Overview#A One-time password device tokens or OTP is a Token that is typically a personal hardware device or software application that generates "One-Time password" for use in Authentication. The device may or may not have some kind of integral entry pad, an integral biometric (e.g., fingerprint) reader or a direct computer interface (e.g., USB port).
The passwords, according to NIST as described in NIST Electronic Authentication Guideline shall be generated by using an Approved block cipher or hash algorithm to combine a symmetric key stored on a personal hardware device with a nonce to generate a One-time password device tokens.
The nonce may be a date and time, a counter generated on the device, or a challenge from the verifier (if the device has an entry capability).
One-time password device tokens typically is displayed on the device and manually input to the verifier as a password (direct electronic input from the device to a computer is also allowed). The One-time password device tokens must have a limited lifetime, on the order of minutes, although the shorter the better.
- One-time password device tokens are passwords that are valid for a single login or transaction.
- One-time password device tokens can be generated based on an algorithm that derives each next password from the previous one, or by using some sort of challenge-response mechanism.
- One-time password device tokens can be generated based on use a shared secret, called a seed, along with some dynamic value such as a counter or a value derived from the current time.
- One-time password device tokens generation based on a shared seed is usually fairly easy to implement, the dynamic values at the One-time password device tokens (called a prover) and the verifier (authentication server) can get out of sync and validation algorithms need to account for that.
Many One-time password device tokens schemes are proprietary and incompatible with each other.
Fortunately, widely adopted open standards exist as well, most notably the
More Information#There might be more information for this subject on one of the following:
- [#1] - http://blog.securism.com/2009/01/summarizing-pki-certificate-validation/ - based on 2013-04-10