How do OTP tokens work?
- From: droid <jshowalter@xxxxxxxxx>
- Date: Tue, 11 Mar 2008 21:06:08 -0700 (PDT)
If this is off-topic here, please direct me to the 'right' group.

I just got a VeriSign Secure Key from PayPal, which is a one-time
password (OTP) token used for two-factor authentication (TFA). The
PayPal Secure Key is a sequence-based token. Here's how I think it
works:

Although it displays six digits, I don't think it generates six-digit
pseudo-random numbers. Rather, I think the six digits are made up of
two components. The first component is the next number in the
pseudo-random sequence and the other is an encoding of the number of
button presses there have been.

Given the server 'knows' where in the pseudo-random sequence the key
began and how many key-presses (sequences) there have been, it 'knows'
where the key is in the sequence.

Does anyone know if I'm right about this?

There are also time-based OTP tokens. My nephew uses one at his
workplace and I can't figure out how they are kept synchronized with
the login server.

If I suppose time-based tokens had perfect clocks, then given the
server knows both where (in the pseudo-random sequence) and precisely
when (in real time) the device was started, it would always 'know'
exactly where the token is in the sequence. Simple.

But the clocks _can't_ be that precise. I will assume a drift of a
few seconds in three years and that would produce unacceptable login
failure rates.

Does anyone know how time-based tokens work?
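
The two synchronization questions above, worked through with the published OATH algorithms HOTP (RFC 4226, counter-based) and TOTP (RFC 6238, time-based). This is an added example, not part of the original post, and the post does not say which algorithm the PayPal token uses; the function names, the look-ahead of 10 and the drift window of one step are illustrative assumptions.

```python
import hashlib
import hmac
import struct

# Published RFC 4226 test secret, used as sample input (not a real token seed).
KEY = b"12345678901234567890"

def hotp(key, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over the 8-byte counter, dynamically truncated.
    Every displayed digit comes from the MAC; the counter itself is not shown."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def verify_counter(key, server_counter, submitted, look_ahead=10):
    """Counter-based check. The token may be ahead of the server because of
    unused button presses, so the server tries a bounded look-ahead window.
    Returns the next counter to store on success, None on failure."""
    for c in range(server_counter, server_counter + look_ahead + 1):
        if hmac.compare_digest(hotp(key, c), submitted):
            return c + 1  # codes at or before c can never be accepted again
    return None

def verify_time(key, submitted, now, step=30, window=1, last_step=-1):
    """Time-based check. The counter is the number of `step`-second intervals
    since the Unix epoch; +/- `window` steps absorb clock drift. `last_step`
    is the last step already accepted, so a code cannot be replayed.
    Returns the matched step on success, None on failure."""
    current = int(now) // step
    for t in range(max(0, current - window), current + window + 1):
        if t > last_step and hmac.compare_digest(hotp(key, t), submitted):
            return t
    return None

if __name__ == "__main__":
    # Token pressed twice without logging in: server at 0, token shows code 2.
    print(verify_counter(KEY, 0, hotp(KEY, 2)))
    # Token clock one step slow: it shows step 1 while the server is at step 2.
    print(verify_time(KEY, hotp(KEY, 1), now=65))
```

A wider window tolerates more missed presses or drift but gives a guessed code more chances to match, so both windows are kept small.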