
GoogleMSCAuthenticator

sunyer edited this page Mar 26, 2015 · 1 revision

Introduction

In this press release, Google announced a new two-step verification using one-time passwords. Google Authenticator is a mobile phone application that lets Gmail users complete this two-step verification with their mobile phones.

Since Android supports smart cards such as the Mobile Security Card through the SmartcardAPI, an application similar to Google Authenticator that generates the one-time passwords on a smart card, using a Java Card applet, would be useful. A simple application that generates OTPs was developed and uploaded to the seek-for-android project a while ago (see OTPAuthenticator).

However, that version was not compatible with Google's OTP verification: it supported neither time-based OTPs nor automatic personalisation through QR codes. Therefore a new application, the Google MSC Authenticator, based on the original OtpAuthenticator, was developed. For the time being it is to be regarded as a proof of concept only and should be used for testing purposes only.

Background information on OATH

OATH (the Initiative for Open Authentication) defines a common standard for OTP generation: the event-based HOTP algorithm in RFC 4226 and its time-based variant TOTP in RFC 6238. Each OTP is derived from a secret seed shared between the user's token and the server, which makes the values unique per user, combined with a moving factor: a counter that is incremented after each calculation (event-based OTP) or the current time step, so that the value is valid for a specific time interval (time-based OTP).

An OATH calculation in software on the phone is possible but discouraged, as the seed could be lost or tampered with after flashing or rooting the phone. For this reason the OATH calculation takes place in the Mobile Security Card, where the secret seed is kept secure inside the OtpAuthenticator applet.

Prerequisites

If you wish to test the Google MSC Authenticator, you will require:

  • An Android phone with smartcard support and a Mobile Security Card (see BuildingTheSystem)
  • A Gmail OTP account
  • A way to install applets on a JavaCard

Walkthrough

The Android application is for demonstration and test purposes only. Do not use in production environments!

  • Download the installation files from the Download page
  • Install the oath.cap file on the Mobile Security Card with JLoad or another GlobalPlatform-compliant Java Card loader tool.
    Note: JLoad is included in the Mobile Security Developer's Kit
  • Install OtpAuthenticator.apk on your Android device equipped with a Mobile Security Card and with MSC_SmartcardService installed.
    Note: Without MSC_SmartcardService, check out the OtpAuthenticator source code and recompile the APK as described in BuildingTheSystem.
  • Log into your Gmail OTP account, click "Change sign-in verification", make sure "Two-step verification" is enabled, click "Configure your mobile application" and "secret key". A QR code will be displayed.
  • Run the application on the Android phone, open the menu and click "Scan code". Use your phone's camera to scan the QR code displayed on the website. This will initialise the applet with the secret key that it needs to generate the passwords.
  • To test the generated passwords: log out of your Gmail OTP account and log in again. You should be asked for an OTP in the second step of the two-step verification. Start the Google MSC Authenticator application and enter the code it displays. The code is valid for about one minute at most.
    Note: Gmail currently uses time-based OTPs, so your mobile phone's clock must be accurate: a difference of only one minute is usually enough for the two-step verification to fail. The best way to ensure your time is set accurately is to use network-provided time, which can be enabled in your phone's "Date & time settings".
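The following is an added example, not code from the seek-for-android project or from the Google MSC Authenticator itself. It is a plain-software reference for what the walkthrough above relies on: the otpauth:// URI that the "secret key" QR code carries (the URI here is constructed; the base32 seed is the RFC 4226/6238 test seed, not a real account secret), the HOTP/TOTP calculation that the applet performs on the card, and a server-side style check with a small acceptance window that shows why a clock that is off by one minute makes the verification fail. The window size of one 30-second step on either side is an assumption for illustration, not Google's actual policy, and the URI parameter names follow the otpauth format used by Google Authenticator.

```python
import base64
import hashlib
import hmac
import struct
from urllib.parse import parse_qs, unquote, urlparse

# Constructed sample: the kind of otpauth:// URI that the "secret key" QR code
# encodes. The secret is the RFC 4226/6238 test seed "12345678901234567890"
# in base32, so the outputs can be checked against the RFC test vectors.
SAMPLE_URI = ("otpauth://totp/Example:alice@gmail.com"
              "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example")


def parse_otpauth(uri):
    """Extract the OTP type, label, seed bytes and parameters from an otpauth:// URI.

    This is the personalisation step: the applet would receive the decoded seed.
    """
    parts = urlparse(uri)
    if parts.scheme != "otpauth" or parts.netloc not in ("totp", "hotp"):
        raise ValueError("not an otpauth totp/hotp URI")
    params = parse_qs(parts.query)
    secret_b32 = params["secret"][0].upper().replace(" ", "")
    # QR payloads often omit base32 padding; restore it to a multiple of 8 chars.
    secret_b32 += "=" * (-len(secret_b32) % 8)
    return {
        "type": parts.netloc,
        "label": unquote(parts.path.lstrip("/")),
        "seed": base64.b32decode(secret_b32),
        "digits": int(params.get("digits", ["6"])[0]),
        "period": int(params.get("period", ["30"])[0]),
    }


def hotp(seed, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    digest = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(seed, unix_time, period=30, digits=6):
    """RFC 6238 TOTP: HOTP with the counter replaced by the current time step."""
    return hotp(seed, int(unix_time) // period, digits)


def verify_totp(seed, code, unix_time, period=30, digits=6, window=1):
    """Server-side check: accept the code for the current step and +/- `window` steps.

    `window=1` (one 30-second step either way) is an assumption for illustration.
    A phone clock that is a full minute off lands outside this window, which is
    the failure the walkthrough warns about.
    """
    step = int(unix_time) // period
    for delta in range(-window, window + 1):
        if hmac.compare_digest(hotp(seed, step + delta, digits), code):
            return True
    return False


# Seed recovered from the constructed QR payload above.
SAMPLE_SEED = parse_otpauth(SAMPLE_URI)["seed"]


def drift_demo(skew_seconds, now=59):
    """Generate a code with a token clock skewed by `skew_seconds` and verify it at `now`."""
    token_code = totp(SAMPLE_SEED, now + skew_seconds)
    return verify_totp(SAMPLE_SEED, token_code, now)


if __name__ == "__main__":
    print("label:", parse_otpauth(SAMPLE_URI)["label"])
    print("HOTP counter 0:", hotp(SAMPLE_SEED, 0))
    print("TOTP at T=59:", totp(SAMPLE_SEED, 59))
    for skew in (0, 30, 60):
        print(f"token clock {skew:+d}s -> accepted: {drift_demo(skew)}")
```

The values for counter 0 and for T=59 are the published RFC 4226 and RFC 6238 test vectors (755224 and the last six digits of 94287082), so the code can be checked against the standards directly. On the real system only the last two functions have a software counterpart; `hotp` and `totp` are what the applet computes on the card with a seed that the phone never handles.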

Please refer to the Mobile Security Developer's Kit for an introduction to developing Android applications with smart card access.
See source code for more details.
