# How do OTP tokens work?

*From*: droid <jshowalter@xxxxxxxxx>
*Date*: Tue, 11 Mar 2008 20:54:18 -0700 (PDT)

If this is off-topic here, please direct me to the 'right' group.

I just got a VeriSign Secure Key from PayPal, which is a one-time password (OTP) token used for two-factor authentication (TFA). The PayPal Secure Key is a sequence-based token. Here's how I think it works:

Although it displays six digits, I don't think it generates six-digit pseudo-random numbers. Rather, I think the six digits are made up of two components. The first component is the next number in the pseudo-random sequence and the other is an encoding of the button-press. Given the server 'knows' where in the pseudo-random sequence the key began and how many key-presses (sequences) there have been, it 'knows' where the key is in the sequence.

Does anyone know if I'm right about this?

There are also time-based OTP tokens. My nephew uses one at his workplace and I can't figure out how they are kept synchronized with the login server.

If I suppose time-based tokens had perfect clocks, then, given the server knows both where (in the pseudo-random sequence) and precisely when (in real time) the device was started, it would always 'know' exactly where the token is in the sequence. Simple.

But the clocks _can't_ be that precise. I will assume a drift of a few seconds in three years and that would produce unacceptable login failure rates.

Does anyone know how time-based tokens work?
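As an added example (not from the poster, and not VeriSign's or PayPal's code, whose token internals the post does not describe), here is how the open HOTP (RFC 4226) and TOTP (RFC 6238) standards answer both questions: a counter-based server tries a look-ahead window of future counters and stores whichever one matched, and a time-based server accepts neighbouring 30-second steps and can record the matched step's distance from its own clock as that token's measured drift. The secret is the RFC 4226 test-vector key; the window sizes are illustrative choices.

```python
import hashlib
import hmac
import struct

# RFC 4226 test-vector secret (constructed demo value, never a real token key).
SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # low nibble of last byte picks a 4-byte window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify_counter_token(secret: bytes, code: str, last_counter: int, look_ahead: int = 10):
    """Sequence-based check. The server stores the last accepted counter and tries the next
    `look_ahead` values (button presses that never reached the server). Returns the counter
    to store on success, else None. Counters <= last_counter are never tried: a code that was
    already accepted must not be replayable."""
    for c in range(last_counter + 1, last_counter + 1 + look_ahead):
        if hmac.compare_digest(hotp(secret, c), code):
            return c
    return None


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter derived from the clock (time step = 30 s)."""
    return hotp(secret, unix_time // step, digits)


def verify_time_token(secret: bytes, code: str, unix_time: int,
                      last_step: int = -1, skew_steps: int = 1, step: int = 30):
    """Time-based check. Tolerates clock drift by accepting the current step and
    +/- skew_steps neighbours, so a token a few seconds off still logs in. Returns the
    matched step (store it; `matched - unix_time // step` is the token's drift in steps,
    usable to widen or shift the window for that token later), else None. Steps <= last_step
    are rejected so one code cannot be used twice inside the window."""
    current = unix_time // step
    for offset in range(-skew_steps, skew_steps + 1):
        candidate = current + offset
        if candidate <= last_step:
            continue
        if hmac.compare_digest(hotp(secret, candidate), code):
            return candidate
    return None
```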
