Recently I started using a 2-factor authentication process to log in to my email at work. Initially I used the SMS option as the 2nd step, but sometimes the message could take as long as 10 minutes to arrive. Because of this I decided to switch to Google Authenticator, which made my life a lot easier. You just download an app for your iPhone or Android (I think there is also one for Blackberry?) and sync it with your provider, and then the app starts generating 6-digit codes that last 30 seconds; after that they are never valid again, and you could never generate the same code again.
One day I didn’t notice that I had my iPhone in airplane mode and launched the Google Authenticator app and, like any other day, it generated a code and I was able to log in to my email. After noticing that the phone was in airplane mode I started wondering: how was this possible? How was an offline app synchronized with an online authentication server? (Before all of this, I assumed the app was somehow in sync with the auth server via the Internet, maybe using sockets?)
Of course my first reaction was to google “Google Authenticator”. After quickly reading the Wikipedia page I understood that it uses a Time-based One-time Password algorithm (aka TOTP) implementation to generate the codes. The TOTP algorithm uses the current time, a number of digits (the length of the generated code), a time interval (the valid lifetime of the generated code) and a key shared between the server and the client as the secret input to the code generation; this is where the server and the client are synchronized, because they use the same shared key to generate/validate a code. (This is a really brief explanation of the matter; you can always read more about TOTP if you are interested.)
This is all great, but why should I care? I’m not implementing a 2-factor authentication service!
Maybe you are not implementing a 2-factor auth service, but what if your mobile app generates promotions or coupons redeemable for a specific period of time? Wouldn’t it be amazing if your mobile app could generate time-based codes that your back-end system could validate without the two being synced over the Internet (or any other network)?
Since the only thing (other than the pre-configured settings: current time, number of digits and time interval) that the TOTP algorithm uses is the shared key, you could use each user’s identifier as the shared key to validate the promo/coupon codes generated by your mobile app and voilà! You have a way to validate, on your back-end system, promotional codes generated in real time by your mobile app.
Even better, on top of the codes being generated in real time when the user actually redeems the promotion (or coupon), you get protection against users who try to redeem a code twice, for two main reasons: every code is unique to the user, and once the code expires there is no way to regenerate it.
There you go: you have a good way to generate promotion or coupon codes in real time that live for a specific period of time and are never valid again afterwards. Plus you can validate them without having to generate them in advance, upload them into your back-end system and then sync your mobile app.
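As an added example (not code from the original post), here is the flow in Python: the app-side generator is TOTP as specified in RFC 6238 (HMAC-SHA1, 6 digits, 30-second steps, the same parameters Google Authenticator uses), and the back-end validator recomputes the code from the shared key, tolerates one step of clock drift, and refuses a second redemption of the same code. The per-user secret table and the user ids are constructed for the example.

```python
import hashlib
import hmac
import struct
import time

TIME_STEP = 30  # seconds each code stays valid
DIGITS = 6      # length of the generated code


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at=None, step: int = TIME_STEP, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time (app side)."""
    now = int(time.time()) if at is None else at
    return hotp(secret, now // step, digits)


class CouponValidator:
    """Back-end side: validates a code with no network round-trip to the app."""

    def __init__(self, secrets: dict, step: int = TIME_STEP, window: int = 1):
        self.secrets = secrets   # user id -> shared secret bytes (constructed table)
        self.step = step
        self.window = window     # accept +/- this many steps of clock drift
        self.redeemed = {}       # user id -> highest time-step counter already used

    def redeem(self, user_id: str, code: str, at=None) -> bool:
        secret = self.secrets.get(user_id)
        if secret is None or not (code.isascii() and code.isdigit() and len(code) == DIGITS):
            return False
        now = int(time.time()) if at is None else at
        counter = now // self.step
        for c in range(counter - self.window, counter + self.window + 1):
            if hmac.compare_digest(hotp(secret, c), code):
                if c <= self.redeemed.get(user_id, -1):
                    return False  # replay: this code (or a later one) was already used
                self.redeemed[user_id] = c
                return True
        return False  # no match inside the drift window, or code expired
```

The validator is only as strong as the secrecy of the shared key: if the key is simply the user's identifier, anyone who knows that identifier can compute valid codes for that user, so a random per-user secret provisioned to the app at install time is the safer choice.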
Let me know your thoughts on this.