One-Time Password example for PHP developers

Download: PHP-One-Time-Password-example.zip (3 Kb) (Source code included)

Fields of applications

If you wish to setup a secure and well-functioning system then you need to pay attention to the accessibility of your corporate data. Passwords are widely used to protect important data both in everyday and in business life. Though several problems can occur with these passwords. Employees write them down, lose them, forget them or send them in email. In such inconvenient cases, passwords are no longer able to function as security items. On the other hand, if you apply long and difficult passwords then nobody will be able to remember them. There is the same case if you change corporate passwords too often. All in all, static passwords are not able to provide high level security.

The solution is if you add SMS functionality to your corporate IT system with a powerful SMS gateway such as Ozeki NG SMS Gateway. With this SMS functionality you can introduce one-time passwords. These one-time passwords are sent to the mobile phones of users as SMS messages. So if authenticated users wish to login they need to provide this sent password. This effective method makes two-factor authentication possible. Two factor authentication means, that a user types in his password, then he receives an SMS text message to his mobile phone with a one-time security code and he needs to enter it to complete the authentication. This solution makes your IT system secure as users can enter the system only with the use of these one-time passwords. The life time of these passwords are quite short and if they are not used for some reason then they expire automatically. With this functionality you can ensure that no unauthorized person get access to your corporate data.

Prerequisites

In order to setup this solution you need to find a way to connect your system to the mobile network. You can do this by using an Internet connection or you can setup a wireless connection by attaching a GSM phone/GSM modem to your computer. To help you make a decision, we have prepared a webpage for you: Internet based SMS connections vs. GSM modem based (wireless) SMS connections. Depending on what you select, you need the following prerequisites.

Prerequisites for Internet based connection to the Mobile network

If you wish to connect your system to an SMS service provider over the Internet you need the following components:

Figure 1/a - Prerequisites for Ozeki NG SMS Gateway IP SMS connection

In this case you need to find an SMS service provider who can reach the mobile phones in your area. This SMS service provider should be able to provide SMS service through the Internet. To find such a provider, you can check our website where we list some of them: SMPP SMS Service providers. Once you have found such a provider, you need to sign up for their service to get the connection parameters. You can use these parameters to configure your Ozeki NG SMS Gateway software.

Prerequisites for wireless (GSM modem) connection to the Mobile network

If you wish to connect your system to the mobile network wirelessly, you need a GSM modem or GSM phone, that you can attach to your computer with a data cable. In this case your Ozeki NG SMS Gateway software will operate this phone and will send and receive SMS messages wirelessly. To setup this connection method, you need the following components:

Figure 1/b - Prerequisites for Ozeki NG SMS Gateway GSM modem connection

	SIM Card - You can get this from your local mobile network operator.*
	Modem - Use a Wavecom, Siemens or Multitech modem.
	Data cable - Comes with the modem
	Computer - Recommended: Intel P4 3Ghz, 2GB RAM, 500MB HDD, Windows OS
	Ozeki NG SMS Gateway - Download it from http://www.sms-integration.com
	AppServ

Ozeki NG SMS Gateway can be obtained by opening the download page: Download Ozeki NG SMS Gateway!

System architecture

If you meet the above mentioned system requirements, you can start to setup your SMS system to send one-time passwords. It will work as follows: First you need to log into your PHP site with a username and password. After this login the PHP script sends your one-time password to the phone number that is assigned to your username through Ozeki NG SMS Gateway. A site will appear with a form in which you need to type in the sent one-time password. If you provide your password properly, you can enter the protected site. The SMS gateway forwards the one-time password to the mobile network with the help of a GSM modem attached to the computer or it connects directly to the SMS center of the mobile service provider. You can examine how to send one-time passwords with Ozeki NG SMS Gateway in Figure 1.

