diff -r 000000000000 -r 6a0957738c54 src/firefoxos/help.html --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/src/firefoxos/help.html Mon Apr 22 22:00:43 2013 +0200 @@ -0,0 +1,358 @@ + + + + + + + + OTPWCalc + + + + + + + + +
+ + +
+

OTPWCalc

+
+
+ +
+
+ +
+
+

OTPWCalc

+
+
+
+

What is a One Time Password?

+

A One Time Password (OTP) is a password valid only for a single use and, once used, cannot be used again for authentication. OTPs avoid a number of shortcomings that are associated with traditional (static) passwords.

+
+
+

What can I do with this app?

+

This application serves one purpose only. It calculates and prints a OTP.

+
+
+

What can I do with OTPs?

+

Most people use OTPs to log in to their website administration, CMS, or remote console.

+
+
+

Can I log into my Google account?

+

No. Google uses OTPs, but in a slightly nonstandard way. OTPWCalc cannot calculate OTPs useful for Google authentication yet.

+
+
+

Can I log in to Win/OSX/Oracle?

+

Yes, but some work is needed on the Windows/OSX/Oracle computer to configure the authentication subsystem.

+
+
+

Can I log in to Unix/Linux?

+

Yes, by using PAM and it's quite easy.

+
+
+

What else can I do with it?

+
    +
  1. Impress your friends
  2. +
  3. VPN authentication
  4. +
  5. Single sign on
  6. +
  7. Remote access
  8. +
  9. Computer login
  10. +
  11. Disk encryption
  12. +
  13. Internet services
  14. +
  15. Systems integration
  16. +
  17. CMS authentication
  18. +
  19. Password management
  20. +
  21. Email and money transfer
  22. +
  23. Bank transaction validation
  24. +
+
+
+

Can I install OTPWCalc on …?

+
    +
  • FirefoxOS: Yes
  • +
  • Sailfish: No
  • +
  • Android: No
  • +
  • Tizen: Yes
  • +
  • MeeGo: No
  • +
  • Bada: No
  • +
  • iOS: No
  • +
  • Unix: No
  • +
  • Linux: No
  • +
  • Mac OSX: No
  • +
  • BlackBerry QNX: No
  • +
  • Windows Phone: Yes
  • +
  • Windows Store: Yes
  • +
+
+
+

Why isn't OTPWCalc compatible?

+

OTPWCalc might not be compatible with your platform of choice, usually because the necessary hardware isn't available to the author for development.

+
+
+

What happens to my password?

+

Take a look at the entry point in + main.js:

+ + var secr = $('#paswrd').val();
+ var resp = hash(secr, user, iter); +
+

In other words, the password you enter is neither stored nor transmitted. In fact, OTPWCalc doesn't store or transmit any data input at all (see James Bond question later.) It's a calculator in the true sense, just like a pocket calculator that adds numbers.

+
+
+

Is OTPWCalc safe and secure?

+

The algorithms of OTP have proven worthy of high security applications. OTPWCalc has been carefully designed and is tested thoroughly. It's both secure and safe to use.

+
+
+

Is it useful in a corporate setting?

+

Yes. Custom built enterprise versions are available accompanied with commercial support. Visit the OTPWCalc homepage for information.

+
+
+

Does James Bond use OTPWCalc?

+

Maybe, but spies probably just look over shoulders or use cameras to steal the static passwords used in OTP systems.

+
+
+

Same as Yubikey or RSA SecurID?

+

Yubikey, RSA SecurID, and OTPWCalc use similar technologies for similar applications, but OTPWCalc is strictly software and doesn't depend on the time or date.

+
+
+

How can I upgrade my OTPWCalc?

+

This varies according to the operating system used so there's no single answer.

+
+
+

Who owns OTPWCalc?

+

OTPWCalc is the property of the copyright holder, Michael Schloh von Bennewitz.

+
+
+

Is OTPWCalc licensed?

+

OTPWCalc is distributed under the terms of the European Union Public Licence. This liberal license grants you freedom to use the software and much more.

+
+
+

Which programming language?

+

OTPWCalc is built using the HTML, CSS, and JavaScript languages.

+

The jQuery Mobile and Apache Cordova development frameworks provide important additional features.

+
+
+

What are ongoing developments?

+

OTPWCalc is both active and stable, and follows a project management plan.

+
    +
  • It is undergoing nationalization to several european languages.
  • +
  • HMAC-based RFC 4226 (HOTP) is being implemented.
  • +
  • Features like QR and OpenID integration are being explored.
  • +
  • Most of all, OTPWCalc is being ported to new platforms.
  • +
+

To request features or pose questions please write to the mailing list.

+
+
+

How can I report a bogue (bug)?

+

Please write to the mailing list stating the OTPWCalc version and platform. Thanks for every bug report!

+
+
+

My question isn't answered,
or this is just not working!

+

Please turn to the mailing list and ask for help there. Answers appear in a day.

+
+
+
+ +
+
+

OTPWCalc

+
+
+

+ To start using OTPWCalc now… +

+
    +
  1. Install and configure a OTP authentication server on the host computer.
  2. +
  3. Add a username, seed ID, and password to the OTP authentication server.
  4. +
  5. Log in to the host computer providing the recently added username. The host computer will reply with a challange including the appropriate seed ID and a new counter number.
  6. +
  7. Type the seed ID and counter number along with the corresponding password into OTPWCalc. Click Submit.
  8. +
  9. Read the resulting OTP in
    red uppercase characters
    .
  10. +
  11. Type the OTP into the host computer console and…
    Enjoy secure access!
  12. +
+
+
+ +
+
+

OTPWCalc

+
+
+
User Commands
+
OTPWCalc(1)
+
+
Name
+
OTPWCalc - Client application for calculating responses to OTP challenges.
+
Synopsis
+
OTPWCalc [-h] [-v] [-V]
+
Description
+
Playing the role of a hardware + token in a client server authentication system as described + in RFC 2289, OTPWCalc calculates responses to incoming + authentication challenges as typed in by the user.
+
Options
+
+ -h Display a brief help message and exit.
+ -v Print verbose text to the calling terminal.
+ -V Print the version number and exit. +
+
Terms
+
Username
+
+ The name that the server knows. For example, 'albertc'. +
+
Secret
+
+ A password, usually selected by the user, that is + needed to gain access to the server. For example, + 'Mysec2-pw'. +
+
Challenge
+
+ Information printed by the server when it tries to + authenticate a user. This information is needed by + OTPWCalc to generate a proper response. For example, + 'otp-md5 820 dinw23612'. +
+
Response
+
+ Information generated from a challenge that is used + by the server to authenticate the user. For example, + 'BIEM ROSE JINX HARD BALL SKY NEW'. +
+
Seed
+
+ Information used in conjunction with the secret and + sequence number to compute the response. It allows + the same secret to be used for multiple sequences + by changing the seed, or for authentication to + multiple servers by using different seeds. +
+
Sequence #
+
+ A counter used to track key iterations. Each time + a successful response is received by the server the + sequence number is decremented. For example, 71. +
+
Hash ID
+
+ Text that identifies the cryptographical algorithm + used. The valid hash identifiers are 'otpmd4' + corresponding to MD4, and 'otp-md5' corresponding + to MD5. +
+
Files
+
+ The application may store a cookie in a file used to + restore the most recent settings. The location of this + file (or arbitrary data structure) varies according to + the operating system. +
+
Bugs
+
This manual.
+
Security
+
+ All of the authentication strategies covered in the + standards implemented by this application are vulnerable + to man in the middle (MITM) attacks. The strategies can + be combined with public key logic to defeat such attacks. +
+
Standards
+
+ The IETF standards RFC 1760 (The S/KEY One-Time Password + System) and RFC 2289 (A One-Time Password System) are + implemented. +
+
See also
+
+ None. This is a self contained, stand alone application with + no alias commands. It is unique in that it leverages open + technologies like Javascript to run unmodified on a variety + of operating systems. +
+
Author
+
+ This application was written by + Michael Schloh von Bennewitz. +
+
Contact
+
+ Please refer to the + OTPWCalc homepage for contact information. +
+
Support
+
+ The + OTPWCalc mailing list provides information and answers to + questions. Commercial support is provided by the + author. +
+
+
+ +
+
+

OTPWCalc

+
+
+
+

Security

+

General security concerns should be directed to the mailing list, while those of a private nature should be sent directly to the author. X.509 certificates (for exchanging S/MIME encrypted email) and GnuPG keys (to verify released software signatures) reside on the author's website.

+

Please monitor the mailing list and keep your installation of OTPWCalc up to date!

+
+
+
+ +
+
+

OTPWCalc

+
+
+
+

Standards

+

This application implements
the following standards:

+ +
+
+
+ +
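Review bot: the "What happens to my password?" answer says OTPWCalc "doesn't store or transmit any data input at all", but the Files entry of the manual page added in this same file says the application "may store a cookie in a file used to restore the most recent settings". One of the two needs to change. If settings are persisted, the FAQ answer should say which inputs are saved and state explicitly that the secret is not among them. In the Terms list, the Hash ID entry gives 'otpmd4' next to 'otp-md5'; RFC 2289 writes the identifiers as otp-md4 and otp-md5, so the hyphen is missing. The Response example 'BIEM ROSE JINX HARD BALL SKY NEW' has seven words, while an RFC 2289 response is six words, so a user comparing it against real output will be confused. Smaller points: "challange" in the getting-started steps should be "challenge", and "nationalization" in the ongoing-developments list reads as if localization was meant.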