Customization of MAC OS Credential Manager

We need modification to how the authentication takes place in MAC Operating System, just like Win7 works on the concept of Windows Credential Manager as opposed to [login to view URL] in XP and lower versions. We basically want to add another level of authentication to the Windows Logon wherein the user has to enter a One Time Passowrd (OTP) apart from his Active Directory (AD) password. This OTP will be verified by our server whereas the PAssword will be veirifed by AD (in case of windows). IF AND ONLY IF both the credentials are correct will the user get the access. Currently the user logs in as follows - 1). Select the username+Password+Active Directory DOmain to authenticate (in windows, we require it for MAC OS) We need the following setup - 1). On the initial screen user gets the option of - a). Accessing the last Active Directory domain he successfully logged on to. b). USe Other Credentials 2). User selects eithe rof "a" or "b" depending upon whether he wants to acces sthe last domain or he wants to access a new domain 3). On the next screen user get the prompt for UserName and Password 4). User enters Username in the format <Username>@<Domain> or <Domain>/<UserNAme> and enters the [login to view URL] will send the password to AD for verification (this is for windows) but will not give access to the user right away. Whether the PAssword is corerct or not he will NOT be intimated at this step. 5). We will first check whether the domain entered is configured for OTP verification or not. In case NOT then the suer will get direct access to teh system provided his passowrd for AD or Local System (<This computer> option) is correct. In case the domain is configured for OTP verification AND THE USER EXISTS following will happen - a). A new screen will come asking for users OTP. b). User will enter the OTP he has c). This OTP has to be verified by our server using a web service call . This call will hve the following featutres - i). The call will be HTTPS ii). The call will have the following format - https://www.<authserver>.com/xyzabc?Username=<Username>&Password=<OTP>&ApplicationID=WindowsLogon iii). The call will return the following values - -> TRUE - OTP is correct -> OTP is incorrect - OTP is incorrect -> User not found -> User is Locked THIS CALL WILL ONLY BE PROCESSED IF THE PASSWORD ENTERED IN STEP 4 IS CORRECT. OTHERWISE THE USER WILL GET THE SCREEN FOR OTP BUT HIS OTP WILL NOT BE PROCESSED. THE REASON BEHIND DOING THIS IS THAT WE DO NOT WANT THE USER TO EVER KNOW WHETHER HIS AD PASSWORD WAS INCORRECT OR HIS OTP WAS INCORRECT. HE WILL ALWAYS ENTER BOTH THE VALUES BUT WILL NEVER KNOW WHICH WAS INCORRECT d). If the return values is - 1). TRUE - If the UN+PWD entered in step 4 is CORRECT and the OTP returns TRUE, user will get access to the system 2). TRUE - If the UN+PWD entered in step 4 is INCORRECT user will NOT get the access and will get the following message - "Eitehr the password or the OTP enterd was incorrect. Please try again" User will be redirected to step "1)." 3). OTP is incorrect - User will get the following message - "Eitehr the password or the OTP enterd was incorrect. Please try again" User will be redirected to step "1)." 4). User is Locked - Alert the user that his account ahs been locked on the Authentication Server. Also in case the account is locked at AD level he will be alerted that his account is locked on AD level. 6). User not found - Alert the suer his account is not configured for OTP verification and ask him to contact the system administrator e). THIS FUNCTIONALITY IN ITS ENTIRETY IS REQUIRED FOR "Ctrl+Alt+Del" scenario as well. In otehr words if the user locks his screen he should go through the entire process all over again. This solution is required for - Client - MAC OS Server - Need Suggestions Skills Required: MAC operating-systems, web-services, c++, Objective C