How to set up and use our secure One Time Password generator

April 8th, 2015

Note: we now recommend a different Android app for generating one-time passwords. See the updated instructions in this blog post.

Passwords have been unpopular for a while. Every few weeks a major news site publishes some variation on the “the password is dead” theme. To improve login security, many of the leading online service providers have introduced “two-factor authentication”, in which your password (“something you know”, the first factor) is complemented with a second factor that is “something you have”. If that “something” is a tamper-resistant chip running its code securely, anyone wanting to access your information has a much harder task ahead. As you might have guessed, one such “thing” is the Fidesmo Card. You prove that you actually have it by making it generate a “one-time password” (OTP); the server generates the same OTP from the same shared seed, and if both match, you are welcome in.

If you are a public figure or simply security conscious, you should keep your second factor on a device other than the one you are logging in from, and that device should be secure and tamper resistant: that is why a contactless smart card is such a good fit.

This article explains, step by step, how to use a Fidesmo Card to set up two-factor authentication for one of the most popular online services: Google.

What you need

  • A Fidesmo Card
  • An Android phone with NFC capabilities
  • The Fidesmo Android App
  • A version of the FreeOTP Android app modified to use a Fidesmo Card as secure storage for the OTP secret seed. You can download it from here. Once our code contribution is accepted into the official FreeOTP codebase, it will be available in Google Play.
  • A service that accepts an OTP for secure access. As an example, I will use Google Accounts, although many others (Facebook, Evernote, GitHub…) have also introduced OTPs as a way to improve security.

Initial preparation

  1. Install the Fidesmo App onto your Android phone.
  2. Open the Fidesmo App. It presents a list of available “Card Apps”, applications that you can install on your card. Scroll down until you find “Fidesmo OTP”.
  3. Press the “Install” button and follow the instructions displayed on the screen.
  4. Install the modified FreeOTP APK on your Android phone. Since it is not in the Google Play store yet, you will need to copy the APK file to your phone and install it manually. You can read some instructions here.

Configuring an online service to use a Fidesmo Card-based OTP generator: Gmail

Configure 2-step verification in your Gmail account, if you haven’t done so yet. You will have to initiate the procedure using a mobile phone. Instructions are here: https://www.google.com/landing/2step/

Once that is done, go to your account settings at https://myaccount.google.com/ and click on “2-step verification”.

This is how it looks for me:

Click on the “Switch to app” button, and select “Android” as your phone type in the following dialog box. Something like this will pop up:

Instead of installing Google Authenticator (as the instructions on the popup say), open the FreeOTP app on your phone and follow this sequence of steps:

  1. The first time you open FreeOTP, it has no tokens stored. Tokens can be stored on the phone or on the Fidesmo Card, which is what we do here and is much more secure.
  2. Tap the Fidesmo Card with the phone. Two things happen:
    1. FreeOTP enters NFC mode: the app name in the title bar is now FreeOTP(NFC)
    2. FreeOTP reads the FidesmoOTP applet on the card and checks the tokens stored there: none yet, of course
  3. Now that FreeOTP is in NFC mode, it is time to scan Google’s QR code. Press the QR icon at the top of the app: your phone’s camera activates. Read the QR code on your computer screen with it. FreeOTP parses it and asks you to tap the Fidesmo Card again, so it can store the token there.
  4. Tap the Fidesmo Card with the phone. The token that securely generates one-time passwords for your Google account is now stored on your Fidesmo Card!

Using the OTP generator on your Fidesmo Card

Let’s imagine you now want to log into your Google account from a different computer. Google asks you for both factors: your password, and the OTP from the Fidesmo Card:

Get hold of your phone and open the FreeOTP app. Since we stored the token on the card and not on the phone, the same initial screen as before is shown: no tokens on this device. Tap the Fidesmo Card and the list of installed tokens appears:

While holding the card against your phone (easy if you hold both in the same hand), press the big blue cube icon on the left. The phone uses the token on your Fidesmo Card to generate the one-time password and displays it to you:

So you just need to type it into the 2-step verification box above, and you are done!
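To show what happens underneath steps 3 and 4 above (the QR code carries an otpauth:// URI whose Base32 secret becomes the seed stored on the card) and what the card and the server each compute when you log in, here is an added example in Python; it is not part of the original post or of FreeOTP or the Fidesmo applet. The sample URI, account label and seed are constructed (the seed is the RFC 6238 test vector, so the codes are the RFC’s published values), and the window and constant-time comparison in `verify` are my assumptions about a reasonable server.

```python
import base64, hashlib, hmac, struct, time
from urllib.parse import parse_qs, unquote, urlparse

# Constructed sample of the otpauth:// URI carried by Google's QR code. The
# secret is the RFC 6238 test seed "12345678901234567890" in Base32, not a
# real account seed, so the expected codes are the RFC's published values.
SAMPLE_URI = ("otpauth://totp/Google%3Aalice%40example.com"
              "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Google")

def parse_otpauth(uri):
    """What FreeOTP does at step 3: turn the scanned URI into a token record."""
    u = urlparse(uri)
    if u.scheme != "otpauth" or u.netloc != "totp":
        raise ValueError("only otpauth://totp/ URIs are handled here")
    q = parse_qs(u.query)
    secret = q["secret"][0].upper()
    secret += "=" * (-len(secret) % 8)  # restore Base32 padding if stripped
    return {
        "label": unquote(u.path.lstrip("/")),
        "issuer": q.get("issuer", [""])[0],
        "seed": base64.b32decode(secret),     # this is what goes onto the card
        "period": int(q.get("period", ["30"])[0]),
        "digits": int(q.get("digits", ["6"])[0]),
    }

def totp(seed, counter, digits=6):
    """RFC 4226 HOTP over a time counter: HMAC-SHA1 then dynamic truncation."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def generate(token, now=None):
    """Card side: the code for the current 30-second step (RFC 6238)."""
    now = time.time() if now is None else now
    return totp(token["seed"], int(now) // token["period"], token["digits"])

def verify(token, submitted, now=None, window=1):
    """Server side: recompute from the same seed for the current step and its
    neighbours (clock skew), comparing in constant time."""
    now = time.time() if now is None else now
    step = int(now) // token["period"]
    return any(
        hmac.compare_digest(totp(token["seed"], step + d, token["digits"]), submitted)
        for d in range(-window, window + 1)
    )
```

The seed never leaves the card in the real setup; here both sides hold it only so the example can show that the card’s `generate` and the server’s `verify` agree.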

That’s all there is to it. Your Google account is now secured with 2FA (two-factor authentication) no matter which device you log in from, be it a computer or a mobile device. To complete your setup, be sure to keep the backup passwords in a secure, separate place. If you want to add this extra layer of security to other parts of your online life, you can do so for most of the services that have a “Software Implementation” on this extensive list of services that support 2FA login. If you have any trouble following this guide, or questions and tips regarding online security or our services, do not hesitate to tweet @ us!