Barada Two Factor Authentication

I ran across this interesting project called Barada the other day.

Barada turns your phone into a two-factor authentication device. It's an implementation of the HOTP protocol in the form of a PAM module (the server) and an Android application (the client).

Their approach solves several inconveniences, which they highlight:

...the problem with systems like SecureID or CryptoCard is that they're often not convenient. They cost money to license, the hardware costs money, and they're difficult to maintain. You have to set up a dedicated Solaris machine with RADIUS support just to deploy SecureID, which isn't really great for someone with a small setup.

How it works...

Basically, in addition to a normal password, users are also assigned a PIN number and a 128-bit key. Every time you'd like to log in using two-factor authentication, you open up the Android application, type in your PIN number, and get back a six-character one-time password that you can then use to authenticate remotely. The PIN number is not stored on the phone, and the OTP can only be used exactly once. Thus, the loss of the phone does not result in leaked passwords, and the capture of an OTP does not result in remote access.
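To make the one-time-password mechanics concrete, here is an added example (my own code, not Barada's PAM module or Android client) of the HOTP algorithm from RFC 4226 that the description above relies on: an HMAC-SHA1 over a moving counter, dynamically truncated to a six-digit code, plus a minimal server-side verifier that enforces the "usable exactly once" property by never accepting a counter at or below the last one consumed. The page does not say how Barada combines the PIN with the 128-bit key, so that step is left out; the `HotpVerifier` class and its `look_ahead` window are my own names and assumptions.

```python
import hashlib
import hmac
import secrets
import struct


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    then 'dynamic truncation' to a fixed number of decimal digits."""
    msg = struct.pack(">Q", counter)
    mac = hmac.new(key, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # low nibble of last byte picks a window
    code = (
        (mac[offset] & 0x7F) << 24               # clear the sign bit
        | mac[offset + 1] << 16
        | mac[offset + 2] << 8
        | mac[offset + 3]
    )
    return str(code % (10 ** digits)).zfill(digits)


class HotpVerifier:
    """Server-side state for one user: the shared key and the next counter
    value that has not yet been consumed (hypothetical helper, not Barada's)."""

    def __init__(self, key: bytes, look_ahead: int = 10):
        self.key = key
        self.next_counter = 0          # everything below this has been used or skipped
        self.look_ahead = look_ahead   # tolerate codes the client generated but never submitted

    def verify(self, candidate: str) -> bool:
        """Accept a code only if it matches a counter in [next_counter, next_counter + look_ahead).
        On success the window moves past the matched counter, so the same code
        (or any earlier one) can never be replayed."""
        for c in range(self.next_counter, self.next_counter + self.look_ahead):
            # constant-time comparison so timing does not leak which digits matched
            if hmac.compare_digest(hotp(self.key, c), candidate):
                self.next_counter = c + 1
                return True
        return False


def new_user_key() -> bytes:
    """A 128-bit per-user secret like the one the post describes, from the OS CSPRNG."""
    return secrets.token_bytes(16)


def rfc4226_vectors() -> list:
    """First three reference values from RFC 4226 Appendix D for the ASCII key
    '12345678901234567890'; used here to show the implementation is correct."""
    key = b"12345678901234567890"
    return [hotp(key, c) for c in range(3)]


def demo() -> dict:
    """Walk through issue -> use -> replay -> skipped counters, returning each outcome."""
    key = new_user_key()
    server = HotpVerifier(key)
    first = hotp(key, 0)
    return {
        "first_accepted": server.verify(first),   # fresh code for counter 0
        "replay_rejected": not server.verify(first),  # same code again must fail
        "skip_ahead_accepted": server.verify(hotp(key, 3)),  # client burned 1 and 2
        "stale_rejected": not server.verify(hotp(key, 1)),   # below the window now
        "far_future_rejected": not server.verify(hotp(key, 50)),  # beyond look_ahead
    }


if __name__ == "__main__":
    print("RFC 4226 vectors:", rfc4226_vectors())
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The look-ahead window is the practical trade-off of counter-based OTPs: the phone increments its counter every time a code is generated, whether or not that code ever reaches the server, so the server must resynchronise by searching a bounded range forward. Keep that range small, because every extra counter the server will accept is one more code a guesser could hit.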

People are used to carrying their phones at all times, so it seems much less likely that someone would forget their phone than their RSA token or smart card. It also removes the inconvenience of having to keep a separate token with you at all times.