security

Definition

One-Time Password Generator

A one-time password generator is a mechanism by which the user and the authentication server compute a password on the fly during the authentication process.

Cryptographic algorithms — hash functions or encryption schemes — are used to generate short-lived one-time passwords.

Properties

Time-Dependent

The value of the one-time password generally depends on the time at which it is generated.

Computation on User Side

On the user’s side, the password is computed on specialised hardware (hardware tokens) or by generator apps installed on a smartphone.

Implementations

Hash-Based

where is a hash function and is a user-specific secret.

Encryption-Based

where is a symmetric encryption scheme with key .

Secret Derivation

User-Specific Secret

Both user and server share the user-specific secret . To avoid storing a separate secret for every user, is typically generated by combining some user-specific information with a master key — for example, by hashing the concatenation of the username and the master key.

Validation

Server Verification

The server computes multiple candidate one-time passwords (for example, those generated in the last five minutes) and accepts the authentication if any of these matches the value provided by the user.
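The hash-based generator, the master-key secret derivation and the windowed server check described above, put together as one added example (not code from the original page). It assumes a 30-second time slot, 6-digit passwords and a five-minute acceptance window; the secret is derived as H(username || master key) as the text describes, and the per-slot password uses HMAC-SHA256 over the secret and slot number rather than a plain hash of their concatenation, which is this example's choice. The constants, function names and the demo username are constructed for illustration.

```python
import hashlib
import hmac
import time

# Constructed parameters for the demonstration (not from the page).
MASTER_KEY = b"demo-master-key-do-not-use"   # one server-side master key
STEP_SECONDS = 30                            # width of one time slot
WINDOW_SECONDS = 300                         # accept candidates from the last five minutes
DIGITS = 6                                   # length of the displayed password


def derive_user_secret(username: str, master_key: bytes) -> bytes:
    """User-specific secret = H(username || master_key).

    The server stores only the master key; every user's secret is
    recomputed from it on demand.
    """
    return hashlib.sha256(username.encode("utf-8") + master_key).digest()


def time_slot(t: float) -> int:
    """Map a Unix timestamp to the integer slot the password depends on."""
    return int(t // STEP_SECONDS)


def generate_otp(secret: bytes, slot: int) -> str:
    """Hash-based OTP for one slot: HMAC(secret, slot), truncated to DIGITS digits.

    This is the computation the user's token or app performs.
    """
    digest = hmac.new(secret, slot.to_bytes(8, "big"), hashlib.sha256).digest()
    value = int.from_bytes(digest[:4], "big") % 10**DIGITS
    return str(value).zfill(DIGITS)


def verify_otp(username: str, candidate: str, now: float,
               master_key: bytes = MASTER_KEY) -> bool:
    """Server side: recompute every candidate in the window and accept any match.

    The loop does not exit early and uses a constant-time comparison, so
    response timing does not reveal which slot (if any) matched.
    """
    secret = derive_user_secret(username, master_key)
    current = time_slot(now)
    slots_back = WINDOW_SECONDS // STEP_SECONDS
    accepted = False
    for slot in range(current - slots_back, current + 1):
        expected = generate_otp(secret, slot)
        accepted |= hmac.compare_digest(expected, candidate)
    return accepted


if __name__ == "__main__":
    now = time.time()
    user = "alice"   # constructed demo username
    # What the user's generator shows right now:
    otp = generate_otp(derive_user_secret(user, MASTER_KEY), time_slot(now))
    print("current OTP for", user, "is", otp)
    print("accepted now:", verify_otp(user, otp, now))
    print("accepted 10 minutes later:", verify_otp(user, otp, now + 600))
```

Because the server re-derives the secret from the master key on every check, compromise of the master key exposes every user's secret at once; the page's scheme trades per-user storage for that single high-value key, so it belongs in an HSM or equivalent rather than in application configuration.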