret on an arduino and then verifying it on my laptop.
It worked great, but not a real solution as an arduino isn’t battery powered or sits comfortably in your pocket. Tim Heath and I started work on the hardware design two years ago. Neither of us had any experience in electronics so it was pretty surprising when our first board functioned.
In between a few of our prototypes Google Authenticator was published. From that I found out about this rfc4226. It made me feel stupid that I had implemented this part of the protocol from scratch. But happy that it matched an IETF standard.
Below is a prototype of our current working design.
It led to the building of this
Dustin Clark has also built pig client token code for android
pdf describing the protocol in full in this white paper