Security

How to implement mobile verification to ensure the best security?

Jan 19, 2017
How_does_implementing_mobile_verification_work-1.jpg
3 min read

As more and more transactions are being carried out online, growing swathes of personal information - including sensitive financial data - are being sent over networks of varying security, exposing internet users to potential threats from the so-called ‘crackers’.

 

Indeed, it’s becoming so hard to keep information safe, either in storage or in transit, that breaches are now commonplace, with some of the most seemingly safe databases around the world being compromised. As we move into cloud and open source environments, it’s even more important that people take responsibility for securing both individual and enterprise data - even if it means taking additional steps to do so.   

 

signing_in_to_google.jpg

 

 

One option for those who wish to stay ahead in the security game is mobile verification - or Second Factor Authentication (2FA) to give it its proper title - which offers an extra layer of security in internet transactions and is bound to become more prevalent with the rise of IoT and mobile technologies.

 

2FA can come in two forms, the first being HOTP, in which it is employed to approve logins attempted on new devices, as well as all transactions, the second being Time Based One Time Password, or TOTP.  

 

In either case, the 'second factor' is generally a mobile device, to which a code will be sent when a login is attempted. This must then be entered into the appropriate field, meaning the user must have the phone on his or her person as well as be able to provide the correct user ID and password.


Implementation on the web interface is completed by mobile app developers in two stages, the first being the normal login process, after which the user is redirected to an OTP page. At the same time, the OTP is sent to the mobile number or email address registered to the account, bringing the 2FA mechanism into play. After accepting the form with the user-provided PIN, the script then checks if this matches with the algorithm.

 

mobile-verification2.jpg

 

 

As an example, consider the following code (here we’re using the Python package ‘pyotp’ but it’s possible to design your own algorithm and implementation):

 

Step 1: Get pyopt via pip

pip install pyotp

Step 2: Generation and verification using HOTP - HMAC-SHA Based Authentication:

import pyotp
def generateHOTP(userid): 
    hotp = pyotp.HOTP('base32secret3232') 
    return hotp.at(userid) 

def verifyOTP(otp, userid=None): 
    if userid: 
        hotp = pyotp.HOTP('base32secret3232') 
        if hotp.verify(otp, userid): 
            return True 
        else: 
            totp = pyotp.TOTP('base32secret3232') 
            
        if totp.verify(otp): 
            return True 
        
        return False
        

Usage:

otp = generateHOTP(userid)

If you want to send the generated OTP via email or SMS you need to call your function.

Write his own email/ sms alert implementation.

send_email(email, otp)
send_sms(mobile_number, otp)
def send_email(email, otp):
    #write email functionality
def send_sms(mobile_number, otp):
    #write sms functionality

You can create a text input HTML to get the value from the field and verify the entered OTP.

if verifyOTP(otp,userid):
    # DO your stuff show dashboard
else:
    print 'OTP Error'
    # return to OTP Page or Login page
    
def generateTOTP(userid, interval): 
    totp = pyotp.TOTP('base32secret3232', interval=300) #interval in seconds
    return top.now()

 

text-verification1.jpgHere ‘interval’ is the OTP timeout; after this time the OTP will expire automatically.

 

No doubt Second Factor Authentication will prove a nuisance now and then; in today's fast-paced world, every second counts. It is, however, worth noting that we already use other forms of authentication, including barcodes, QR codes, and biometric identification, and with a growing number of ecommerce firms like Amazon and Uber using mobile numbers to enable transactions, mobile verification has become a preferred authentication method.

 

At hedgehog lab, we would also urge you to look at the whole picture - with increasingly advanced technology generating more and more security risk, surely it's worth taking a moment to keep your data protected.

 


 Did you know that blockchain in simple terms is a electronic ledger?

Bitcoins & Blockchain.jpg

 

 Learn more about Bitcoin and Blockchain

 

Share this article
Ashish Anand

Author Ashish Anand

Ashish is a Backend Developer with 7 years of experience. He is passionate about learning new technologies, always trying to do a lot of new things and occasionally driving himself to do some crazy stuff.

View more posts by this author

FREE WHITEPAPER

Challenges and opportunities in ARToolKit development.

The explosive rise of augmented reality presents a number of opportunities and challenges for developers. Learn more about the technicalities of AR and AR applications, as well as:

•  AR development software such as ARKit, ARCore, Daqri-ARToolkit and more.
•  The industries AR applications will transform.
•  Considerations in building an AR Toolkit.
•  The future of AR development.
Get your free whitepaper here