I made this app.
A small, OTP authentication app. The OTP authentication app makes use of the new feature in Marshmallow to allow a app to check if a specific keypair is generated inside Secure Hardware, to make it impossible to copy or extract the private key materail. This makes the app a extremely secure authentication app.
Note that if your device for some reason fails to create the key inside Secure Hardware, the app will refuse to use the key. On some phones, the secure storage may need to be initalized by setting a secure lockscreen, then enroll using the app, and then clear the secure lockscreen.
Enroll code to enroll and put public key into clipboard:
Your website simply encrypt a one-time password, using the enrolled public key for a specific user, encode this encrypted RSA2048 message as URLSafe Base64, then creates a qrsa:// URL with this information embedded. The end user (having this app installed) simply scans the QR code or clicks a link on web site and gets the OTP on screen or in clipboard, depending on if website was accessed on mobile browser via the link or via QR code.
Note that the app CANNOT be launched manually and thus have no "Open" button inside play store, it will automatically trigger by visiting any url with the scheme qrsa://
GitHub page: http://ift.tt/28ZHTmE
(Does contain example code for the webservice aswell)
Google Play page:
http://ift.tt/28ZHSiD
What do you think? Any toughts?
Anything I can do better?
A small, OTP authentication app. The OTP authentication app makes use of the new feature in Marshmallow to allow a app to check if a specific keypair is generated inside Secure Hardware, to make it impossible to copy or extract the private key materail. This makes the app a extremely secure authentication app.
Note that if your device for some reason fails to create the key inside Secure Hardware, the app will refuse to use the key. On some phones, the secure storage may need to be initalized by setting a secure lockscreen, then enroll using the app, and then clear the secure lockscreen.
Enroll code to enroll and put public key into clipboard:
Your website simply encrypt a one-time password, using the enrolled public key for a specific user, encode this encrypted RSA2048 message as URLSafe Base64, then creates a qrsa:// URL with this information embedded. The end user (having this app installed) simply scans the QR code or clicks a link on web site and gets the OTP on screen or in clipboard, depending on if website was accessed on mobile browser via the link or via QR code.
Note that the app CANNOT be launched manually and thus have no "Open" button inside play store, it will automatically trigger by visiting any url with the scheme qrsa://
GitHub page: http://ift.tt/28ZHTmE
(Does contain example code for the webservice aswell)
Google Play page:
http://ift.tt/28ZHSiD
What do you think? Any toughts?
Anything I can do better?
from xda-developers http://ift.tt/296T6pl
via IFTTT
No comments:
Post a Comment