Embodiments of the present invention relate generally to methods and systems for utilizing one-time passwords and more particularly to methods and systems for providing and using extensive lists of pre-generated one-time passwords.
Authentication using a static password has been a staple of computer and other interactions between (typically two) “principals” for decades, if not millennia. Static passwords are initialized, used multiple times, and changed occasionally. In recent decades, One-Time Passwords (OTPs) have been used. To utilize an OTP, two principals are initialized with the same seed value and an algorithm for generating a sequence of passwords, each password different and pseudo-random. Input to the algorithm, in addition to the seed, can be a counter or a time value, resulting in “event-based” or “time-based” OTPs. The identical sequence of OTPs is generated in synchrony by each principal and thus can be used for password authentication, where a given OTP is used at most once. OTPs have the advantage over static passwords that if intercepted by an attacker, they cannot be used by the attacker except possibly once.
OTPs can be used in a variety of settings. A principal needing to access a protected resource via a first channel may be sent an OTP via a second channel, which the principal must then transmit via the first channel. Another example occurs within a computer case: after a computer is booted up, a hard drive may send an OTP to be stored in the BIOS. Next time the computer is started, the BIOS must present the OTP to the hard drive before the hard drive will allow access. However, these approaches have shortcomings. For example, these methods might require non-trivial processing by both principals that may not be available on all devices, or rely on one or a few OTPs stored locally that may be subject to loss or corruption. Also, in order to support OTP generation on multiple platforms, vendors must maintain multiple platform-dependent implementations. Furthermore, cryptographic generation algorithms are in principle vulnerable to attack by an adversary with unlimited resources. Moreover, no currently known algorithm (HOTP, TOTP, 3DES, AES, SHA family, RSA, etc.) has been proved to be secure against cryptanalysis, and hence any of them may potentially be broken more easily than by a brute-force attack. Hence there is a need in the art for improved methods and systems for utilizing one-time passwords.