One Time Passwords. Using OTP at Windows, Ubuntu and internet sites

OPIE Authentication System ("One time Passwords In Everything") works on most any BSD/Linux/Unix system - e.g. opie-server and opie-client packages under Ubuntu. It can be used e.g. in PAM authentication or for web servers. There are clients (at least) for Windows and MacOS also.

If a site is a "relying party" for some sort of federated authentication (e.g. OAuth, OpenID, Shibboleth, SAML) you can use OTP once to log in to an identity provider that supports it, and use what are essentially one-time credentials from them to log in to the site.
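The OPIE mechanism mentioned above, as an added example that is not code from the original post or from the OPIE project: a simplified S/Key-style hash chain in which the server stores only the current chain head, never the passphrase, and each password is accepted exactly once. Assumptions: full SHA-256 is used instead of OPIE's 64-bit folded MD5/SHA-1, and OTPs are passed as raw bytes rather than the six-word encoding.

```python
import hashlib
import hmac

# Simplified one-time password chain in the spirit of OPIE / S/Key.
# Assumption: SHA-256 stands in for OPIE's folded MD5/SHA-1 and the OTP
# is handled as raw bytes rather than OPIE's six-word encoding.
# The server keeps hash^seq(seed || passphrase); the client answers a
# challenge for sequence seq-1 with hash^(seq-1)(seed || passphrase);
# the server checks hash(otp) == stored, then stores otp and decrements.


def h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def chain(seed: str, passphrase: str, n: int) -> bytes:
    """Client side: compute hash^n(seed || passphrase)."""
    x = (seed + passphrase).encode()
    for _ in range(n):
        x = h(x)
    return x


class OpieServer:
    """Per-user state: seed, sequence number, last accepted hash."""

    def __init__(self, seed: str, passphrase: str, count: int):
        self.seed = seed
        self.seq = count  # stored value is hash^count; next OTP is hash^(count-1)
        self.last = chain(seed, passphrase, count)  # passphrase is then discarded

    def challenge(self):
        """What the server prompts with: the sequence number and seed."""
        return self.seq - 1, self.seed

    def verify(self, otp: bytes) -> bool:
        # Sequence 0 would be the bare secret: chain exhausted, user must
        # re-initialise with a fresh seed/passphrase before that point.
        if self.seq <= 1:
            return False
        if not hmac.compare_digest(h(otp), self.last):
            return False
        # Accept and advance: a replay of this otp now fails because
        # h(otp) != otp, which is what makes the password one-time.
        self.last = otp
        self.seq -= 1
        return True
```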


Some background:

Protocols: RADIUS, LDAP, SAML, OATH. RADIUS is great for internal use (LDAP is more of a directory protocol than an auth, IMO) and the last two are designed for external/internet auth. Choose an internal protocol and then an external method. Limiting yourself in this way keeps it clean and helps you to learn.

First, Ubuntu: that's easy. You just need to learn a little bit about PAM, the Pluggable Authentication Module. PAM supports a bunch of protocols. Build the library for your protocol and then edit the services files in /etc/pam.d/. So, sshd, login, su, sudo, whatever. Here's a doc on how to add two-factor authentication to SSH: http://www.wikidsystems.com/support/wikid-support-center/how-to/how-to-secure-ssh-with-two-factor-authentication-from-wikid/. Just do the same for login, and you should be good. One caveat: leave a way to get in! You don't want to be locked out. This is one reason why most companies only worry about remote access and not local access.

Windows login: This means changing the Windows login or GINA. Do this at your own risk as well. Check out the open-source pGina project. I tested this with WiKID using RADIUS on Windows XP a long time ago and it worked great. But none of our customers implemented this because of the risk of lock-out and potential support costs.

Websites: Increasingly companies are separating "login creds" from "accounts" and seeing that they can get more of the latter if they let someone else handle the former. Hooray. However, not all the authenticating parties are doing two-factor auth. Google is the only one. You may not be comfortable with Google knowing your every login, though, and you might want a server that you can control and use for other services too.

If so, our open-source version includes a plugin for GoogleSSO for Google Domains: http://www.wikidsystems.com/support/wikid-support-center/how-to/how-to-wikid-strong-authentication-to-google-apps-for-your-domain/.


You could try a Yubikey (http://www.yubico.com/yubikey) as a reasonably priced alternative for the second of your problems, provided the site supports OAUTH. This is an OTP solution, keyed off an AES counter, that is implemented as a USB keyboard (so drivers are seldom needed).