I was tasked with creating a one-time password (OTP) system that will ultimately be used to create OTP generators on mobile devices.
We are looking at using HOTP (RFC 4226) with a counter, but perhaps with some options. We do not have to be compatible with OATH.
This is my first security / cryptography experience, so I try to avoid (and find out) about security threats that hinder security novices, and also to better understand what I need to do and know in order to complete this task.
In addition to these general tips, I have a few specific questions for implementing this project:
Is HOTP still safe even if it uses SHA-1? One of my colleagues suggested we use the HMAC-SHA-512. It looks easy enough to switch the basic algorithm that we use. Are there any side effects here? For example, an increase in processing time?
I have problems synchronizing the counter. What should I use as common sense for possible counter values? What are the best ways to return to sync if the user clicked ahead of our lead? Would it be easier to display and send the counter along with the corresponding OTP, or does it significantly weaken security?
I also do not have a good understanding of best practices for storing related information securely, such as a shared secret and counter values.