OTP door lock

luca Saturday September 14th, 2013 4

Today I’m going to show you how to make an Arduino door lock that can be opened with an OTP code generated by your smartphone.

Video

First, a short video about the project (english subtitles are available):

OTP

OTP (one-time password) is an access code you can use only one time: its main advantage is that – even if someone steals your code when you use it – it doesn’t work anymore.

Usually OTP codes also have a temporal validity, i.e. they can be used for a short period (tipically 30 seconds); those codes are called TOTP (time-based one-time password). OTP codes are widely used for secure access to home-banking websites, remote connections (VPN)…

In the past, the TOTP codes were usually generated by hardware tokens

but recently software tokens, that are smartphones applications, are becoming common:

OATH and Google Authenticator

Open Authentication (OATH) is an industry-wide collaboration to define open standards for strong authentication mechanisms. One of those standards (RFC 6238) defines an algorithm to generate TOTP codes.

The algorithm starts with a secret key (shared secret) and the actual timestamp (the number of seconds from the date 01/01/1970). With the use of an hash function (HMAC-SHA-1) on the key-timestamp pair and a truncate function on the result, you get a code of 6 numbers:

The algorithm requires therefore that the token (which generates the codes) and the server (which validates them)

  • share the same secret key
  • are in sync

Google Authenticator is an opensource application you can use to obtain TOTP codes that are compliant to the algorithm described by the RFC.

It’s available for Android, iOS and Blackberry smartphones:

Google Authenticator genrates OTP codes with a validity of 30 seconds and requires a private key of 10 characters.

In the next page, I’m going to show you how to generate and validate TOTP codes with Arduino…

Pages: 1 2

4 Comments »

  1. Ivan Thursday September 19th, 2013 at 12:25 PM - Reply

    # 1!!!!

  2. Burke Friday November 1st, 2013 at 09:08 PM - Reply

    Great article.

  3. customdev Wednesday March 5th, 2014 at 11:13 PM - Reply

    I have the sketch up and running. Everything compiles and uploads beautifully.

    However I am having synchronization problems. Which time zone are we to use? I cannot tell rather my phone simply uses the GMT as its system clock or rather it is GMT adjusted with an offset for my time zone.

    I have tried using both GMT and GMT adjusted for my time zone with less than 5 seconds of difference between the Arduino’s time and the phone’s time. Either way the codes generated never match up.

    • luca Saturday March 15th, 2014 at 10:46 AM - Reply

      Hi! Google Authenticator uses GMT even if your phone displays time in your timezone, so you have to configure arduino with the same timezone.

Leave A Response »