This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

Difference between revisions of "OWASP JOTP Project"

From OWASP
Jump to: navigation, search
(Quick Download)
(OWASP jOTP)
Line 8: Line 8:
 
==OWASP jOTP==
 
==OWASP jOTP==
  
OWASP jOTP is a lightweight web application, implemented in Java as a small set of RESTful services, that can be used to generate, validate, and automatically expire one-time use password tokens.  This tool could be useful in scenarios that require multi-factor authentication, but do not allow for more expensive / complex solutions that require physical tokens (magnetic id cards, RSA hard tokens, etc).  Tokens generated may be sent either via email or SMS text message to end users.
+
OWASP jOTP is a microservice implemented in Java that can be used to generate, validate, and automatically expire one-time use password tokens.  This tool can be used in scenarios that require multi-factor authentication, but do not allow for more expensive / complex solutions that require physical tokens (magnetic id cards, RSA hard tokens, etc).  Tokens generated may be sent either via email or SMS text message to end users.
  
 
==Description==
 
==Description==

Revision as of 01:56, 3 March 2016

OWASP Project Header.jpg

OWASP jOTP

OWASP jOTP is a microservice implemented in Java that can be used to generate, validate, and automatically expire one-time use password tokens. This tool can be used in scenarios that require multi-factor authentication, but do not allow for more expensive / complex solutions that require physical tokens (magnetic id cards, RSA hard tokens, etc). Tokens generated may be sent either via email or SMS text message to end users.

Description

A common use case for jOTP is as follows: 1. Client web application displays login page to user. 2. User enters username, password, and cell phone number. 3. Client application makes a call to jOTP, which subsequently generates a token and sends it to the user's cell phone. 4. The user receives the token, and enters it on the login page. 5. The client application contacts jOTP to validate the token. If the token was valid, along with the username/password (validated separately), the user is logged in.

Licensing

OWASP jOTP is available under the BSD 2-Clause License.


What is jOTP?

OWASP jOTP provides:

  • OTP token generation, validation, and expiration.

Project Leader

Rob Upcraft


Quick Download

Email List

OWASP jOTP Mailing List NOTE: Include "jOTP" in the subject heading of all emails to this list.

News and Events

Classifications

New projects.png Owasp-builders-small.png
Owasp-defenders-small.png
Cc-button-y-sa-small.png
Project Type Files CODE.jpg
Where can OWASP jOTP be downloaded?
The source code, along with basic documentation, is located here: GitHub Repository
I can see the /sys/monitor endpoint, but when I try to test the other endpoints (eg. /otp/validate), I don't get anything in the response.
The endpoints under /otp only respond to POST requests, and will return an empty response if they are requested via GET.

Volunteers

OWASP jOTP is developed by a worldwide team of volunteers. The primary contributors to date have been:

  • Rob Upcraft


As of April 2014, the priorities are:

Development work for jOTP is largely complete as of now. Because it is intended to be lightweight and focused on this use case, the feature set is not planned to grow significantly, if at all. Most future work will include bug fixes, and additional customization options developed on an as-needed basis.

Involvement in the development and promotion of OWASP jOTP is actively encouraged! You do not have to be a security expert in order to contribute.

Some of the ways you can help:

  • Submit issues to the GitHub repository.
  • Submit pull requests for fixes to the GitHub repository.