How do OTP tokens work?
 From: droid <jshowalter@xxxxxxxxx>
 Date: Tue, 11 Mar 2008 20:54:18 -0700 (PDT)
If this is off-topic here, please direct me to the 'right' group.

I just got a VeriSign Secure Key from PayPal, which is a one time
password (OTP) token used for two factor authentication (TFA). The
PayPal Secure Key is a sequence-based token. Here's how I think it
works:

Although it displays six digits, I don't think it generates six digit
pseudorandom numbers. Rather, I think the six digits are made up of
two components. The first component is the next number in the
pseudorandom sequence and the other is an encoding of the button press.
Given the server 'knows' where in the pseudorandom sequence the key
began and how many keypresses (sequences) there have been, it 'knows'
where the key is in the sequence.

Does anyone know if I'm right about this?

There are also time-based OTP tokens. My nephew uses one at his
workplace and I can't figure out how they are kept synchronized with the
login server.

If I suppose time-based tokens had perfect clocks; then given the server
knows both where (in the pseudorandom sequence) and precisely when (in
real time) the device was started; it would always 'know' exactly where
the token is in the sequence. Simple.

But the clocks _can't_ be that precise. I will assume a drift of a few
seconds in three years and that would produce unacceptable login failure
rates.

Does anyone know how time-based tokens work?
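
An added example, not part of the original post: how the open OTP standards (HOTP, RFC 4226, for button-press counters; TOTP, RFC 6238, for clocks) let a server stay in step with a token, using a look-ahead window for skipped presses and a small step window plus recorded drift for imprecise clocks. That the tokens mentioned in the post follow these standards is an assumption; the key is the RFC 4226 test key and the function names are illustrative.

```python
import hashlib
import hmac
import struct

KEY = b"12345678901234567890"  # RFC 4226 test key, not a real token secret


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # low nibble of last byte picks 4 bytes
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify_event(key, server_counter, submitted, look_ahead=10):
    """Counter token: the display carries no press count. The server tries
    its own counter and the next look_ahead values, then jumps past the
    match. Returns the new server counter, or None on failure."""
    for c in range(server_counter, server_counter + look_ahead + 1):
        if hmac.compare_digest(hotp(key, c), submitted):
            return c + 1  # resynchronise; earlier codes are now dead
    return None


def verify_time(key, now, submitted, drift_steps=0, last_step=-1,
                step=30, window=1):
    """Time token: the counter is floor(now / step). The server tries the
    steps within +/- window of its estimate, corrected by the drift it
    recorded for this token at earlier logins, and refuses any step at or
    before the last accepted one. Returns (step, new_drift) or None."""
    expected = int(now) // step + drift_steps
    for delta in sorted(range(-window, window + 1), key=abs):
        t = expected + delta
        if t > last_step and hmac.compare_digest(hotp(key, t), submitted):
            return t, drift_steps + delta
    return None


if __name__ == "__main__":
    # Constructed scenario: user pressed the button 3 times without logging in.
    print(verify_event(KEY, 0, hotp(KEY, 3)))  # server counter moves to 4
    # Constructed scenario: token clock is one 30 s step ahead of the server.
    print(verify_time(KEY, 59, hotp(KEY, 2)))  # accepted, drift recorded as +1
```

Because the code is checked per 30-second step rather than per second, a drift of a few seconds rarely matters, and the recorded drift keeps a slowly wandering clock inside the window as long as the token is used now and then.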
