SMS-based one-time passwords (OTPs) provide an inexpensive, easy-to-use 2-factor authentication scheme. OTPs are generated and delivered to the user's cell phone (or to any other valid email address). The user then enters the OTP to complete authentication. We learned a great deal about OTP systems after the first release of IIS-OTP. The current release is optimized to run alongside the most often used Windows authentication scheme: Basic Auth authenticated against Windows or Windows AD accounts.

SMS email addresses and IIS-OTP

From customer experience we found that the easiest and fastest way to handle the SMS email address data was within IIS-OTP's own internal database. IIS-OTP maps the Windows/AD username to the user-specified address. This mapping does not occur at all until Windows/AD authentication has taken place. Users cannot 'spoof' the system (accidentally or on purpose) into mis-identification. This locks down overall system integrity, ensuring that one authenticated user cannot 'step on' another user's data.

2-factor authentication has proven to be very effective in securing web content. Most of what is available today are external devices that generate an OTP for verification on a proprietary server. Though effective, there is a substantial cost associated with the implementation of this scheme. Further, the user must learn to use and keep up with a new piece of hardware.

An SMS-based scheme offers several advantages. Most importantly, it requires no additional devices. Users already have cell phones. Further, they are familiar with the security mechanisms to prevent unauthorized use. This means the system requires NO ADDITIONAL HARDWARE to implement.

From the user's point of view, authentication occurs as follows: 
 


Phase I: Normal Windows/AD Username/Password used 

The Generate/Enter OTP ASP page loads. The user clicks 'Generate OTP'.

Phase II: Upon Windows/AD authentication, IIS-OTP generates a password that is sent to the user's cell phone. 

Phase III: The user enters the OTP from the cell phone screen and clicks 'Enter OTP'. 2-factor authentication is now complete.
 

This Generate/Enter OTP ASP page may optionally include links to other pages. As shipped, it contains a link to the 'update SMS address' ASP page. First-time access to the system is most conveniently facilitated by use of an 'admin generated OTP' that is good for an admin-specified time limit. The admin could, for instance, create a single OTP that is good for 3 days so that all new users would use the same one. Upon session establishment, the new user should immediately set/update their SMS address.
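
The three phases and the username-to-address mapping described above can be sketched as follows. This is an added example, not IIS-OTP's own code: the class and method names, the in-memory dictionaries, the 6-digit OTP and the 300-second lifetime are all assumptions made for illustration. `auth_user` stands for the username the server obtained from the completed Windows/AD logon.

```python
import hmac
import secrets
import time


class OtpGate:
    """Second-factor gate keyed on the username the first factor verified."""

    def __init__(self, ttl_seconds=300, clock=time.monotonic):
        self.addresses = {}  # authenticated username -> SMS email address
        self.pending = {}    # authenticated username -> (otp, expiry time)
        self.outbox = []     # stand-in for the SMS/email gateway
        self.ttl = ttl_seconds
        self.clock = clock

    def set_address(self, auth_user, address):
        # The key is the server-verified identity, so a session can only
        # ever write its own entry.
        self.addresses[auth_user] = address

    def generate(self, auth_user):
        # Phase II: the destination is looked up from the authenticated
        # name; nothing the browser submits selects where the OTP goes.
        address = self.addresses.get(auth_user)
        if address is None:
            return False
        otp = f"{secrets.randbelow(10**6):06d}"
        self.pending[auth_user] = (otp, self.clock() + self.ttl)
        self.outbox.append((address, otp))
        return True

    def verify(self, auth_user, submitted):
        # Phase III: pop first so an OTP is single use and one wrong guess
        # forces a new one to be generated (a design choice of this sketch).
        entry = self.pending.pop(auth_user, None)
        if entry is None:
            return False
        otp, expiry = entry
        if self.clock() > expiry:
            return False
        return hmac.compare_digest(otp.encode(), submitted.encode())


if __name__ == "__main__":
    gate = OtpGate()
    gate.set_address("CORP\\alice", "5550100@sms.example")  # constructed sample
    gate.generate("CORP\\alice")
    address, otp = gate.outbox[-1]
    print(address, gate.verify("CORP\\alice", otp))
```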