Open source two-factor authentication suite

Project aims

  • to enable the wider adoption of two-factor authentication
  • to undermine the efforts of keystroke loggers and other trojans
  • to reduce spam by significantly increasing the effort required to mount effective phishing attacks

Features

  • Secure UNIX server and API combined with Android soft-token
  • two-factor authentication using open standards (HOTP, TOTP and soon OCRA) for one-time-passwords
  • C library for inclusion in existing software and web sites
  • OpenID (using SimpleID) for web applications/single-sign-on (SSO)
  • PAM for easy UNIX and LDAP integration (SASL, RADIUS and JAAS in development)
  • enterprise-class scalability and security
  • flexible, modular user data storage to suit a range of private and public use cases
  • free (GPL) and open source, so you can review the code yourself to see that it is really secure
  • open standards (HOTP and TOTP) so you are not locked in to a single token vendor
  • combined PIN + token code login
  • Works with Google Authenticator or the dynalogin open-source soft-token on Android

Key benefits of the Android soft-token

  • Based on a cryptographic algorithm so token codes can't be guessed - they appear random
  • A single install of the soft-token app can have multiple key profiles (e.g. one profile for your e-banking, another for the company VPN and another for your OpenID/blog/Facebook), so there is no need to carry 5 different tokens on a keyring
  • Does not require any network connectivity when computing a token code
  • Can be used when roaming, even if you disable data connectivity while abroad
  • Does not require any SIM card, so it can be used on tablets and music players running Android
  • Works in places where there is no mobile or Wi-Fi signal (e.g. using Vodafone in many parts of Australia)
  • Many of these features make dynalogin much more appropriate than the mobile SMS login solutions now offered by some banks
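
The offline and unguessable properties listed above follow from how HOTP (RFC 4226) and TOTP (RFC 6238) derive codes: the token and the server each compute an HMAC over a shared secret and a counter or time step, so nothing needs to be transmitted to the token. The Python below is an added example, not dynalogin's own code; the function names, the look-ahead window of 3 and the use of the RFC 4226 test secret are assumptions made for illustration.

```python
import hashlib
import hmac
import struct

# Constructed sample key: the published RFC 4226 test secret, never a real one.
SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then truncate."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation: low nibble selects 4 bytes
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP where the counter is the number of elapsed time steps."""
    return hotp(secret, unix_time // step, digits)


def verify_hotp(secret: bytes, stored_counter: int, submitted: str, window: int = 3):
    """Server-side check (hypothetical helper).

    Tries the stored counter and up to `window` values ahead, because the
    user may have generated codes that were never submitted. Returns the
    counter to store next, or None on failure. Storing the returned value
    means an accepted code can never be replayed.
    """
    candidate = submitted.encode()
    for counter in range(stored_counter, stored_counter + window + 1):
        expected = hotp(secret, counter).encode()
        if hmac.compare_digest(expected, candidate):  # constant-time compare
            return counter + 1
    return None


if __name__ == "__main__":
    # The token computes this locally, with no network access.
    code = hotp(SECRET, 2)
    next_counter = verify_hotp(SECRET, 0, code)
    print("code", code, "accepted, server counter now", next_counter)
    print("replay result:", verify_hotp(SECRET, next_counter, code))
```

The look-ahead window trades usability against guessing resistance: each extra counter value accepted gives an attacker one more valid code per attempt, so servers pair a small window with attempt limiting.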