Implement extension for logging in with OTP

[Nicklas Nordborg]

Inspired by ​https://freeotp.github.io/ which is a standard way of generating one-time password codes. The codes would make it harder for an attacker to access an account if the regular password is lost. The login form need to have three fields (currently not supported by BASE).

The extension need a way to store the secret key in the BASE database. This can already be done using the "extended properties" mechanism. The drawback is that this information is displayed in the web interface which is not so good. We either need to store the secret key in some other place or we need to implement support for "hidden extended properties" in BASE.

Initial setup is maybe the most challenging issue. The user should be able to enable OTP and generate a secret key in some way. The level of enforcement should be configurable by the server admin. We need at least:

• Be able to specify applications that should never use OTP at all (for example, it is not possible with the FTP server extension).
• Be able to specify applications that are required to use OTP (inluding the web client).
• To enable new users to setup OTP in the case the web client is locked down the extension should implement a special "Create OTP" page where the user can set this. It's is kind of a separate login page that can only be used once.
• The server admin should be able to reset (=remove) the stored secret key. If this is initiated by a request from the user it is important that the identity is verified, since otherwise a hacker that happens to get hold of the password could ask for a reset and then generate a new OTP locking the real user out.

Links:

• The TOTP specification allows for different hashing algorithms (SHA1, SHA256 and SHA512). It seems like many implementations only support SHA1. Is there any downside to this and should we spend time to support more than SHA1? I think not... ​https://www.quora.com/Why-is-the-SHA1-algorithm-still-being-used-with-2FA-codes-instead-of-SHA2

[Nicklas Nordborg]

(In [4845]) References #1055: Implement extension for logging in with OTP

Adding Eclipse project files and some additional source code folders.

[Nicklas Nordborg]

(In [4846]) References #1055: Implement extension for logging in with OTP

Adding some code, the build file and some other requried files (META-INF folder) to make compilation and packaging work.

[Nicklas Nordborg]

(In [4847]) References #1055: Implement extension for logging in with OTP

Proof-of-concent code. Basic structure is inspiered by the YubiKey extension. The password field has been replaced with an OTP field. The secret key is currently hard-coded and all user can log in with the same OTP generator.