How do OTP tokens work?
 From: droid <jshowalter@xxxxxxxxx>
 Date: Tue, 11 Mar 2008 21:06:08 -0700 (PDT)

If this is off-topic here, please direct me to the 'right' group.

I just got a VeriSign Secure Key from PayPal, which is a one-time
password (OTP) token used for two-factor authentication (TFA). The
PayPal Secure Key is a sequence-based token. Here's how I think it
works:

Although it displays six digits, I don't think it generates six-digit
pseudorandom numbers. Rather, I think the six digits are made up of
two components. The first component is the next number in the
pseudorandom sequence and the other is an encoding of the number of
button presses there have been.

Given the server 'knows' where in the pseudorandom sequence the key
began and how many keypresses (sequences) there have been, it 'knows'
where the key is in the sequence.

Does anyone know if I'm right about this?

There are also time-based OTP tokens. My nephew uses one at his
workplace and I can't figure out how they are kept synchronized with
the login server.

If I suppose time-based tokens had perfect clocks; then given the
server knows both where (in the pseudorandom sequence) and precisely
when (in real time) the device was started; it would always 'know'
exactly where the token is in the sequence. Simple.

But the clocks _can't_ be that precise. I will assume a drift of a
few seconds in three years and that would produce unacceptable login
failure rates.

Does anyone know how time-based tokens work?
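
The two synchronization questions in this post, worked through with the published OATH algorithms: HOTP (RFC 4226) for counter-based tokens and TOTP-style time steps (RFC 6238) for time-based ones. This is an added example, not part of the original post, and it does not claim to be what the PayPal/VeriSign token implements; the key is the RFC 4226 test secret, and the function names, window sizes and drift bookkeeping are assumptions.

```python
import hashlib
import hmac
import struct

KEY = b"12345678901234567890"  # RFC 4226 Appendix D test secret, not a real token seed

def hotp(key, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over the 8-byte counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def verify_event(key, server_counter, submitted, look_ahead=10):
    """Counter-based check; returns the new server counter or None.

    In HOTP the displayed digits carry no press count. Presses that were never
    submitted leave the token ahead of the server, so the server tries a
    bounded window ahead of its stored counter and resynchronizes on a match.
    It never looks backwards, so an already accepted code cannot be replayed.
    """
    for c in range(server_counter, server_counter + look_ahead + 1):
        if hmac.compare_digest(hotp(key, c), submitted):
            return c + 1
    return None

def verify_time(key, now, submitted, last_step=-1, drift=0, step=30, window=1):
    """Time-based check; returns (accepted_step, new_drift) or None.

    The counter is the number of `step`-second intervals since the Unix epoch,
    so a clock that is seconds off still lands in the same or an adjacent
    interval. The server accepts +/- `window` intervals around its own time
    and stores the offset it observed (`drift`) to follow a slow clock.
    """
    expected = int(now) // step + drift
    for delta in sorted(range(-window, window + 1), key=abs):
        t = expected + delta
        # t > last_step rejects replays (and, with last_step >= -1, negative counters)
        if t > last_step and hmac.compare_digest(hotp(key, t), submitted):
            return t, drift + delta
    return None

if __name__ == "__main__":
    print(verify_event(KEY, 0, hotp(KEY, 2)))   # token pressed twice unseen
    print(verify_time(KEY, 59, hotp(KEY, 2)))   # token clock one step fast
```

The look-ahead and time windows trade login failures against guessing resistance: each extra accepted counter value multiplies an attacker's chance per guess, so they are kept small and paired with attempt throttling.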
