Extra Credit: Two-Factor Authentication

Assigned: Thu, Apr 18, 2013
Status Report: N/A
Due: Thu, May 9, 2013 (As part of Project 4)


This extra credit asks you to add measures that prevent user account hijacking. You must implement OATH (Open Authentication) one-time passwords as defined in RFC 4226 (HOTP) and RFC 6238 (TOTP). The simplest way to do this is to use Google Authenticator, for which a ready-made PHP module exists.


Allow existing users to add OATH

  • Implement a method for users to generate an OATH key.
  • Display a QR code containing the key so that Google Authenticator for Android or iOS can easily import the OATH key.
  • Include a good description of your site in the QR code, so the user can tell which account the codes belong to.
  • After the user has confirmed acceptance, store the required key data in the database.

Require two-step authentication

  • When a user with OATH enabled logs in, require that a one-time password also be entered.
  • Validate the one-time password.
  • If the one-time password is invalid, the user must not be logged in.
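The key-generation and provisioning steps above, and the validation step that follows them, as an added example that is not part of the assignment or of the Google Authenticator PHP module. It is written in Python rather than the project's PHP, and the site name and account used are constructed placeholders; the functions follow RFC 4226 and RFC 6238 directly, and the QR code content is the otpauth:// key URI that Google Authenticator scans.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time
from urllib.parse import quote

# Constructed demo value; a real site would use its own name here.
ISSUER = "Example Forum"


def generate_secret(num_bytes: int = 20) -> bytes:
    """Random shared secret. RFC 4226 requires at least 128 bits; 160 bits (SHA-1 size) used here."""
    return secrets.token_bytes(num_bytes)


def provisioning_uri(secret: bytes, account: str, issuer: str = ISSUER) -> str:
    """Text to encode in the QR code (Google Authenticator key URI format).
    The label and issuer parameter are what the app shows next to the code,
    which is the 'good description of your site' the assignment asks for."""
    b32 = base64.b32encode(secret).decode("ascii").rstrip("=")
    label = quote(f"{issuer}:{account}")
    return (f"otpauth://totp/{label}?secret={b32}&issuer={quote(issuer)}"
            f"&algorithm=SHA1&digits=6&period=30")


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation to 31 bits, then reduce modulo 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, period: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter replaced by the number of elapsed time steps."""
    return hotp(secret, unix_time // period, digits)


def verify_totp(secret: bytes, candidate: str, unix_time: int,
                last_step=None, window: int = 1, period: int = 30):
    """Validate a submitted one-time password.
    Accepts the current time step plus/minus `window` steps to absorb clock drift.
    Returns (ok, step_used); the caller stores step_used as the user's last_step
    so the same code cannot be accepted twice. Any failure means: do not log in."""
    if not (candidate.isdigit() and len(candidate) == 6):
        return False, None
    current = unix_time // period
    for step in range(current - window, current + window + 1):
        if last_step is not None and step <= last_step:
            continue  # already used (or older): refuse replay
        if hmac.compare_digest(hotp(secret, step), candidate):
            return True, step
    return False, None


if __name__ == "__main__":
    # Enrollment: generate, show the QR content, then require one valid code before saving.
    secret = generate_secret()
    print(provisioning_uri(secret, "alice@example.com"))   # constructed account name
    now = int(time.time())
    print("code to confirm enrollment:", totp(secret, now))
    print(verify_totp(secret, totp(secret, now), now))
```

Only persist the secret after `verify_totp` succeeds once during enrollment; that is the "confirmed acceptance" step, and it catches a mis-scanned QR code before the user is locked out. `hmac.compare_digest` avoids leaking timing information about which digits matched, and the stored `last_step` is what makes a code single-use.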

Password reminders and resets

  • When a user requests a password reminder or reset, OATH must remain active.

Require new admin and moderator accounts to use OATH (optional)

  • Require OATH to be active before a user can be elevated to admin or moderator.


  • Include your OATH implementation in your Project 4 demo.
  • Successful implementation of OATH earns 3 points.
  • Requiring admin and moderator accounts to use OATH earns an additional 1 point.


  • Finish all other Project 4 requirements first. If your user role implementation is incomplete or buggy, it will be difficult to show that your OATH implementation is correct.

Page last modified on April 17, 2013, at 10:45 AM