We’ve built a two-factor authentication process for our web application. We’ve built a small standalone app that generates an 8-digit security code every minute. When a user logs in they are prompted for the security code. When submitted, the web app generates the security code on its end and compares it to the security code entered. If the two are equal then the user is allowed into the application. This is used like an RSA token.
However, I am using atomic clock servers to make sure the security code generation is the same for both the USB app and the web app, as time zones and clock syncing pose an issue. This is a pain not only because the servers can sometimes be unreliable, but we also have to add in firewall rules to allow us to hit the specific atomic clocks. Is there a secure way to do this without using a remote atomic clock?
You don’t need a precise clock, but rather the same value. So expose some sort of “current time” service from the same web app (i.e. a basic HTTP GET “/currenttime” with a JSON response) and query it from the USB app. In this case you will only need to synchronize time between the servers serving the app (if you have more than one).
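The following is an added example, not code from the question or the answer, of the scheme the answer describes: the web app publishes its own clock as JSON, the client derives the one-minute step counter from that JSON, and the server checks the submitted code against the same counter. Since the page does not say how the 8-digit code is derived from the time, the example assumes it is an HMAC of the step counter under a shared secret (RFC 4226/6238-style truncation); the secret value, the `/currenttime` JSON shape and the `epoch` field name are assumptions, and the constructed timestamps stand in for real clocks. It also generalises slightly: the verifier accepts one step either side of the current one, so the seconds that pass between fetching `/currenttime`, showing the code and the user typing it do not cause a spurious rejection.

```python
import hashlib
import hmac
import json
import struct
import time

STEP_SECONDS = 60   # the question's "every minute"
CODE_DIGITS = 8     # the question's 8-digit code

# Constructed demo secret (assumption: the page does not mention a secret).
# In practice this is provisioned per device and never leaves the server and the device.
SHARED_SECRET = b"example-shared-secret-do-not-reuse"


def current_time_response(now=None):
    """Server side: body returned by the answer's hypothetical GET /currenttime."""
    if now is None:
        now = time.time()
    return json.dumps({"epoch": int(now)})


def counter_from_response(body):
    """Client (USB app) side: turn the server's JSON into the current time-step counter."""
    epoch = json.loads(body)["epoch"]
    return epoch // STEP_SECONDS


def security_code(secret, counter, digits=CODE_DIGITS):
    """Code for one time step: HMAC-SHA1 of the counter, dynamically truncated to `digits` digits.
    The unpredictability comes from `secret`; the counter itself is public."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def verify_code(secret, submitted, server_now, skew_steps=1):
    """Server side: accept the code for the current step or its immediate neighbours.
    The window absorbs the delay between the client fetching /currenttime and the
    user submitting the code; the comparison is constant-time."""
    current = int(server_now) // STEP_SECONDS
    for counter in range(current - skew_steps, current + skew_steps + 1):
        if hmac.compare_digest(security_code(secret, counter), submitted):
            return True
    return False


def simulate_login(secret, issue_time, submit_time):
    """End-to-end flow on constructed timestamps: client fetches the server clock at
    issue_time, derives its code, and the server verifies it at submit_time."""
    body = current_time_response(issue_time)            # what /currenttime returned
    code = security_code(secret, counter_from_response(body))
    return verify_code(secret, code, submit_time)


if __name__ == "__main__":
    t0 = 1_700_000_000  # constructed epoch second
    print("same minute:          ", simulate_login(SHARED_SECRET, t0, t0 + 20))
    print("crossed one boundary: ", simulate_login(SHARED_SECRET, t0, t0 + 90))
    print("three minutes late:   ", simulate_login(SHARED_SECRET, t0, t0 + 180))
```

Because both sides read the same clock, the only drift left is the interval between fetching the time and submitting the code, which the one-step window covers; widening `skew_steps` beyond that only enlarges the set of codes an attacker could guess in a given minute. The endpoint itself reveals nothing sensitive (the server time is public), so the design stands or falls on keeping the shared secret out of reach, and on the client actually fetching from the genuine web app over TLS rather than trusting an unauthenticated time source.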