One-time passwords are used for security and authentication. In some implementations, a dedicated device (e.g., an authenticator such as a token/fob) may be used to periodically generate a series of one-time passwords that a user enters to authenticate himself to a particular system. Both the dedicated device and the particular system are initialized with a “seed” value (shared secret), and the series of one-time passwords is generated based on this seed value. The seed value is kept secret, and the mechanism for generating/verifying one-time passwords may also be protected so that it is difficult/impossible to predict a particular one-time password in the series in time to use it and so that, for example, a malicious entity cannot improperly generate a correct but unauthorized one-time password. Generally, the series of one-time passwords is pseudo-random, but based on the passage of time and/or a counter. The dedicated device may be tamper-proof in that any attempt to access the internal workings of the device to learn otherwise secret information, such as the seed value, may cause the device to stop working and, in some cases, erase/destroy sensitive information on the device.
It is also possible to use software instead of a dedicated device to generate one-time passwords. A seed value (shared secret) is transferred in a secure way to a device, such as a desktop or laptop computer, a tablet, or a smartphone, which then runs an algorithm to generate the pseudo-random sequence of one-time passwords. A user with a smartphone runs a one-time password app, which provides the user with an appropriate one-time password. Although this approach may be more convenient than using dedicated hardware, such as an authenticator, it may also be less secure, since the security of the seed (shared secret) and of the one-time password generation mechanism relies on the security of the device. Also, for some users, adding an app/program to their device and/or using it may be inconvenient.
Accordingly, it is desirable to provide a mechanism for generating one-time passwords that does not require dedicated hardware while, at the same time, being potentially more secure and convenient than software-only approaches.
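The seed-based generation and verification described in the first two paragraphs, shown as an added example that is not part of the original text. The text names no algorithm, so the example assumes the standard HOTP/TOTP constructions (RFC 4226 and RFC 6238); `hotp`, `totp`, `Verifier`, `look_ahead` and the sample `SEED` are names chosen for illustration.

```python
import hashlib
import hmac
import struct

# Constructed sample seed (the RFC 4226 test secret); real seeds are random and secret.
SEED = b"12345678901234567890"


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """Counter-based password: HMAC-SHA1 over the counter, truncated (RFC 4226)."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation: low nibble selects 4 bytes
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(seed: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """Time-based password: the counter is the number of elapsed time steps (RFC 6238)."""
    return hotp(seed, unix_time // step, digits)


class Verifier:
    """System side: same seed as the token, plus the next counter it will accept."""

    def __init__(self, seed: bytes, counter: int = 0, look_ahead: int = 3):
        self.seed, self.counter, self.look_ahead = seed, counter, look_ahead

    def verify(self, candidate: str) -> bool:
        # The token may have advanced without a login, so search a small
        # window ahead of the stored counter.
        matched = None
        for c in range(self.counter, self.counter + self.look_ahead + 1):
            expected = hotp(self.seed, c).encode()
            # Constant-time comparison; the loop always runs the full window.
            if hmac.compare_digest(expected, candidate.encode()) and matched is None:
                matched = c
        if matched is None:
            return False
        self.counter = matched + 1  # resynchronise; used and skipped codes are dead
        return True


if __name__ == "__main__":
    system = Verifier(SEED)
    print(hotp(SEED, 1), system.verify(hotp(SEED, 1)), system.verify(hotp(SEED, 1)))
```

Anyone who can read the seed can compute every future password in the series, which is why the protection of the seed on the generating device matters as much as the algorithm.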