The OTP Manager
The OTP Manager is a simple Application for managing One Time Password (OTP) Tokens. OTP Tokens are 6 digit numbers, each valid for 30 seconds, generated from a base63 encoded shared secret. The OTP secret keys are securely stored in the default KeyChain on your Mac. You can find them by searching for "OTPManager:" in the keychain.
The interface displays a general ProgressIndicator above the Tokens that indicates how long the tokens are valid. When a token enters the last 4 seconds of its lifetime, it enters 'expiry mode': the token digits turn red and copy functionality is disabled.
In this document we'll call a 'banner' with the username, issuer and OTP Token an account. The selected account has a darker background than other accounts in the main window.
Screenshot of the main window with tokens in active state. The first account is selected.
How to add an account
In order to add an Account to the OTP Manager, you need the pre-generated secret from the site or application you wish to add the account for. The OTP Manager does not enable Two Factor Authentication; this must be enabled with the Issuer.
To add an account to the manager, do any of the following:
- ⌘ + N
- The Main Menu > File > New Account
- Press the + button
It will open a dialogue prompting for 3 inputs:
- Issuer - The site or app you are creating the OTP Token for
- Username - The username for your account with the Issuer
- OTP Secret - The base63 secret generated within the Issuer's application
Using the Statusbar
Version 1.2 adds the statusbar menu as a convenient way to access your tokens. The menu reflects the order in which you arrange the tokens by dragging them in the main screen. The Statusbar enables you to hide the main application, thus reducing clutter on your desktop while maintaining easy access to your tokens, and adds a shortcut to unhide the OTP Manager application.
Selecting an account from the statusbar menu copies the token to the system clipboard, as described in copying tokens.
Copying tokens
A token can only be copied when the token is not expiring (i.e., in the first 26 seconds of its cycle). If a token is in expired state, the digits turn red. In active state, a token can be copied to the system clipboard in any one of the following ways:
- The token of the selected account can be copied with ⌘ + C
- Double click the Token digits
- Right click an account and choose "copy token"
- Select the token from the menu in the statusbar
How to delete an account
Removing an account does NOT disable Two Factor Authentication (TFA).
Removing an account could prevent you from logging in to the associated application.
If you want to disable TFA, please log in to the site (for which you will require a valid token) and disable TFA before removing the account from the OTP Manager.
In order to remove an account from the OTP Manager you need to select the account you wish to remove by clicking on it in the interface. The delete can be done in any of three ways:
- ⌘ + Backspace (deletes the current selected account)
- Press the - button (deletes the current selected account)
- Right click on an account and choose "delete account"
Configurable settings (v1.3)
Due to user comments, we have implemented a basic settings screen with 2 configurable options. Options are accessible via the Preferences menu item (⌘ + , or OTP Manager > Preferences).
- Don't copy tokens in grace period (default on).
Some users didn't like that tokens could not be copied in the last 4 seconds of a token lifetime. The statusbar pulldown would show grayed out, unselectable tokens in that period. If you uncheck this option, there will be no copy ban on a token and tokens can be copied up to the refresh time. Be aware that this could cause logins to fail, as time drift on both sides could mean the token has already expired by the time it is submitted.
- Statusbar menu only (default off).
A much requested feature was to be able to run the OTP Manager in the background. To this purpose we have added the Statusbar menu only option. Enabling this option will discard the main OTP application window and will only show the statusbar menu item. You can always toggle the main application window by selecting the "Show OTP Manager" Statusbar menu item.
OTP Manager is compatible with all HMAC TOTP based Two Factor Authentication implementations, like Google's Gmail, Facebook, Dropbox, Evernote and many more.
Background of One Time Password
There are 3 independent authentication factors: What you know (password), what you possess (hardware token, mobile phone) and who you are (fingerprint). Multi Factor Authentication means the system is using two of these factors for authentication.
The industry standard for Two Factor Authentication is using a time limited component generated from the possession factor next to the knowledge factor for authentication: a Time based One Time Password (TOTP).
Our implementation of the One Time Password is based on the open standards developed by the Initiative for Open Authentication (OATH). From these standards we use the HMAC based Time-based-One-Time-Password (TOTP) as specified in RFC 6238.
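The token generation from RFC 6238 and the 4 second grace period described under the configurable settings can be sketched as follows. This is an added example, not OTP Manager's own code. It assumes the shared secret is Base32-encoded (as in the common otpauth provisioning format) and HMAC-SHA1 (the RFC 6238 default); all function names are hypothetical.

```python
import base64
import hashlib
import hmac
import struct

STEP = 30    # token lifetime in seconds, as stated on this page
DIGITS = 6   # token length, as stated on this page
GRACE = 4    # "expiry mode" window in seconds, as stated on this page

def decode_secret(secret: str) -> bytes:
    """Decode a Base32 secret (assumed encoding); tolerate spaces, case, missing padding."""
    s = secret.replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))

def hotp(key: bytes, counter: int) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, then dynamic truncation."""
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** DIGITS).zfill(DIGITS)

def totp(secret: str, now: int) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the current 30 s time step."""
    return hotp(decode_secret(secret), now // STEP)

def copy_allowed(now: int, grace_enabled: bool = True) -> bool:
    """Mirror the page's rule: no copying in the last GRACE seconds of a step."""
    remaining = STEP - (now % STEP)
    return not grace_enabled or remaining > GRACE

def verify(secret: str, candidate: str, now: int, window: int = 1) -> bool:
    """Issuer-side check accepting +/- `window` steps to absorb clock drift."""
    key = decode_secret(secret)
    step = now // STEP
    ok = False
    for delta in range(-window, window + 1):
        if step + delta < 0:
            continue
        # compare_digest avoids leaking how much of the code matched via timing
        ok |= hmac.compare_digest(hotp(key, step + delta), candidate)
    return ok

# Constructed sample: Base32 of the RFC 6238 test key "12345678901234567890"
SAMPLE_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
```

A token copied one second before the refresh is only accepted afterwards if the issuer checks neighbouring time steps as `verify` does with `window=1`; with `window=0` the same token is rejected, which is the login failure the grace period is meant to avoid.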