3/17/09

Barada: Open Source Two-Factor Authentication System

Perhaps you occasionally find it necessary to access your email or log in to a remote server from a computer that is not your own. The problem, of course, is that it is often unwise to type your password into computers that are not under your control. Terminals at libraries, internet cafes, or maybe even your less-careful friends' houses could be running keystroke loggers.

There are existing solutions for this, of course. The two obvious choices are a One Time Password system (like S/Key or OTPW) or a Two-Factor Authentication system (like RSA SecureID or CryptoCard). We don't like the OTP option because it requires that you carry a list of passwords around with you, there can be logistical problems if you get to the end of your list while you're still traveling, and you have to type your constant "prefix" for each OTP into untrusted computers. So we prefer two-factor authentication because there is the security of two factors (something you have and something you know) and it solves the keystroke logging problem in a more convenient way (no lists, no out-of-date information, no typing of anything but a temporary access code into untrusted computers).

Ironically, then, the problem with systems like SecureID or CryptoCard is that they're often not convenient. They cost money to license, the hardware costs money, and they're difficult to maintain. You have to set up a dedicated Solaris machine with RADIUS support just to deploy SecureID, which isn't really great for someone with a small setup.

And that's why we wrote this. Barada turns your phone into a two-factor authentication device. It's an implementation of the HOTP protocol in the form of a PAM module (the server) and an Android application (the client).

Basically, in addition to a normal password, users are also assigned a PIN number and a 128-bit key. Every time you'd like to log in using two-factor authentication, you open up the Android application, type in your PIN number, and get back a six-character one time password that you can then use to authenticate remotely. The PIN number is not stored on the phone, and the OTP can only be used exactly once. Thus, the loss of the phone does not result in leaked passwords, and the capture of an OTP does not result in remote access.
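As an added example (not Barada's own code), this is the HOTP generation and single-use verification the paragraph describes, in Python: the client side computes the six-digit code from the shared key and a counter, and the server side accepts a code only once by advancing its counter past the matching value. The key and expected codes are the RFC 4226 test vector rather than a 128-bit Barada key, and since this page does not say how Barada combines the user's PIN with the key, the example takes the raw key directly (a stated assumption).

```python
import hashlib
import hmac
import struct


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation, then the low `digits` decimal digits (zero-padded)."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (
        (mac[offset] & 0x7F) << 24
        | mac[offset + 1] << 16
        | mac[offset + 2] << 8
        | mac[offset + 3]
    )
    return str(code % (10 ** digits)).zfill(digits)


class HotpVerifier:
    """Server-side state for one user (what a PAM module would persist):
    the shared key and the next counter value it is willing to accept.
    A code is accepted only for a counter at or after that value, within
    a look-ahead window, and acceptance moves the counter past the match,
    so the same code (and any skipped earlier one) can never be used again."""

    def __init__(self, key: bytes, window: int = 10):
        self.key = key
        self.next_counter = 0
        self.window = window  # bounds how far the phone may run ahead

    def verify(self, code: str) -> bool:
        for c in range(self.next_counter, self.next_counter + self.window):
            # constant-time compare so timing does not leak partial matches
            if hmac.compare_digest(hotp(self.key, c), code):
                self.next_counter = c + 1
                return True
        return False


# Constructed known-answer check: RFC 4226 Appendix D test key (ASCII digits).
RFC4226_KEY = b"12345678901234567890"
```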

This module can be installed above the normal authentication module in the PAM stack, so at any moment you can use either your normal password or Barada's two-factor authentication interchangeably. Sitting at a trusted computer, you might choose to quickly type in a password, while you might choose to use two-factor authentication when using an untrusted or public computer.

Download: Barada
