Multiple options (Score 2)
TOTP (time-based one-time keys), HOTP (HMAC? one-time keys), and RFC6238 are today's friendly search terms.
TOTP is what the traditional RSA tokens use, in which the time is a component of the encryption used, so the code generated from the private key changes (usually every 30 or 60 seconds).
HOTP is the latest in one-time pads, where each code generated is good until used, but only once.
It differs from true OTPs in that the data is procedurally generated from a private key instead of all the keys/data being generated in bulk ahead of time. One hopes the private key is smaller than a crap-ton of bulk keys or binary data needed for a true OTP.
Google Authenticator is one pre-made generic solution, and you don't need to use Google to utilize it.
The encryption it uses is open and has an RFC, and their own software lets you input the private key via QR code for the user if you wish, and utilize multiple profiles/keys.
Google released an open source PAM module for all your Linux authentication needs, including SSH.
I use this myself for access to my home network (ssh + port forwards).
There are also tons of programs that run the identical encryption methods, lots being open source.
I've seen them available for every OS commonly used (and then some) plus every smartphone out there.
I've also recently purchased a Yubico key, which is a hardware version of the RSA token.
The basic model runs $25 each if you buy single keys, and they can be loaded with up to two profiles using various encryption methods and keys.
Instead of an LCD display with a rolling code, they are USB devices that show up as USB keyboard HIDs. You plug it in and once the OS has it powered and ready, there is a touch-sensitive "button" you touch and the dongle types in the code valid for that 30 second period.
It also takes into account how long it needs to type the codes (SHA-256 with serial can be 158 characters and takes ~3-4 seconds to type in at the default key rate).
It will always type the key that will be valid at the time it's about to hit enter.
Yubico is RFC6238 compatible, and also can utilize OpenRADIUS which then makes it compatible with pretty much everything.
A third option, though more for Windows login / Active Directory, and definitely not open source, is EIDVirtual.
It basically lets you reformat a USB flash drive to contain a 4k private key and special header so, along with its smartcard driver extension, the keys show up as smart cards and USB flash (technically you can still store data on the drive if you want).
The software is very cheap (7 euro if I recall), works flawlessly in AD setups (tested on XP, 7, and 8), and uses any old flash drive with 1MB of storage.
The downside of course is you don't get any of the fancy (or even required) hardware protection of the private key. I believe it uses the USB drive's serial and model/make as part of its formula so blind copying isn't trivial, but the hardware exists to easily fake that info for anyone intent on doing so.
Not nearly as secure as the other options, but it is at least priced accordingly, and doesn't try to add 2-3 zeros to the pricetag for the "enterprise" label.