One Time Password (OTP) devices and related algorithm for generating OTPs will normally use some means of synchronization mechanism with an OTP server. This implies that if an OTP has been accepted by the server it cannot be reused. Typically the OTP server accepts a certain range of OTPs from the One Time Password (OTP) devices (e.g.) 10 succeeding OTPs. If the OTP is outside of this range the One Time Password (OTP) device hereinafter the device will be locked. Synchronization in this respect is to be understood as a mechanism for the server to be updated with respect to status of key exchange for authentication of a client and/or the device.
Within the area of secure authentication and cryptography there is a number of papers and drafts disclosing protocols adapted for such use, examples of such papers and drafts are given at the end of the description under the sections for references together with examples of prior art of more general character within the same area.
The problem with the existing solutions is that an increasing OTP window decreases the security in the authentication mechanism. That is, the higher the number of succeeding OTP's that a client may submit without being locked out the lower is the security due for example to hackers, hence an increasing OTP window is undesirable. However, the OTP window cannot be too small since this effectively will make the mechanism inconvenient as the OTP device may get out of synchronization with the server when OTPs are generated that are not sent to the server. Go3 and digipass are examples of devices that generate a sequence of OTPs and where the OTP server synchronizes when the OTPs are submitted.
An object of the present invention is to provide a means for secure authentication without the conflicting problems referred to above with respect to “lack of synchronisation/lack of possibilities for keying errors” vs. security.