QR Based provisioning for MOTP Based systems

In the classic implementation of MOTP two-factor authentication the secret hashes used to produce one-time passwords are generated on the mobile application during the first initialization.
This is rather inconvenient as the hash needs to be entered manually on the server. Token2 has agreed with the creators of MOTP to introduce a new procedure of initialization of OTP clients: similar to TOTP based systems, the hash can now be generated on the server side and be presented to the clients in the format of a QR code.
Token2 Mobile OTP is the first (and currently the only) mobile application supporting this method.

Specifications

Matthias Straub, creator of MOTP, has agreed with our proposal to use the URI format below:
 motp://[SITENAME]:[USERNAME]?secret=[SECRET-KEY]
As per the MOTP specifications, the secret key should be a 16-hex-digit hash, so it is rather simple to generate such keys in any programming language. See a few examples below:

PHP >= 5.3
bin2hex(openssl_random_pseudo_bytes(8));

Perl
use Crypt::URandom qw(urandom);              # OS CSPRNG; Perl's rand() is predictable
my $rand_hex = unpack "H*", urandom(8);      # 8 random bytes -> 16 hex digits

Javascript
function genHEX(){
    // Take 8 random bytes from the platform CSPRNG; Math.random() is not suitable for secrets.
    var bytes = new Uint8Array(8);
    crypto.getRandomValues(bytes);
    var secret = "";
    for (var i = 0; i < bytes.length; i++){
        // Each byte becomes two lowercase hex digits, giving 16 digits in total
        secret += ("0" + bytes[i].toString(16)).slice(-2);
    }
    return secret;
}

Python
#!/usr/bin/env python3
import secrets  # CSPRNG-backed; the random module is not suitable for secrets
alpha = "0123456789ABCDEF"
print(''.join(secrets.choice(alpha) for _ in range(16)))

QR Image generation

You can use a QR generation library for your platform, or a JavaScript library to keep generation on the client side (you can search for "QR Generation" on GitHub, for example). Alternatively, you can use the Google Chart API to generate the QR image, with the URI submitted as a GET parameter.
See the example below:
https://chart.googleapis.com/chart?chs=250x250&cht=qr&chl=motp://MotpTest:Alice-always-the-Same?secret=48826cafc8795520 


If you scan the QR image above when creating a new profile with Token2 Mobile OTP, an MOTP profile will be created automatically.
For backward compatibility, Token2 Mobile OTP also supports client-side hash generation: touching the little icon next to the hash field generates and shows the secret key immediately, so the application can be used as a standard MOTP client.
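
Added example (not Token2's or the MOTP project's code): server-side provisioning in Python that draws the secret from the OS CSPRNG, builds the URI in the format given under Specifications, and validates a URI read back from a QR code. The function names and the percent-encoding of SITENAME and USERNAME are assumptions; the page does not define escaping rules.

```python
import re
import secrets
from urllib.parse import parse_qs, quote, unquote

SECRET_RE = re.compile(r"[0-9a-fA-F]{16}")  # 16 hex digits, as the page requires


def new_secret():
    """Return 16 hex digits (64 bits) drawn from the OS CSPRNG."""
    return secrets.token_hex(8)


def build_motp_uri(site, user, secret):
    """Return motp://[SITENAME]:[USERNAME]?secret=[SECRET-KEY]."""
    if not site or not user:
        raise ValueError("site and user must be non-empty")
    if not SECRET_RE.fullmatch(secret):
        raise ValueError("secret must be exactly 16 hex digits")
    # Assumption: names are percent-encoded so that ':', '?' or '&' inside
    # them cannot shift the field boundaries of the URI.
    # The secret's case is left untouched; server and client must store
    # the identical string.
    return "motp://{}:{}?secret={}".format(
        quote(site, safe=""), quote(user, safe=""), secret)


def parse_motp_uri(uri):
    """Return (site, user, secret); raise ValueError on malformed input."""
    if not uri.startswith("motp://"):
        raise ValueError("not a motp:// URI")
    label, _, query = uri[len("motp://"):].partition("?")
    site, sep, user = label.partition(":")
    if not sep or not site or not user:
        raise ValueError("expected SITENAME:USERNAME")
    values = parse_qs(query).get("secret", [])
    if len(values) != 1 or not SECRET_RE.fullmatch(values[0]):
        raise ValueError("expected exactly one 16-hex-digit secret")
    return unquote(site), unquote(user), values[0]


if __name__ == "__main__":
    # Constructed sample names, taken from the example URL on this page
    uri = build_motp_uri("MotpTest", "Alice-always-the-Same", new_secret())
    print(uri)
    print(parse_motp_uri(uri))
```

The returned string can be handed to a locally hosted QR library, which keeps the secret out of third-party request logs.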

Token2 Mobile OTP : your universal two factor authenticator

This application generates OTPs using Token2's proprietary algorithm but is not limited to it: it also supports TOTP and MOTP, so you can use the same application for other sites requiring two-factor authentication. For example, wherever you see a requirement to use Google Authenticator, feel free to use our app, as it is even more secure due to the additional layer of protection with a PIN code.

Token2 Mobile OTP | One Time Password generator for two factor authentication

  • Supports proprietary Token2 algorithm
  • Supports TOTP as per RFC 6238
  • Supports additional PIN code protection for standard TOTP profiles
  • Supports Classic MOTP (with client side secret generation)
  • Supports MOTP with QR based enrolment