Figure 2 - Ozeki NG SMS Gateway - solution for how to send One-Time Passwords via PHP

Please note that it is more secure to send the one time passwords using a GSM modem through the airwaves to the recipient, than through an Internet based SMS service provider account, because it is significantly harder to intercept an SMS message traveling through the air, than it is to intercept internet traffic.

How to implement this solution

To send one-time passwords via PHP with Ozeki NG SMS Gateway, you need to do the follows. First download the PHP source code. Save it into your webserver and after you save it, you can use a browser (Internet Explorer or Firefox) to open it. A form will appear in which you need to provide your username and password. After the login a one-time password will be generated and sent to you. An other site is opened and here you need to provide the sent password.

Download: PHP-One-Time-Password-example.zip (3 Kb) (Source code included)

PHP OTP example code:

<?php ################################## ##     OZEKI ONE-TIME PASSWORD EXAMPLE     ## ################################## ################################## ##         STARTING THE SESSION AND THE        ## ##         SESSION EXPIRES IN 6 MINUTES          ## ################################## session_start(); session_set_cookie_params(360); ################################## ##      USERNAME AND PASSWORD ARRAYS      ## ################################## $user = array( 'user1' => 'qwe123', 'scott' => 'tiger', 'john' => 'pinball', ); $phone = array( 'user1' => '+36301234567', 'scott' => '+36202222222', 'john' => '+36707777777', ); ##################################### ##   Login information for OZEKI NG - SMS Gateway  ## ##################################### $ozeki_user = "admin"; $ozeki_password = "abc123"; $ozeki_url = "http://127.0.0.1:9501/api?"; ################################### ##     Functions used to send the SMS message    ## ################################### function httpRequest($url){ $pattern = "/http...([0-9a-zA-Z-.]*).([0-9]*).(.*)/"; preg_match($pattern,$url,$args); $in = ""; $fp = fsockopen("$args[1]", $args[2], $errno, $errstr, 30); if (!$fp) { return("$errstr ($errno)"); } else { $out = "GET /$args[3] HTTP/1.1\r\n"; $out .= "Host: $args[1]:$args[2]\r\n"; $out .= "User-agent: Ozeki PHP client\r\n"; $out .= "Accept: */*\r\n"; $out .= "Connection: Close\r\n\r\n"; fwrite($fp, $out); while (!feof($fp)) { $in.=fgets($fp, 128); } } fclose($fp); return($in); } function ozekiSend($phone, $msg, $debug=false){ global $ozeki_user,$ozeki_password,$ozeki_url; $url = 'username='.$ozeki_user; $url.= '&password='.$ozeki_password; $url.= '&action=sendmessage'; $url.= '&messagetype=SMS:TEXT'; $url.= '&recipient='.urlencode($phone); $url.= '&messagedata='.urlencode($msg); $urltouse = $ozeki_url.$url; //if ($debug) { echo "Request: <br>$urltouse<br><br>"; } //Open the URL to send the message $response = httpRequest($urltouse); if ($debug) { echo "Response: <br><pre>". str_replace(array("<",">"),array("<",">"),$response). "</pre><br>"; } return($response); } ###################################### ##   FUNCTION TO GENERATE ONE-TIME PASSWORD   ## ###################################### function ozekiOTP($length = 8, $chars = 'abcdefghijklmnopqrstuvwxyz1234567890') { $chars_length = (strlen($chars) - 1); $string = $chars{rand(0, $chars_length)}; for ($i = 1; $i < $length; $i = strlen($string)) { $r = $chars{rand(0, $chars_length)}; if ($r != $string{$i - 1}) $string .= $r; } return $string;} ########################################## ##   IF DEBUG VARIABLE IS TRUE, THE RESPONSE OF THE   ## ##     HTTP REQUEST WILL BE WRITTEN TO THE SCREEN     ## ########################################## $debug = false; #################################### ##    IF NOT POSTED ANYTHING YET, THE LOGIN    ## ##                     PAGE IS LOADING                       ## #################################### if (empty($_POST)){ $i=0; echo(' <html> <body> <h1>One Time Password Form</h1> <form method="POST"> <table border=1> <tr> <td>Username:</td> <td><input type="text" name="username"></td> </tr> <tr> <td>Password</td> <td><input type="password" name="password"></textarea></td> </tr> <tr> <td> </td> <td><input type=submit name=submit value="Get Otp" OnClick="ozekiSend(this.form);"></td> </tr> </table> </form> </body> </html>');} ####################################### ##      IF OTP HAS POSTED YET, ozekiOTP FUNCTION     ## ##                        WILL GENERATE ONE                      ## ####################################### if (empty($_POST['otphtml'])){ $_SESSION['otp']=ozekiOTP(); ############################# ##     CHECKING USER CREDENTIALS     ## ############################# if ($password!=$user[$username] || ((empty($_POST['username']) && (!empty($_POST['password'])))) || (empty($_POST['password']) && (!empty($_POST['username'])))) echo ('Please enter a valid username or password!'); elseif ((!empty($_POST['submit'])) && (empty($_POST['password'])) && (empty($_POST['username']))) echo ('No username or password entered'); elseif($password=$user[$username]){ ################################### ##    SENDING THE PASSWORD AND LOADING     ## ##               THE OTP-VERIFYING PAGE               ## ################################### ozekiSend($phone[$_POST['username']],'Dear '.$username.'! Your One-Time password is: '.$_SESSION['otp'],$debug); echo (' <html> <body> <h1>Please enter your One-Time password to enter the site!</h1> <form method="POST"> <table border=1> <tr> <td>Your One-time password:</td> <td><input type="text" name="otphtml"></td> </tr> <tr> <td> </td> <td><input type=submit name=submit value="Confirm OTP"></td> </tr> </table> </form> </body> </html>'); }} else{ ############################################ ##   IF AN OTP HAS ALREADY SENT, CHECKING ITS VALIDITY   ## ##        AND REDIRECTING TO THE PROTECTED CONTENT        ## ############################################ $ozotp=$_POST['otphtml']; include('protectedcontent.php');} ?>

