-1

I need to write a generator that will generate an 8-digit number used for a two-factor authentication implementation. Currently I am debating between:

  • generating 8 random digits between 0 and 9 and creating a string containing those digits
  • generating a random number between 10000000 and 99999999

The only visible difference between the two approaches is that the first would allow the first digit to be 0, but I'm not sure if the wider range of the second approach would be more secure.

Both approaches will involve using SecureRandom, unless there is a better approach. I'm using Java 6.

How do most two-factor authentication services generate their codes? Which approach is more secure and/or is considered a better practice, or does it not matter?

twkk92
    It's super easy, maybe Google can help? – Marko Mackic Apr 01 '16 at 19:11
  • The random function allows you to set a range that you'd like to generate a number in. Combine this with a loop that assigns each number to a position in an array/vector and you have a working program. – Keno Apr 01 '16 at 19:15
  • It is always better to expand the search space when dealing with codes. Without using 0-9 in each place, you're significantly reducing the search space. – KevinO Apr 01 '16 at 19:15
  • Since you are using `SecureRandom`, both approaches will give you equal randomness. Also, in the second approach you can create numbers from 0 to 99999999 and then pad them with zeros. I can't find a reason why you should ignore this range. – Jos Apr 01 '16 at 19:16

1 Answer

0

Creating random numbers won't help. Most (if not all) open source implementations (including Google and Microsoft OTP) use a time-based OTP which is defined in RFC 6238. This is an HMAC function applied to a timestamp (usually divided into intervals of 30 seconds).

The Wikipedia page has a lot of good information about how this works and the algorithms: https://en.wikipedia.org/wiki/Time-based_One-time_Password_Algorithm. You'll also find a good number of open source libraries that will calculate this for you.

I forgot to add:

The whole system will be as secure as the place where you store any master key and the individual seed keys distributed to the customers. If the keys are easily accessible, the system won't be any more secure.

Augusto
  • I cannot see any reference to 'server' in the question. Just a reference to 'service'. Also, a two-factor authentication solution doesn't make sense between servers; you have far stronger solutions, such as PKI, which are simpler to implement. – Augusto Apr 01 '16 at 19:20
  • NP :) - That's the basis of two-factor authentication: 1) something you know (your password) - 2) something you have (a mobile/OTP generator/etc). – Augusto Apr 01 '16 at 19:26
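The following is an added example, not code from the question or the answer, covering both sides of the thread: the two purely random 8-digit approaches the question compares, and the RFC 6238 time-based OTP the answer recommends. It is written in Python rather than the asker's Java 6 so that it can be checked against the published RFC 6238 Appendix B test vectors (SHA-1, 8 digits, 30-second step, ASCII secret `12345678901234567890`); the function names `random_code`, `keyspace`, `hotp`, `totp` and `verify_totp` are this example's own, and the `window` parameter in `verify_totp` is the common clock-skew tolerance, not something the answer prescribes.

```python
import hashlib
import hmac
import secrets
import struct
import time

# --- The question's approach: a purely random code -------------------------

def random_code(digits: int = 8) -> str:
    """Uniform random code drawn from all 10**digits values, zero-padded.

    Drawing from 0..10**digits-1 and padding keeps the full 10**8 space.
    Restricting the range to 10000000..99999999 silently discards every
    code with a leading zero, i.e. one tenth of the space.
    """
    return f"{secrets.randbelow(10 ** digits):0{digits}d}"


def keyspace(first_digit_may_be_zero: bool, digits: int = 8) -> int:
    """Number of distinct codes each approach in the question can produce."""
    if first_digit_may_be_zero:
        return 10 ** digits            # 8 independent digits 0-9
    return 9 * 10 ** (digits - 1)      # 10000000..99999999


# --- The answer's approach: TOTP (RFC 6238) on top of HOTP (RFC 4226) ------

def hotp(secret: bytes, counter: int, digits: int = 8, digestmod=hashlib.sha1) -> str:
    """HOTP: HMAC(secret, counter) -> dynamic truncation -> decimal digits."""
    msg = struct.pack(">Q", counter)                  # 8-byte big-endian counter
    mac = hmac.new(secret, msg, digestmod).digest()
    offset = mac[-1] & 0x0F                           # low nibble picks a 4-byte window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % (10 ** digits):0{digits}d}"      # zero-padded, as in RFC 4226


def totp(secret: bytes, unix_time: int, step: int = 30,
         digits: int = 8, digestmod=hashlib.sha1) -> str:
    """TOTP: HOTP whose counter is the number of `step`-second intervals since the epoch."""
    return hotp(secret, unix_time // step, digits, digestmod)


def verify_totp(secret: bytes, code: str, unix_time: int,
                window: int = 1, step: int = 30, digits: int = 8) -> bool:
    """Server-side check of a submitted code.

    Accepts the current interval plus `window` intervals on either side to
    tolerate clock skew, and compares in constant time so the check does not
    leak how many leading digits matched.
    """
    counter = unix_time // step
    for delta in range(-window, window + 1):
        candidate = hotp(secret, counter + delta, digits)
        if hmac.compare_digest(candidate, code):
            return True
    return False


# RFC 6238 Appendix B shared secret for the SHA-1 rows (ASCII "12345678901234567890").
RFC6238_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    print("random 8-digit code:", random_code())
    print("keyspace, leading zero allowed:", keyspace(True))
    print("keyspace, 10000000..99999999:  ", keyspace(False))
    # RFC 6238 Appendix B: T=59 must yield 94287082 for the SHA-1 secret.
    print("TOTP at T=59:", totp(RFC6238_SECRET, 59))
    print("TOTP now:    ", totp(RFC6238_SECRET, int(time.time())))
```

The per-user secret passed to `totp` is the "seed key distributed to the customers" the answer warns about: the codes are only as unguessable as that secret is well protected on the server and on the user's device, and a verifier should also refuse to accept the same code twice within its window.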