Mathematically .. think salted hash of list of known values. Output is on the card .. you compare the values you have against what they gave you and see if it matches. The salt is unique per card. You buy them in bulk and you get a list of serial numbers = card ID .. usually there's a QR so you can do it somewhat easily via your credentialing office (make someone else do that BS, it's big numbers).
In CAS it's like any other plugin. The value of the current card and salt is stored in (somewhere) and identifiable by (something) like the DN. It looks up both, just like how the others work. IIRC you can also do it via API but that's a bad dependency if it's not you running it, and why bother if it's you.
Michael Holstein CISSP
Cleveland State University
Forgot the salient bit.
For the user it's typically like a lottery ticket, but need not be. You say "provide the code for #56 on your card" and they run their finger down the list and type that in. When they get to ~85% of the numbers you mail them a new card. You can also do it electronically but that kind of defeats the point. Lots of companies make these, just google "OTP scratch card".
-Mike.
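A sketch of the scheme the two messages above describe, added here as an example; it is not code from the post, from CAS, or from any card vendor. The function names, the record layout, the 8-digit code length and the use of PBKDF2 as the salted hash are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

REISSUE_AT = 0.85    # the post's "~85% of the numbers"
ITERATIONS = 50_000  # assumption: slow salted hash, since short codes are guessable

def _hash(salt, index, code):
    # Salted hash bound to the code's position on the card.
    return hashlib.pbkdf2_hmac("sha256", f"{index}:{code}".encode(), salt, ITERATIONS)

def issue_card(serial, size=100, digits=8):
    """Return (printed_codes, server_record); only the record is stored."""
    salt = secrets.token_bytes(16)  # unique per card
    codes = [f"{secrets.randbelow(10**digits):0{digits}d}" for _ in range(size)]
    record = {
        "serial": serial,  # card ID the lookup is keyed on
        "salt": salt,
        "hashes": [_hash(salt, i + 1, c) for i, c in enumerate(codes)],
        "used": set(),     # positions already consumed
    }
    return codes, record

def pick_challenge(record):
    """Choose an unused position, e.g. 'provide the code for #56'."""
    total = len(record["hashes"])
    unused = [i for i in range(1, total + 1) if i not in record["used"]]
    return secrets.choice(unused) if unused else None

def verify(record, index, code):
    """Check the typed code; a position is burned once it verifies."""
    if index in record["used"] or not 1 <= index <= len(record["hashes"]):
        return False
    expected = record["hashes"][index - 1]
    ok = hmac.compare_digest(expected, _hash(record["salt"], index, code))
    if ok:
        record["used"].add(index)  # one-time: a replay of this code fails
    return ok

def needs_reissue(record):
    """True once enough of the card is spent that a new one should be mailed."""
    return len(record["used"]) / len(record["hashes"]) >= REISSUE_AT
```
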