We have decided to start work on Multi-factor authentication, by way of releasing an iPhone, Android and Blackberry app for our customers.
Think Google Authenticator's
Well, it doesn't have to be unique. It just has to have a fair bit of entropy, meaning that the chances of getting the same string are fairly low.
One way of doing this is taking your hash and cutting off a certain number of integers:
var hash = sha1(salt + device + secretKey);
var numbers = base_convert(hash, 16, 10); // Convert hex string to an integer
var key = numbers % 100000; // Limit to 5 digits (you can change this on need)
Just remember to left-pad the number out so that it starts with a literal 0 if it's too short.
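The truncation described in the answer above, as an added Node.js example that is not part of the original post. It goes beyond the answer by also showing the counter-based HMAC construction from RFC 4226 (HOTP) and RFC 6238 (TOTP), the scheme Google Authenticator implements. The function names `codeFromHex`, `staticCode`, `hotp` and `totp` are hypothetical, and the sample inputs are constructed except for the RFC 4226 test-vector key.

```javascript
const crypto = require('crypto');

// The answer's truncation step. SHA-1 is 160 bits, so the hex string must go
// through BigInt: parseInt(hex, 16) rounds to a 53-bit double and corrupts
// the low digits that the modulo is about to keep.
function codeFromHex(hexHash, digits = 5) {
  const key = BigInt('0x' + hexHash) % (10n ** BigInt(digits));
  return key.toString().padStart(digits, '0'); // left-pad with literal 0
}

// The answer's scheme end to end: a fixed code per (salt, device, secretKey).
function staticCode(salt, device, secretKey, digits = 5) {
  const hash = crypto.createHash('sha1')
    .update(salt + device + secretKey).digest('hex');
  return codeFromHex(hash, digits);
}

// RFC 4226 (HOTP): HMAC over a moving counter, so the code changes with
// every counter value instead of staying fixed.
function hotp(secret, counter, digits = 6) {
  const msg = Buffer.alloc(8);
  msg.writeBigUInt64BE(BigInt(counter));
  const mac = crypto.createHmac('sha1', secret).update(msg).digest();
  const offset = mac[mac.length - 1] & 0x0f;         // dynamic truncation
  const bin = mac.readUInt32BE(offset) & 0x7fffffff; // clear the top bit
  return String(bin % 10 ** digits).padStart(digits, '0');
}

// RFC 6238 (TOTP): the counter is the number of 30-second steps since epoch.
function totp(secret, unixSeconds, step = 30, digits = 6) {
  return hotp(secret, Math.floor(unixSeconds / step), digits);
}

// Constructed sample inputs; the HMAC key is the RFC 4226 test-vector key.
console.log(staticCode('salt', 'device-1', 'secret'));
console.log(hotp('12345678901234567890', 0));         // 755224
console.log(totp('12345678901234567890', 59, 30, 8)); // 94287082
```

`staticCode` returns the same digits every time for a given device, so an observed code can be replayed; the counter or time input in `hotp` and `totp` is what makes each code short-lived.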