How you can protect your Drupal account login if you have to access your site from all kind of hostile locations? Even if you do it over HTTPS, a "bad dude" can look over your shoulder and steal your password. The only real answer is to employ some sort of a multi-factor authentication and/or an authentication that rely on one-time passwords. I was not able to find anything readily available, so I decided to create a new module. FACTOR TWO is the result of my efforts.
FACTOR TWO (F2) is the combination of a Drupal 7 module and an HTML5 mobile application (implemented with Sencha Touch). F2 provides a two factor authentication to any Drupal 7 web site. If the F2 module is enabled for a given Drupal account, it becomes necessary to provide one additional piece of information ("factor") in order to login to this account. "Factor" could be provided either automatically by pushing single button on the F2 Mobile App or it could be entered manually (along with login and password). You can take a look at this video to get a better idea of what the F2 is and how to use it.
The idea is quite simple. During a setup phase a random pin number gets generated and shared between the Drupal F2 module and the F2 Mobile App.
On each side (Drupal and Mobile App), SeedHash() function gets applied to the pin to produce an initial generation of the key. During each login attempt, the new generation of the key gets produced by applying Hash() function.
When it is time to login, a predefined sub-set of the current generation of the key becomes the "factor". If the "factor" generated on the web server side(by Drupal module) matches with the factor generated on the Mobile App side, then the person can login.
Due to the fact that only a portion of the key is used as the factor ( == travel over wild internet ), it is not important to keep the "factor" secret. Even if it gets intercepted it can not be reused and it will not provide enough information to help the "bad dude" to "guess" the key.
Any kind of hash function could be employed. The current implementation of F2 uses SHA256 (on Mobile App side I am using code from the brilliant crypto-js project ). SeedHash() function uses current time to "salt" an initial pin and then use Hash() to produce an initial key. One important side effect of this is that you have to have the machine clock on your Drupal site to be reasonably accurate ( F2 should be OK as soon as the clock difference between the Drupal site and your phone is less than 1 min).
Share and enjoy!