!!! Overview

A [{$pagename}] or [OTP] is a [Token] that is typically a personal hardware device or software application that generates a "[One-Time password]" for use in [Authentication]. The device may or may not have some kind of integral entry pad, an integral biometric (e.g., fingerprint) reader or a direct computer interface (e.g., USB port).

The passwords, according to [NIST] as described in [NIST Electronic Authentication Guideline], shall be generated by using an Approved block cipher or hash algorithm to combine a symmetric key stored on a personal hardware device with a [nonce] to generate a [{$pagename}]. The [nonce] may be a date and time, a counter generated on the device, or a challenge from the verifier (if the device has an entry capability).

The [{$pagename}] is typically displayed on the device and manually input to the verifier as a password (direct electronic input from the device to a computer is also allowed). The [{$pagename}] must have a limited lifetime, on the order of minutes, although the shorter the better.

* [{$pagename}] are [passwords] that are valid for a single login or transaction.
* [{$pagename}] can be generated based on an algorithm that derives each next [password] from the previous one, or by using some sort of challenge-response mechanism.
* [{$pagename}] can be generated using a shared secret, called a seed, along with some dynamic value such as a counter or a value derived from the current time.
* [{$pagename}] generation based on a shared seed is usually fairly easy to implement, but the dynamic values at the [{$pagename}] (called a prover) and the verifier (authentication server) can get out of sync, and validation algorithms need to account for that.

Many [{$pagename}] schemes are proprietary and incompatible with each other.
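The out-of-sync case from the last bullet, as an added example that is not part of the original page: a counter-based verifier using HOTP (RFC 4226) that searches a small look-ahead window and resynchronizes on a match. The {{Verifier}} class, its {{look_ahead}} parameter and {{demo}} are illustrative names, and the seed is the RFC 4226 Appendix D test seed.

```python
import hashlib
import hmac
import struct

def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """HOTP value per RFC 4226: HMAC-SHA-1 over the 8-byte big-endian counter."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation offset
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

class Verifier:
    """Hypothetical verifier-side state for one token (illustrative names)."""

    def __init__(self, seed: bytes, look_ahead: int = 3):
        self.seed = seed
        self.counter = 0              # next counter value the verifier expects
        self.look_ahead = look_ahead  # how far the prover may have run ahead

    def verify(self, candidate: str) -> bool:
        # The prover's counter advances on every generation, even if the value
        # is never submitted, so the prover can only be ahead of the verifier.
        for c in range(self.counter, self.counter + self.look_ahead + 1):
            if hmac.compare_digest(hotp(self.seed, c), candidate):
                self.counter = c + 1  # resync: c and all earlier values are spent
                return True
        return False

def demo():
    seed = b"12345678901234567890"    # RFC 4226 Appendix D test seed
    v = Verifier(seed)
    return [
        v.verify(hotp(seed, 0)),      # prover and verifier in sync
        v.verify(hotp(seed, 0)),      # replay of an already used value
        v.verify(hotp(seed, 3)),      # prover skipped counters 1 and 2
        v.verify(hotp(seed, 2)),      # skipped value is dead after resync
        v.verify(hotp(seed, 9)),      # drift beyond the look-ahead window
    ]

if __name__ == "__main__":
    print(demo())
```

A wider look-ahead tolerates more drift but also gives a guesser more acceptable values per attempt, so the window should stay small and be paired with throttling of failed attempts.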
Fortunately, widely adopted open standards exist as well, most notably the:
* [HMAC-based One Time Password Algorithm|HMAC-based One-Time Password Algorithm] ([HOTP])
* [Time-based One-time Password Algorithm] ([TOTP])

!! More Information

There might be more information for this subject on one of the following:
[{ReferringPagesPlugin before='*' after='\n' }]

----
* [#1] - [http://blog.securism.com/2009/01/summarizing-pki-certificate-validation/|http://blog.securism.com/2009/01/summarizing-pki-certificate-validation/|target='_blank'] - based on 2013-04-10