Ulf Dittmer wrote:Read up on how the Google Authenticator app works; it sounds like that is similar to what you're asking. (I'm not actually sure if Authenticator needs to be online, but its documentation is sure to talk about that.) Maybe your web app can even leverage Authenticator.
I've used Authenticator for two factor on my iPad when my iPad didn't have a network connection. Also, Authenticator doesn't work if your iPad time is horribly wrong, which shows that the number is being determined based on the time as one of the factors (rather than requesting it from Google each time).
Andrea: The token ("extra password") is the second part of two factor authentication. The mobile app generating makes sense. It is a "thing you have." You could roll your own. Have a unique number generated when the user first sets up the mobile app. Then use that number and other factors like the time to generate a token value that is only valid for a short time. As long as your server knows that app's number and the algorithm, it can check the token is right. Another alternative is to use a set of randomly generated values that the mobile app stores and your server knows about. Google two factor also has that. I have a bunch stored in case my iPad breaks and something happens to my phone at the same time. Horrible luck I know, but I'd certainly want to be able to get into my email if that happened!
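The "roll your own" scheme in the post above (a per-device secret set up once, combined with the current time to produce a short-lived token the server can recompute) and the fallback of a stored set of random one-time codes are both shown below in working form. This is an added example, not code from anyone in this thread and not Google's implementation; it follows the standard HOTP/TOTP construction (RFC 4226 / RFC 6238, HMAC-SHA1, 30-second step, 6 digits), which is also what the Authenticator app uses by default. The verification window of one step either side, the 20-byte secret size and the `BackupCodes` class with its 10-character hex codes are choices made for this example. The RFC test secret `12345678901234567890` is used so the output can be checked against the published vectors.

```python
import base64
import hashlib
import hmac
import os
import secrets
import struct
import time
from typing import List, Optional

TIME_STEP = 30    # seconds each token is valid for (assumed, matches Authenticator default)
DIGITS = 6        # token length (assumed)
DRIFT_STEPS = 1   # accept one step either side to tolerate clock skew (assumed)

# Secret from the RFC 4226 / RFC 6238 test vectors, base32-encoded for the
# same "enter this key in your app" flow a real enrolment would use.
RFC_SECRET_B32 = base64.b32encode(b"12345678901234567890").decode("ascii")


def new_shared_secret(nbytes: int = 20) -> str:
    """The 'unique number' created once at set-up and shared with the server (base32)."""
    return base64.b32encode(os.urandom(nbytes)).decode("ascii")


def hotp(secret_b32: str, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    key = base64.b32decode(secret_b32, casefold=True)
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, at: Optional[int] = None) -> str:
    """RFC 6238: the counter is simply the current time divided into 30-second steps.
    Nothing here needs the network; both sides only need the secret and a clock."""
    if at is None:
        at = int(time.time())
    return hotp(secret_b32, at // TIME_STEP)


def verify_totp(secret_b32: str, submitted: str, at: Optional[int] = None) -> bool:
    """Server-side check: recompute the token for the current step and its neighbours.
    A constant-time comparison avoids leaking which digits matched."""
    if at is None:
        at = int(time.time())
    step = at // TIME_STEP
    return any(
        hmac.compare_digest(hotp(secret_b32, step + delta), submitted)
        for delta in range(-DRIFT_STEPS, DRIFT_STEPS + 1)
    )


class BackupCodes:
    """The 'set of randomly generated values' alternative: shown to the user once,
    stored server-side only as hashes, and each code is deleted when redeemed."""

    def __init__(self, count: int = 10) -> None:
        self.count = count
        self._unused: set = set()

    @staticmethod
    def _digest(code: str) -> str:
        return hashlib.sha256(code.strip().lower().encode("ascii")).hexdigest()

    def generate(self) -> List[str]:
        codes = [secrets.token_hex(5) for _ in range(self.count)]
        self._unused = {self._digest(c) for c in codes}
        return codes  # plaintext: display once, never persist

    def redeem(self, code: str) -> bool:
        d = self._digest(code)
        if d in self._unused:
            self._unused.remove(d)  # single use: a captured code cannot be replayed
            return True
        return False


if __name__ == "__main__":
    # Enrolment: the app and the server share one freshly generated secret.
    secret = new_shared_secret()
    token = totp(secret)
    print("current token:", token, "accepted:", verify_totp(secret, token))
    # RFC 6238 vector: at t=59 the 6-digit SHA1 token for the test secret is 287082.
    print("RFC vector at t=59:", totp(RFC_SECRET_B32, at=59))
    backup = BackupCodes()
    codes = backup.generate()
    print("first backup code redeems once:", backup.redeem(codes[0]), backup.redeem(codes[0]))
```

Two points the post leaves implicit and the code makes explicit: the server never sends the token anywhere, it only recomputes it, so the app works fully offline; and the backup codes are kept hashed and single-use, so a database leak or a captured code does not hand out a reusable second factor.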