I recently implemented TOTP authentication[1] for a webapp of mine. Then I decided to extract it into its own web service offering, because I thought it was one of those things that was easy for people to implement insecurely if they weren't careful.
This is the V1. I'm trying to get a sense of whether implementing TOTP auth is a pain point for anyone and to develop this project further.
The way it works is that you redirect your website's users to it for authentication or master secret provisioning, and it redirects them back to you with a pass/fail response when done.
[1] http://en.wikipedia.org/wiki/Time-based_One-time_Password_Al...