Show HN: TOTP authentication web service

I recently implemented TOTP authentication[1] for a webapp of mine. Then I decided to extract it into its own web service offering.

http://www.totp.me

I felt TOTP auth was one of those things that's easy to do insecurely, just as storing passwords salted and hashed correctly is.

This is the crappy V1. I'm trying to get a sense of whether this is a pain point for anyone and to keep at it.

The service doesn't give you very much control. You redirect your website's users to it for authentication or master secret provisioning, and it redirects them back to you when done with a pass/fail response. I wanted security mistakes during integration to be difficult to make.

[1] http://en.wikipedia.org/wiki/Time-based_One-time_Password_Algorithm
No comments yet