The purpose of a one-time password (OTP) is to make it more difficult to gain unauthorized access to restricted resources, like a computer account. Traditionally static passwords can more easily be accessed by an unauthorized intruder given enough attempts and time. By constantly altering the password, as is done with a one-time password, this risk can be greatly reduced.

There are basically five types of one-time passwords: the first type uses a mathematical algorithm to generate a new password based on the previous, a second type that is based on time-synchronization between the authentication server and the client providing the password, and a third type that is again using a mathematical algorithm, but the new password is based on a challenge (e.g., a random number chosen by the authentication server or transaction details) and a counter instead of being based on the previous password. Another type uses a list of passwords printed on paper. Yet another type uses cell phones as an out-of-band method for transmitting one-time passwords.

## Implementation of a mathematical algorithm type OTP

One approach, credited to Leslie Lamport, uses a one-way function (call it f). The one-time password system works by starting with an initial seed s, then generating passwords

f(s), f(f(s)), f(f(f(s))), ...

as many times as necessary. If an indefinite series of passwords is wanted, a new seed value can be chosen after the set for s is exhausted. Each password is then dispensed in reverse, with f(f(...f(s))...) first, to f(s).

If an intruder happens to see the one one-time password, he may have access for one time period or login, but it becomes useless once that period expires. To get the next password in the series from the previous passwords, one needs to find a way of calculating the inverse function f-1. Since f was chosen to be one-way, this is extremely difficult to do. If f is a cryptographic hash function, which is generally the case, it is (so far as is known) a computationally infeasible task.

## Implementation of a time-synchronized type OTP

RSA SecurID tokens.

The time-synchronized one-time passwords are usually related to physical hardware tokens (e.g., each user is given a personal token that generates a one-time password). Inside the token is an accurate clock that has been synchronized with the clock on the authentication server. On these OTP systems, time is an important part of the password algorithm since the generation of new passwords is based on the current time rather than the previous password or a secret key.

Mobile phones and PDAs can also be used to generate a time-synchronised one-time password. This approach could be a more cost effective alternative since most Internet users already have mobile phones. Additionally, this approach could be more convenient since the user would not need to carry around a separate hardware token for each security domain to which he or she requires access.

Entrust IdentityGuard Mini Token

## Implementation of a challenge type OTP

The use of one-time passwords (OTP) require a user to provide a time-synchronized challenge to be properly authenticated. This can be done by inputting the value into the token itself. To avoid duplicates, an additional counter is usually involved, so if one happens to get the same challenge twice, this still results in different one-time passwords. However, the computation does not usually involve the previous one-time password as this would lead to synchronization problems. EMV is starting to use such a system (called "Chip Authentication Program") for credit cards in Europe.

## Implementation of a transaction authentication number type OTP

A transaction authentication number (TAN) is used by some online banking services as a form of single use one-time passwords to authorize financial transactions.

In a typical TAN system, a customer goes to his bank, identifies himself. The bank prints out, on paper, a numbered list of 50 unique randomly generated passwords (e.g. 6-digit numbers), and gives it to the customer. Once home, the customer "signs" an online banking transaction with the password (TAN) belonging to the requested list number, and crosses it out. The bank verifies the TAN submitted against the list of TANs they issued to the user. If it is a match, the transaction is processed. If it is not a match, the transaction is rejected. The submitted TAN has now been consumed and will not be recognized for any further transactions.

## Implementation OTP over SMS

A common technology used for the delivery of OTPs is short message service (SMS). Because SMS is a ubiquitous communication channel, being available in all handsets and with a large customer-base, SMS messaging has the greatest potential to reach all consumers with a low total cost of ownership. Tokens, smart cards and other traditional authentication methods are more costly to implement, pricey to maintain and frequently resisted by consumers. They are also vulnerable to man-in-the-middle attacks, in which phishers hijack online sessions by tricking customers into providing one-time-PINs generated by tokens or smart cards. Also tokens can be lost, and integrating OTPs into mobile might be[who?] more secure and simpler, because consumers do not have to carry an extra portable device.

## Comparison of technologies

There are some obvious cost-saving benefits to time-synchronized OTPs as users tend to generate a password and not use it or type it incorrectly. Doing so on an OTP system that is not time-synchronized will cause the client to become unsynchronized with the authentication server; the result of this is the added expense of re-issuing new clients. Alternatively, the server needs to take that issue into account (by ignoring bad passwords and by accepting any out of the next e.g. ten passwords, instead of just the next one, possibly also by adding a resynchronisation mechanism), so there is an extra effort in implementation, which might e.g. affect the price of the server system, but can avoid synchronization problems.

On the other hand, there are some obvious cost-saving benefits to non time-synchronized OTPS as the hardware token does not need a clock, so it especially does not need to be continually powered, so a battery should last much longer.

In sum, for a large installation, one would expect time-synchronized OTPs to be the more expensive choice, as any additional cost to the non-time-synchronized server should be outweighed by the more expensive and less durable individual tokens.

One-time passwords that are not time-synchronized are also vulnerable to phishing. In late 2005 customers of a Swedish bank were tricked into giving up their one-time passwords (The Register article). However, even time-synchronized one-time passwords are vulnerable to phishing, if the password is used quickly enough by the attacker. This could be seen in 2006 by the attack on customers of a US bank (Washington Post Security Blog). Basically, the user of such a system must be aware that he is vulnerable to man-in-the-middle attacks and should never give his one-time passwords to any third parties. Whether or not the one-time passwords are time-synchronized is basically irrelevant for the degree of vulnerability. This is also true for the challenge-based one-time passwords, although here you need to slightly expand the mentioned attack on time-synchronized passwords to a full man-in-the-middle attack, while the one observed for the time-synchronized passwords is a very slightly simplified attack of that type.

Standardization is a good thing. Most good time-synchronized OTP technologies are patented and are not available for sharing with the general public. Mathematical algorithm type OTPs are a good substitute though, especially since many security specialists frown upon the principle Security through obscurity which is often used for the time-synchronized one-time passwords, while the other two types of one-time passwords can and often do rely on cryptographic algorithms that are commonly accepted as secure.

## Related technologies

More often than not, one-time passwords are an embodiment of a two-factor authentication solution. Some single sign-on solutions make use of one-time passwords. One-time password technology is often used with a security token.

## Specific OTP technologies

• ZyXEL Communications Corp., provides an OTP solution for two-factor authentication with their line of Unified Service Gateway security appliances.
• S/KEY is a seminal one-time password system developed at Bellcore (now Telcordia Technologies). S/KEY is described in RFC 1760.
• RSA SecurID originally developed by SDI.
• OTPW is a one-time password login package developed by Markus Kuhn at University of Cambridge
• OTP is a system based on S/KEY, but renamed because of trademark issues associated with the S/KEY name. OTP is described in RFC 2289.
• HOTP is an HMAC-based one-time password algorithm. It is a cornerstone of Initiative For Open Authentication (OATH).
• Gemalto, Gemalto OTP solution is called Strong Authentication Server (SA Server). Many form-factor devices (smart cards, connected or disconnected devices etc.) based on OATH can be used.
• VASCO, VASCO VACMAN server with Digipass product series (hardware Digipass tokens, virtual Digipass)
• 1Key Rho. Provide OTP key generation and management for the iPhone.
• Mega AS Consulting Ltd provides OATH TOTP based solution for two-factor authentication with their line of Cellular Authentication Token (CAT) for Cellulars and different operating systems.
• YubiKey developed by Yubico is a one-time password algorithm supported with open source software libraries
• OTPauth is an open source library for using One-Time Passwords for web sites as a second authentication factor.