How to set up and use our secure One Time Password generator (updated)

August 20th, 2015

Note: this post is the updated version of this one. The recommended Android app to generate one-time passwords is now Yubico Authenticator.

Passwords have been unpopular for a while. Every few weeks a major news site publishes some variation on the “the password is dead” theme. To improve login security, many of the leading online service providers have introduced “two-factor authentication”, in which your password (“something you know”: the first authentication factor) is complemented with a second factor that is “something you have”. If that “something” is a tamper-resistant chip that runs its code securely, anyone wanting to get at your information has a much tougher task ahead. As you might have guessed, one such “thing” is the Fidesmo Card. You prove that you actually have it by making it generate a “one-time password” (OTP); the server generates the same password from the same seed, and if the two match you are welcome in.

If you are a public personality, or simply security conscious, you should keep your second factor on a device other than the one you are logging in from, and on one that is secure and tamper resistant: that is why a contactless smart card is such a good idea.

This article explains, step-by-step, how you can use a Fidesmo Card to set up two factor authentication for one of the most popular online services: Google.

What you need

  • A Fidesmo Card
  • An Android phone with NFC capabilities
  • The Fidesmo Android App
  • The Yubico Authenticator Android app
  • A service that accepts an OTP as a second factor. As an example I will use Google Accounts, although many others (Facebook, Evernote, GitHub…) have also introduced OTPs as a way to improve security.

Initial preparation

  1. Install the Fidesmo App onto your Android phone.
  2. Open the Fidesmo App. It will present a list of available “Card Apps”, applications that you can install on your card. Scroll down until you find “Fidesmo OTP”.
  3. Press the “Install” button and follow the instructions displayed on the screen.
  4. Install the Yubico Authenticator app onto your Android phone.

Configuring an online service to use a Fidesmo Card-based OTP generator: Gmail

Turn on 2-Step Verification for your Google account, if you haven’t done so yet. You will have to initiate the procedure with a mobile phone. Instructions are here:

Once that is done, go to your account settings and click on “2-Step Verification”.

This is how it looks for me:

Click on the “Switch to app” button, and select “Android” as your phone type in the following dialog box. Something like this will pop up:

Instead of installing Google Authenticator (as the instructions on the popup say), open the Yubico Authenticator app on your phone and follow this sequence of steps:

  1. The first time you open Yubico Authenticator it will ask you to tap a YubiKey NEO; we will use a Fidesmo Card instead. But before you can view any credentials, you need to load them first!
  2. Open the overflow menu (the three dots in the top right corner) and select “Scan account QR-code”: your phone’s camera will activate. Read the QR code on your computer screen with it. Yubico Authenticator will parse it (assigning a name to the credential, which you can edit) and ask you to tap the YubiKey NEO or Fidesmo Card so that it can store the credential. Note that the QR code encodes the seed itself, so anyone who can copy it can generate the same passwords: don’t leave it on screen longer than needed.
  3. Time to tap your Fidesmo Card! Yubico Authenticator will store the new credential on the card and generate the first one-time password: enter it in the field under the QR code (see the screenshot above).

    Yubico Authenticator, generating the first one-time password

Using the OTP generator on your Fidesmo Card

Let’s imagine you now want to log into your Google account using a different computer. Google will ask you for two-factor authentication: your password, and the OTP using the Fidesmo Card:

Get hold of your phone and open the Yubico Authenticator app. Tap the Fidesmo Card and the one-time password appears above the credential’s name:

So you just need to type it into the 2-step verification box above, and you are done!
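The two steps above (the card stores the seed from the QR code, then the card generates a password that the server checks against its own copy of the seed) are the standard OATH time-based one-time password scheme (RFC 6238, built on the HMAC-based HOTP of RFC 4226). Google's QR code carries an `otpauth://totp/...` URI with the seed in base32. The following Python is an added example written for this article, not code from Fidesmo, Yubico or Google: it parses such a URI, computes the password the way the card does, and verifies it the way the server does. The URI and the account name in it are constructed for the example; the seed is the published RFC 6238 test secret.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, unquote, urlparse

# Constructed sample of what the QR code on the 2-Step Verification page encodes.
# Secret = ASCII "12345678901234567890", the RFC 6238 test vector seed.
SAMPLE_URI = ("otpauth://totp/Google%3Aalice%40example.com"
              "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Google")


def parse_otpauth(uri):
    """Parse an otpauth://totp/ URI into label, raw seed bytes and parameters.
    This is what the authenticator app does before handing the seed to the card."""
    u = urlparse(uri)
    if u.scheme != "otpauth" or u.netloc != "totp":
        raise ValueError("not a TOTP otpauth URI")
    q = {k: v[0] for k, v in parse_qs(u.query).items()}
    secret_b32 = q["secret"].upper().replace(" ", "")
    secret_b32 += "=" * (-len(secret_b32) % 8)   # padding is usually omitted in URIs
    return {
        "label": unquote(u.path.lstrip("/")),
        "secret": base64.b32decode(secret_b32),
        "digits": int(q.get("digits", 6)),
        "period": int(q.get("period", 30)),
        "algorithm": q.get("algorithm", "SHA1").upper(),
    }


def hotp(secret, counter, digits=6, algorithm="SHA1"):
    """RFC 4226: HMAC over the 8-byte big-endian counter, then dynamic truncation.
    With a card-based credential the HMAC is the part computed on the chip; the
    seed never has to leave it, the phone only supplies the counter."""
    mac = hmac.new(secret, struct.pack(">Q", counter),
                   getattr(hashlib, algorithm.lower())).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, at=None, period=30, digits=6, algorithm="SHA1"):
    """RFC 6238: HOTP with counter = floor(unix_time / period)."""
    at = time.time() if at is None else at
    return hotp(secret, int(at) // period, digits, algorithm)


def verify_totp(secret, submitted, at=None, period=30, digits=6,
                algorithm="SHA1", window=1):
    """Server side: accept the code for the current time step and for
    `window` steps either side (clock drift), using a constant-time compare."""
    at = time.time() if at is None else at
    step = int(at) // period
    for delta in range(-window, window + 1):
        expected = hotp(secret, step + delta, digits, algorithm)
        if hmac.compare_digest(expected, submitted):
            return True
    return False


if __name__ == "__main__":
    cred = parse_otpauth(SAMPLE_URI)
    print(cred["label"], "->", totp(cred["secret"]))
```

Both sides must agree on the seed, the period and the clock: a password is only valid for its 30-second step (plus the server's tolerance window), which is why a card-generated code that is typed in too late is rejected rather than replayed.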

That’s all there is to it. Your Google account is now protected by two-factor authentication (2FA) no matter which device you log in from, be it a computer or a mobile device. To complete your security, be sure to keep the backup codes in a secure and remote place. If you want to add this extra layer of security to other parts of your online life, you can do so for most of the services that have a “Software Implementation” on this extensive list of services that support 2FA login. If you have any trouble following this guide, or questions and tips regarding online security or our services, do not hesitate to tweet @ us!