# OneTimePassword auth example

## Terminology

auth=Authentication, tmp=Temporary

## Common Procedure

1. Clone this repository
2. cd $TOP/otp

## WebSocket mode

1. ./otp.rb
2. Open http://localhost:3000/otp.html

## CGI mode

1. ./web.rb
2. ./otp-cgi.rb
3. Open http://localhost:3000/otp-cgi.html

## OTP Procedure for WebSocket Client

| Client          | Data Flow | Server                              | Person        |
|-----------------|-----------|-------------------------------------|---------------|
| (First Access)  |           | Nothing                             |               |
| Username(email) | -->       | (store)                             |               |
| (storage)       | <--       | tmpKey                              |               |
| ..              |           | passcode                            | --> get via email |
| Passcode+tmpKey | -->       | Verify                              |               |
| (storage)       | <--       | SessionKey                          |               |
| SessionKey      | -->       | Set AuthFlag for connection channel |               |

All keys and passcodes are stored in databases (server side) or localStorage (browsers). Note that localStorage is readable by any script running on the page's origin, so a tmpKey or SessionKey kept there is exposed to cross-site scripting on that origin.

## OTP Procedure for CGI Client

The CGI script handles exactly one request and then exits, so the flow is three separate requests. The client carries tmpKey and SessionKey between them in its own storage.

First request (username):

| Client          | Data Flow | Server   | Person            |
|-----------------|-----------|----------|-------------------|
| Username(email) | -->       | (store)  |                   |
| (storage)       | <--       | tmpKey   |                   |
| ..              |           | passcode | --> get via email |
| ..              |           | exits    |                   |

Second request (verify):

| Client          | Data Flow | Server     | Person |
|-----------------|-----------|------------|--------|
| Passcode+tmpKey | -->       | Verify     |        |
| (storage)       | <--       | SessionKey |        |
| ..              |           | exits      |        |

Third and later requests (authenticated):

| Client           | Data Flow | Server      | Person |
|------------------|-----------|-------------|--------|
| User+SessionKey  | -->       | Auth OK     |        |
| (expand to view) | <--       | Any answers |        |
| ..               |           | exits       |        |

## Difference between CGI and WebSocket Servers

### CGI server

One response for one request.

![](persession.png)

### WebSocket server

Persistent connection per session. One server serves multiple clients.

![](wsserver.png)
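The server side of the OTP procedure described above, written out as an added example. This is not the project's otp.rb or otp-cgi.rb; it is a self-contained Ruby state machine that models the three steps (username in, tmpKey out; passcode+tmpKey in, SessionKey out; user+SessionKey in, AuthFlag set) with an in-memory Hash standing in for the server-side database and a caller-supplied block standing in for email delivery, so it runs offline. The passcode lifetime, attempt limit, passcode length and the fact that passcodes are stored as HMACs rather than in the clear are assumptions added here for the worked example, not details taken from the page.

```ruby
require 'securerandom'
require 'openssl'

# Hypothetical server-side model of the OTP flow on this page (not the project's code).
class OtpServer
  PASSCODE_TTL = 300   # seconds a passcode/tmpKey pair stays valid (assumed value)
  MAX_ATTEMPTS = 5     # failed verifications before the tmpKey is discarded (assumed)

  # clock is injectable so expiry can be exercised without sleeping.
  def initialize(clock: -> { Time.now.to_i })
    @clock    = clock
    @pending  = {}   # tmpKey => { email:, passcode_hmac:, issued_at:, attempts: }
    @sessions = {}   # SessionKey => { email:, auth_ok: }
    @secret   = SecureRandom.random_bytes(32)   # server-only key for HMACing stored passcodes
  end

  # Step 1: client sends Username(email). Server stores it, returns tmpKey to the
  # client, and hands the passcode to the mailer block (never to the client).
  def request_passcode(email, &mailer)
    tmp_key  = SecureRandom.urlsafe_base64(24)
    passcode = format('%06d', SecureRandom.random_number(1_000_000))
    @pending[tmp_key] = { email: email, passcode_hmac: hmac(passcode),
                          issued_at: @clock.call, attempts: 0 }
    mailer.call(email, passcode)
    tmp_key
  end

  # Step 2: client sends Passcode+tmpKey. Returns SessionKey on success, nil otherwise.
  def verify(tmp_key, passcode)
    entry = @pending[tmp_key]
    return nil unless entry
    if @clock.call - entry[:issued_at] > PASSCODE_TTL || entry[:attempts] >= MAX_ATTEMPTS
      @pending.delete(tmp_key)   # expired or locked: client must start over at step 1
      return nil
    end
    entry[:attempts] += 1
    return nil unless secure_equal(entry[:passcode_hmac], hmac(passcode))
    @pending.delete(tmp_key)     # passcode and tmpKey are single-use
    session_key = SecureRandom.urlsafe_base64(32)
    @sessions[session_key] = { email: entry[:email], auth_ok: false }
    session_key
  end

  # Step 3: client sends User+SessionKey. WebSocket mode sets the AuthFlag once per
  # channel; CGI mode repeats this check on every request. Returns true/false.
  def authenticate(email, session_key)
    session = @sessions[session_key]
    return false unless session && session[:email] == email
    session[:auth_ok] = true
  end

  def authenticated?(session_key)
    !!@sessions.dig(session_key, :auth_ok)
  end

  private

  def hmac(value)
    OpenSSL::HMAC.digest('SHA256', @secret, value)
  end

  # Constant-time comparison so verify() does not leak passcode bytes via timing.
  def secure_equal(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

if __FILE__ == $0
  server = OtpServer.new
  inbox  = {}   # constructed stand-in for the person's mailbox
  tmp  = server.request_passcode('alice@example.com') { |to, code| inbox[to] = code }
  sess = server.verify(tmp, inbox['alice@example.com'])
  server.authenticate('alice@example.com', sess)
  puts server.authenticated?(sess)
end
```

The three public methods map one-to-one onto the three requests of the CGI table; in WebSocket mode the same object would live for the whole connection and `authenticate` would flip the channel's AuthFlag once. Binding the SessionKey to the email at creation is what makes the "User+SessionKey" check in the third step meaningful: a stolen SessionKey presented with a different username is rejected.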