An educational implementation of a token that generates one-time passwords (OTPs) for challenge-response authentication.
The app can be set to behave as a compromised token, to show the risk of sensitive information leaking to the remote server without the user being aware of it. In compromised mode, each generated response contains a variable portion of the user's PIN code, so after a few authentication cycles the server can reconstruct the whole PIN code! Such a covert channel would endanger both security and privacy.
This client-side token is to be used with one of our complementary authentication servers that mimic the Internet banking service of three different Swiss banks. All the instructions needed and the links to the servers are on our website!
This app has been developed at the Virtual Identity, Privacy and Security (VIP) research center, which belongs to the Department of Engineering and Information Technology of the University of Applied Sciences of Bern (BFH-TI) in Biel/Bienne, Switzerland.