mod_authn_otp is an Apache web server module for two-factor authentication using one-time passwords (OTP) generated via the HOTP/OATH algorithm defined in RFC 4226. The developer has listed only one compatible device (the Authenex A-Key 3600) on their website. If a device is fully compliant with the standard, and it allows you to recover the token ID, it should work. However, without testing, it's hard to tell whether a device is fully compliant.

Have you ever tried other devices (software or hardware) with mod_authn_otp (or other open source server-side OTP program)? If yes, please share your experience :)

+1  A: 

Any device that claims to be "OATH Compliant" should -- and probably does -- work.

The hard part is not compliance, it's getting the vendor to give you the secret key associated with the token. They don't like to do this because they make their money off the servers, not the tokens.

Note this new iPhone app also works if cell phones are an option for you.

Archie
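
An added example, not part of the answers above and not mod_authn_otp code: a reference RFC 4226 HOTP implementation you can use to test a token yourself once you have its secret key, by comparing a few consecutive codes from the device with the expected values. The function names and the look-ahead window are assumptions for illustration; the sample key and codes are the published RFC 4226 Appendix D test vectors.

```python
import hashlib
import hmac
import struct


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP value for a given key and 8-byte big-endian counter."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation, RFC 4226 section 5.3
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def find_counter(key: bytes, otp: str, start: int, window: int = 10):
    """Return the counter in [start, start + window] that yields otp, else None."""
    for counter in range(start, start + window + 1):
        if hmac.compare_digest(hotp(key, counter, len(otp)), otp):
            return counter
    return None


def check_token(key: bytes, observed, start: int = 0, window: int = 10):
    """Compare consecutive codes read from a device with the reference.

    Returns (ok, next_counter). Skipped button presses are tolerated up to
    `window`; a counter that has been matched is never accepted again.
    """
    counter = start
    for otp in observed:
        match = find_counter(key, otp, counter, window)
        if match is None:
            return False, counter
        counter = match + 1
    return True, counter


# RFC 4226 Appendix D test key and the first ten expected 6-digit values.
RFC_KEY = b"12345678901234567890"
RFC_VECTORS = ["755224", "287082", "359152", "969429", "338314",
               "254676", "287922", "162583", "399871", "520489"]

if __name__ == "__main__":
    # Replace RFC_KEY and RFC_VECTORS with your token's key and the codes it shows.
    ok, next_counter = check_token(RFC_KEY, RFC_VECTORS)
    print("token matches RFC 4226:", ok, "- next counter:", next_counter)
```

If the codes do not match, check the key encoding (raw bytes versus hex) and the token's starting counter before concluding that the device is non-compliant.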
+1  A: 

If you're looking for more options, consider using mod-auth-radius or mod-ldap. Most two-factor auth solutions support RADIUS and LDAP and you will get far more options and flexibility. Plus, you can do things like run your RADIUS auth through Active Directory and then have IAS/NPS proxy the request to the 2FA server. Thus, when a user is disabled in AD, they are disabled for 2FA too.

There are a couple of ways to do mod-radius: http://www.wikidsystems.com/support/wikid-support-center/links/how-to-configure-apache-to-use-radius-for-two-factor-authentication-on-ubuntu/ and http://www.wikidsystems.com/support/wikid-support-center/how-to/two-factor-authentication-for-apache-2.2-or-higher/

nowen