After you have provided your received one-time password, you will be redirected to the protected content with the help of the include () function. The following PHP code shows the protected PHP content.

<?php ############################### ##          IF YOUR OTP IS CORRECT,           ## ##   THE PROTECTED CONTENT APPEARS    ## ############################### if ($_SESSION['otp']==$ozotp){             echo('<html>          <body><h2>You\'ve been successfully verified your One-Time Password</h2></body>         </html>');}       ################################# ##              IF YOUR OTP IS INCORRECT          ## ##        YOUR REQUEST WILL BE DENIED         ## ##   AND "WRONG PASSWORD" WILL APPEAR  ## ################################# else { echo('<html>         <body><h2>Wrong Password!</h2></body>         </html>');}                            ?>

Conclusion

To summarize the above mentioned, it is the best solution if you use Ozeki NG SMS Gateway to send one-time passwords from PHP. This functionality is based on two factor authentication which makes it possible to setup a high secure IT environment. Due to SMS technology, your one-time passwords are sent as SMS messages to further increase security as only the intended people will receive them. In this way no unauthorized person gain access to corporate data. You can still improve reliability and security of this SMS system if you apply a GSM modem attached to the computer with a data cable. This GSM modem connectivity is more secure than sending SMS messages over the Internet. If you decide to implement this solution you will get a stable, reliable and effective authentication system with the highest quality.

• If you have not downloaded Ozeki NG SMS Gateway, you can do it now if you go to our product pages.
• If you wish to learn more about connection possibilities, please go to GSM modem vs IP SMS connection page
• Please find how to benefit from implementing SMS solutions in your business on SMS solutions for businesses page
• FAQ
• Feature list of Ozeki NG SMS Gateway
• User Guide for Ozeki NG SMS Gateway
• Product manual

Request more information

If you are interested in this solution, let us know, so we can send you more relevant information and quotation with prices. Please fill in the following form: