One-time password

From Canonica AI

Introduction

A one-time password (OTP) is a password that is valid for only one login session or transaction, on a computer system or other digital device. OTPs avoid a number of shortcomings that are associated with traditional (static) password-based authentication; a number of implementations also incorporate two-factor authentication by ensuring that the OTP requires access to something a person has (such as a small keyring fob device with the OTP calculator built into it, or a smartcard or specific cellphone) as well as something a person knows (such as a PIN).

Overview

The most important advantage that is addressed by OTPs is that, in contrast to static passwords, they are not vulnerable to replay attacks. This means that a potential intruder who manages to record an OTP that was already used to log into a service or to conduct a transaction will not be able to abuse it, since it is no longer valid. On the downside, OTPs are difficult for human beings to memorize. Therefore, they require additional technology to work.

[Figure: A small keyring fob device with a screen displaying a series of numbers, representing a one-time password.]

Types of One-Time Passwords

There are several ways to generate OTPs. Some methods use pseudorandomness or randomness, making prediction of successor OTPs by observing previous ones infeasible. The OTPs have a defined validity period after which they expire.

Time-Synchronized

A time-synchronized OTP is usually related to a piece of hardware (such as a security token) that the user possesses. This token may be a dedicated device, or a general-purpose mobile device running suitable software. The device generates OTPs from a shared secret key and the current time. The OTP is valid for a short period of time around the time of generation.

Mathematical Algorithm

A mathematical algorithm OTP is generated by applying a mathematical algorithm, such as a hash or a cryptographic function, to a shared secret key and a moving factor. The moving factor may be a time-synchronized value, a counter, or a challenge value.

HMAC-Based

HMAC-based OTPs (HOTP) are an event-based variation of OTP, where the moving factor is a counter. The counter is incremented each time an OTP is generated. The OTP is derived by computing an HMAC (HMAC-SHA1) over the counter value, keyed with the shared secret, and truncating the result to a short numeric code.

Time-Based

Time-based OTPs (TOTP) are a time-variant version of HOTP, where the moving factor is an interval of time. The OTP is generated by applying a cryptographic hash function to the shared secret key and the current time interval.

Challenge-Response

A challenge-response OTP is generated by applying a cryptographic function to a shared secret key and a challenge value. The challenge value may be a random value or a value derived from the transaction context.

Applications

One-time passwords are widely used in online banking and other services where high security is deemed necessary. They provide additional security to the traditional username/password by ensuring that, even if a user's static password is compromised, it cannot be used to gain unauthorized access to their account.

Security Considerations

While one-time passwords are a significant improvement over static passwords, they are not without their own set of security considerations. For instance, if the device used to generate the OTP is compromised or stolen, the OTP is no longer secure. Additionally, if the shared secret key used to generate the OTP is compromised, all OTPs generated using that key are compromised.
