One-time authentication tokens produce a series of unpredictable one-time passcodes (OTPs) that serve as second authentication factors when authenticating users to remote servers. They implement the general concept of second-factor authentication and thus offer stronger user authentication. Passcodes are typically generated in an unpredictable manner by extracting pseudorandomness from an initial seed that is stored at the token and shared with the server. The security of one-time authentication tokens therefore rests on the secrecy and protection of the token's seed, in particular against an attacker that directly compromises the server, either ephemerally to obtain the secret seed or permanently to tamper with the verification process.
Split-server verification employs at least two verification servers, each keeping a distinct secret state, as well as distributed cryptography to implement a joint user-authentication protocol that tolerates certain compromises of one or more servers. See, for example, U.S. Pat. No. 7,725,730. Similar split-server OTP verification protocols have been proposed to make one-time authentication tokens resilient to certain types of server-side attacks. U.S. patent application Ser. No. 13/404,737, filed Feb. 24, 2012, entitled “Method and Apparatus for Authenticating a User Using Multi-Server One-Time Passcode Verification,” (now U.S. Pat. No. 9,118,661), employs cryptography, and U.S. patent application Ser. No. 13/795,801, filed Mar. 12, 2013, entitled “Distributed Cryptography Using Distinct Value Sets Each Comprising at Least One Obscured Secret Value,” does not support an auxiliary channel (for a discussion of auxiliary channels, see, for example, U.S. patent application Ser. No. 13/404,780, filed Feb. 24, 2012, entitled “Method and Apparatus for Embedding Auxiliary Information in One-Time Passcode Authentication Tokens” (now U.S. Pat. No. 8,984,780)).
A need therefore exists for efficient multi-server OTP verification protocols that are compatible with the existence of an auxiliary channel, while providing high levels of server-side security.