Production-ready One-Time-Password (OTP) Library?

Hello folks,

I am currently learning rust and really enjoying everything so far :slight_smile: Most intriguing are the almost unbelievably fast web servers you are able to build with rust. I am currently interested in a production-ready (meaning battle-tested & correct) One-Time-Password (OTP) library. Security is of the utmost importance, the library should be reliable if I manage yo implement it correctly.

I don't want to sound to all-demanding or arrogant, I am very curious about the current state-of-art in Rust and very happy to contribute to a crate if there is no mature implementation.

Currently I have found out about these three libraries:

I have no idea and experience in how to look for rust crates. I am probably being an idiot in not finding the best ones here.

Anyhow, any help is appreciated. Thank you.

Recently I wrote CLI utility to get my OTP password for github from console.
In scope of it I have to create my own crate https://crates.io/crates/otpshka because at the time most libraries were some mess

It is very minimal crate that only implements password generation itself as per RFC.

When it comes to reliable library you have to inspect code itself.
rust-otp looks something simple too

1 Like

Thank you for your answer! :slight_smile:

Your crate looks nice, but I was looking for something that has been deployed to production before.

Trussed might be something for you.
They say it's "very much WIP" but I guess this statement is only about API-stability as it is actually used in (security-) products.

In the announcement blog post they say that both Solokeys and Nitrokey are invested in this so it seems unlikely that it will be abandoned any time soon.

1 Like

Thanks, I looked into that and that seems like something that I am looking for.

In the meantime, I have found multiple rust repositories that are relevant for crypto stuff: Rust Crypto ยท GitHub

I do not think you'll be able to find library that is already deployed in production.
OTP is very simple algorithm, it doesn't even require having a separate library so you might as well implement it yourself.

For cryptographic algorithms I suggest to use ring rather than rust-crypto

1 Like