Although passwords have long been used as a security tool for controlling access to computing devices and to data and functions provided by remotely located computing devices, concerns have long existed about the use of “static” passwords that remain unchanged and are used repeatedly over an extended period of time. It has long been recognized that one-time passwords (OTPs) are, by their one-use nature, more secure. However, there have long been challenges regarding how to generate and provide them.
A longstanding solution has been to provide miniature OTP generator devices that authorized users can carry with them. Such devices often come in the shape and size of credit cards or key fobs, and feature a small alphanumeric display that shows a frequently changing OTP. Such devices generate the OTPs using any of a variety of algorithms that often require an initial “seed” value and a constantly changing “variable” value such as the time of day or the current output of a monotonic counter. The computing device to which the generated OTPs are meant to enable access also executes the same algorithm with the same seed and variable values. As a result, the miniature OTP generator device and the computing device to which access is sought should generate identical OTPs over time, though possibly with a slight drift in their relative timings over a period of months to years.
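As an added illustration that is not part of the original text, the following Python example uses HOTP and TOTP (RFC 4226 and RFC 6238) as one concrete instance of the seed-plus-variable scheme described above, with the verifying side recomputing neighbouring time steps to absorb clock drift. The 30-second step, the one-step drift window, the function names and the sample seed (the RFC 4226 test value) are assumptions of this example.

```python
import hashlib
import hmac
import struct

STEP = 30  # seconds per time step (assumed; the RFC 6238 default)
SEED = b"12345678901234567890"  # sample seed: the published RFC 4226 test value


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte counter, then dynamic truncation."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(seed: bytes, unix_time: int, digits: int = 6) -> str:
    """Generator side: the variable value is the current time step."""
    return hotp(seed, unix_time // STEP, digits)


def verify(seed, candidate, server_time, window=1, last_step=-1, digits=6):
    """Verifier side: same algorithm and seed, tolerant of clock drift.

    Tries every time step within +/- `window` of the server's own step and
    returns the step that matched, or None. Steps at or before `last_step`
    (the last step already accepted) are skipped so an OTP cannot be replayed.
    """
    current = server_time // STEP
    matched = None
    for step in range(max(current - window, 0), current + window + 1):
        if step <= last_step:
            continue
        # Constant-time comparison: do not leak how many digits matched.
        if hmac.compare_digest(hotp(seed, step, digits), candidate):
            matched = step
    return matched


if __name__ == "__main__":
    otp = totp(SEED, 59)                       # generator's clock reads t=59
    print("generator OTP:", otp)
    print("server at t=65, window=1:", verify(SEED, otp, 65))
    print("server at t=65, window=0:", verify(SEED, otp, 65, window=0))
    print("replay after step 1 used:", verify(SEED, otp, 65, last_step=1))
```

The step returned by `verify` is what the server stores as `last_step` for that user, and the offset between it and the server's own step is the measured drift.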
Although such miniature OTP generator devices are effective and are in wide use among those who work with sensitive information, needing to have a physical device in one's possession to have an OTP when needed is inconvenient. Further, users of such devices can find themselves unable to make use of services of a computing device if a miniature OTP generator device becomes damaged, is lost or simply isn't in their possession when needed. One proposed solution to this is to incorporate OTP generation functionality into personally owned computing devices of individuals, including handheld portable ones, that they are more likely to have with them on a frequent basis for a myriad of uses. Unfortunately, concerns exist over the frequently weak level of security of those personally owned computing devices such that the seed and/or variable values may be compromised. It is with respect to these and other considerations that the embodiments described herein are needed.