Paper-based TOTP tokens
Enterprise policies are different, and in some cases weird. In this article, we will describe a very unusual problem raised by one of our customers. In a nutshell, the organization does not allow bringing any devices onsite, no smartphones, no mobile phones, and even no hardware tokens are allowed on-premises. At the same time, the organization is using Office 365 services from Microsoft and has enforced multifactor authentication for all users to be activated.
To address this issue, our research and development team has spent some time and found a solution, which is a paper-based TOTP token. We are hereby presenting the solution, which is available for free (well, if you don’t count the paper and ink cost).
Our solution is a web-based tool that generates the list of one-time passwords (OTPs) for an arbitrary seed. The list can be printed out and handed over to the end-users to serve as their second factor for authenticating in Azure AD with multi-factor authentication enabled. To associate this paper TOTP token with a user, you can follow the same procedure as with the regular TOTP tokens.
The procedure is simple, you enter the seed and click on submit to get the list generated. You will get a printable list similar to the one shown below for the next few days. By changing the number of future OTPs you can make the list longer or shorter.
The example below shows the generated list of 1500 OTPs with a step increment of 20. This makes 2 A4 paper sheets, enough to have the second factor available for about a week.
The tool has additional settings, primarily to save paper — you can select the OTPs to be generated for working hours only. There is also a possibility to print way fewer OTPs by increasing the step increment value — you can adjust this setting to print only a couple of OTPs per hour for example and instruct the users to log in only during those time windows.
This article may look like a joke, but it is a fully functional tool that can serve as a replacement for TOTP hardware or software tokens. Using this in production would be a joke.