An authentication device such as a token can generate a One Time Password (OTP) based upon an embedded secret called a credential seed. The token can process the credential seed with other factors such as a timestamp to generate a unique OTP that is used once to authenticate the token holder.
When a token generates an OTP, it is sent with the token identifier to an authentication service provider. For example, an OTP and identifier can be sent from a customer to a bank to authenticate the customer for online banking. The bank can send the identifier, OTP and other factors (such as a timestamp) to a third-party authentication service for authentication. The third party looks up the credential seed based upon the token identifier, computes its own version of the OTP and compares it to the OTP received from the bank. If the third party's version of the OTP corresponds to the one received from the bank, the third party sends a message to the bank indicating a successful authentication. If not, an authentication failure message is sent to the bank.
A token manufacturer generally provisions its tokens with credential seeds by preloading each token with one or more unique credential seeds at its time of manufacture. It sends copies of the credential seeds along with their corresponding token identifiers to the party hosting the authentication service. The credential seeds and identifiers are indexed and stored by the authentication service for lookup when needed. Storing large numbers of credential seeds, possibly from different manufacturers, requires a significant amount of memory and resources to index, store and look up a particular credential seed. As credential seed files grow larger, they introduce undesirable latency into the lookup and OTP verification process. It would be desirable to keep the credential seed lookup tables used for real-time or near real-time authentication of OTPs as small and efficient as possible, so as to reduce the memory required to store them and improve the timeliness with which OTPs may be looked up and verified.
Many of the credential seeds sent to the authentication service are dormant because many of the tokens with which they are associated are pre-active, i.e., they have not yet been issued to users. Thus, many of the credential seed records that are indexed and stored in lookup tables used for live OTP authentication are not relevant to a token lookup operation at the time an OTP is received for verification by the service. The large number of pre-active credential seeds mixed with the active seeds can slow the lookup of active seeds in response to requests for real-time or near real-time authentication of OTPs.
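The verification flow described above (look up the seed by token identifier, recompute the OTP from the seed and timestamp, compare) with active seeds kept apart from pre-active ones, as an added illustration that is not part of the original text. It assumes the HMAC-SHA1 time-based OTP construction of RFC 4226/6238 as the seed-plus-timestamp algorithm, and the seed tables, token identifiers and the `verify_otp` helper are constructed for the example.

```python
import hmac
import hashlib
import struct

# Constructed sample credential seeds keyed by token identifier (not real tokens).
# Only issued (active) tokens are loaded into the live lookup table; pre-active
# seeds stay in a separate store so they never slow a live verification.
ACTIVE_SEEDS = {"TOK-0001": b"\x01" * 20}
PRE_ACTIVE_SEEDS = {"TOK-0002": b"\x02" * 20}

STEP_SECONDS = 30   # assumed time step
DIGITS = 6          # assumed OTP length


def generate_otp(seed: bytes, timestamp: int, step: int = STEP_SECONDS,
                 digits: int = DIGITS) -> str:
    """Token side: HMAC-SHA1 over the time-step counter, dynamically truncated
    (the HOTP/TOTP construction of RFC 4226 / RFC 6238)."""
    counter = timestamp // step
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify_otp(token_id: str, otp: str, timestamp: int, window: int = 1) -> str:
    """Authentication service side: look up the seed for the identifier,
    recompute the OTP for the received timestamp (allowing +/- `window` steps
    of clock skew) and compare. Returns 'success', 'failure' or 'unknown_token'."""
    seed = ACTIVE_SEEDS.get(token_id)
    if seed is None:
        # Pre-active tokens are not consulted at all during live verification.
        return "unknown_token"
    for skew in range(-window, window + 1):
        candidate = generate_otp(seed, timestamp + skew * STEP_SECONDS)
        # Constant-time comparison so timing does not reveal matching digits.
        if hmac.compare_digest(candidate, otp):
            return "success"
    return "failure"
```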
In addition to the lookup performance challenge, the relational database that is typically used to store credential seeds may also have capacity limitations.
What is needed is a more efficient way to store credential seeds that facilitates lookups and speeds the authentication process for OTPs while handling large volumes of credential seeds.