This page (revision-1) was last changed on 29-Nov-2024 16:16 by UnknownAuthor

!!! Overview
A [{$pagename}] or [OTP] is a [Token] that is typically a personal hardware device or software application that generates a "[One-Time password]" for use in [Authentication]. The device may or may not have some kind of integral entry pad, an integral biometric (e.g., fingerprint) reader or a direct computer interface (e.g., USB port).
According to [NIST], as described in the [NIST Electronic Authentication Guideline], the passwords shall be generated by using an Approved block cipher or hash algorithm to combine a symmetric key stored on a personal hardware device with a [nonce] to generate a [{$pagename}].
The [nonce] may be a date and time, a counter generated on the device, or a challenge from the verifier (if the device has an entry capability).
The [{$pagename}] is typically displayed on the device and manually input to the verifier as a password (direct electronic input from the device to a computer is also allowed). The [{$pagename}] must have a limited lifetime, on the order of minutes, although the shorter the better.
* [{$pagename}] are [passwords] that are valid for a single login or transaction.
* [{$pagename}] can be generated based on an algorithm that derives each next [password] from the previous one, or by using some sort of challenge-response mechanism.
* [{$pagename}] can be generated based on a shared secret, called a seed, along with some dynamic value such as a counter or a value derived from the current time.
* [{$pagename}] generation based on a shared seed is usually fairly easy to implement, but the dynamic values at the [{$pagename}] (called a prover) and at the verifier (authentication server) can get out of sync, so validation algorithms need to account for that.
Many [{$pagename}] schemes are proprietary and incompatible with each other.
Fortunately, widely adopted open standards exist as well, most notably:
* [HMAC-based One Time Password Algorithm|HMAC-based One-Time Password Algorithm] ([HOTP])
* [Time-based One-time Password Algorithm] ([TOTP])
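The following is an added example, not code from this page or from either RFC: it implements the seed-plus-nonce construction described above as [HOTP] (counter nonce) and [TOTP] (time nonce), and shows how a verifier can tolerate the prover/verifier desynchronisation the list mentions with a bounded look-ahead window while still rejecting replayed codes. The seed value is the public RFC 4226 / RFC 6238 test-vector key.

```python
import hashlib
import hmac
import struct


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 of the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # low nibble of the last byte selects a 4-byte window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(seed: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP where the counter is the number of elapsed time steps."""
    return hotp(seed, unix_time // step, digits)


class HotpVerifier:
    """Authentication-server side of the counter-based scheme. The prover may generate
    codes the server never sees, so the server tries a bounded number of future
    counters; after a match it advances past the accepted counter so that the same
    code (or any older one) can never be accepted again."""

    def __init__(self, seed: bytes, look_ahead: int = 5):
        self.seed, self.look_ahead = seed, look_ahead
        self.counter = -1                        # highest counter accepted so far

    def verify(self, code: str) -> bool:
        for c in range(self.counter + 1, self.counter + 1 + self.look_ahead):
            if hmac.compare_digest(hotp(self.seed, c), code):
                self.counter = c
                return True
        return False


def verify_totp(seed: bytes, code: str, now: int, step: int = 30, skew: int = 1):
    """Time-based check tolerating +/- `skew` steps of clock drift between prover and
    verifier. Returns the matching step (the server should persist it and refuse that
    step a second time, so a code is valid for a single login) or None."""
    t = now // step
    for candidate in range(t - skew, t + skew + 1):
        if hmac.compare_digest(hotp(seed, candidate), code):
            return candidate
    return None


if __name__ == "__main__":
    SEED = b"12345678901234567890"               # RFC 4226 / RFC 6238 test-vector seed
    print(hotp(SEED, 0), totp(SEED, 59, digits=8))   # 755224 94287082
```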
!! More Information
There might be more information for this subject on one of the following:
[{ReferringPagesPlugin before='*' after='\n' }]