
I would like to buy a device that can be provisioned with a secret seed and then displays a time based authentication token without ever revealing the seed.

As terms like 2FA, TOTP and Authenticator are almost guaranteed to only show up information about mobile-phone-hosted token generators, I am somewhat struggling to find relevant manufacturers.

I have found some devices using the term "oath-TOTP", but the high frequency of "if you lose your seed, just call us" and "you need Adobe Flash Player to order" makes me think I am not quite using the right search terms to find a trustworthy product.

What is that device class called?

  • 'totp hardware token' seems a good search term. I think the problem is that these have gone out of fashion due to the convenience of phone apps. – Neil Smithline Apr 01 '18 at 03:26

3 Answers

Most vendors preseed the TOTP token and provide a seed file (with the secret key) to be imported into your system. Of course this leaves a bit of a doubt as to whether the vendor handles the key delivery right.

If you would go for HOTP and not TOTP, I would recommend the YubiKey, since it can be initialized in the easiest way. Other devices are built for cost efficiency, and programming is sometimes not a feature. (You would need an interface, and the hardware vendor would have to provide software so that you can actually program the device.)

However, there are some Feitian TOTP tokens (C200 and TOTP display cards) that can be programmed. But you need to invest in a programming device or software that needs to be purchased.

There is the vendor Longmai, which also provides TOTP tokens, and I think you could program these using the NFC protocol - but I think they do not have any ready-made software -> a lot of programming on your side.

Bottom line: I think programming TOTP tokens is only worth the effort if you are going to use several hundreds of tokens. If you are only looking for a token on your own, take a look at the YubiKey.

cornelinux

There are a number of products that allow you to write the seed you want using a special (free) app; you only need an Android device with an NFC chip on board. The process is as described here.

They can be googled using the term "programmable totp hardware tokens".

Emin

NIST SP 800-63B, which has a taxonomy of authentication methods and devices, refers to them under two categories. The simplest is single-factor one-time password device (5.1.4):

Single-factor OTP authenticators contain two persistent values. The first is a symmetric key that persists for the device’s lifetime. The second is a nonce that is either changed each time the authenticator is used or is based on a real-time clock.

A more elaborate one is a multi-factor one-time password device (5.1.5):

Multi-factor OTP authenticators operate in a similar manner to single-factor OTP authenticators (see Section 5.1.4.1), except that they require the entry of either a memorized secret or the use of a biometric to obtain the OTP from the authenticator. Each use of the authenticator SHALL require the input of the additional factor.

In addition to activation information, multi-factor OTP authenticators contain two persistent values. The first is a symmetric key that persists for the device’s lifetime. The second is a nonce that is either changed each time the authenticator is used or is based on a real-time clock.

These terms are rather bureaucratic; e.g., the document has a section on memorized secret authenticators ("commonly referred to as a password or, if numeric, a PIN," it helpfully explains). But they might still be of use.

Note, though, that the document doesn't require OTP devices to be dedicated hardware to merit its labels; for example, it admits a software implementation on a smartphone.

Luis Casillas
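As an added illustration, not part of any of the posts above, here are the two NIST "persistent values" in code: a symmetric seed and a clock-derived counter feeding RFC 4226 HOTP / RFC 6238 TOTP, together with the server-side check that a token of this class is verified against. The seed is the RFC 6238 reference test secret, used here as a constructed example; the drift window and the last-used-counter check are the usual verifier-side practice and are assumptions of this example, not something the posts specify.

```python
import hmac
import hashlib
import struct
from typing import Optional

# Constructed example: the RFC 4226 / RFC 6238 reference test secret (ASCII digits).
# In a hardware token this value never leaves the device; the verifier holds the
# copy delivered out of band (e.g. the vendor's seed file mentioned in the first answer).
EXAMPLE_SEED = b"12345678901234567890"


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                    # low nibble of last byte
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)            # keep leading zeros


def totp(seed: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: the NIST 'nonce' is the current time step (default 30 s)."""
    return hotp(seed, unix_time // step, digits)


def verify_totp(seed: bytes, code: str, unix_time: int,
                last_used_counter: int = -1, step: int = 30,
                digits: int = 6, drift: int = 1) -> Optional[int]:
    """Server-side check of a displayed code.

    Accepts codes from +/- `drift` time steps to tolerate token clock skew, refuses
    any counter at or below `last_used_counter` so a captured code cannot be replayed,
    and compares in constant time. Returns the matched counter (to be stored as the new
    last-used value) or None on failure.
    """
    counter = unix_time // step
    for c in range(counter - drift, counter + drift + 1):
        if c <= last_used_counter:
            continue
        if hmac.compare_digest(hotp(seed, c, digits), code):
            return c
    return None


if __name__ == "__main__":
    # RFC 6238 Appendix B vector: T=59 -> 94287082 (8 digits, SHA-1)
    print(totp(EXAMPLE_SEED, 59, digits=8))
    print(verify_totp(EXAMPLE_SEED, "287082", 59 + 30))       # accepted via drift window
    print(verify_totp(EXAMPLE_SEED, "287082", 59 + 30, last_used_counter=1))  # replay refused
```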