A common step in deciding whether to grant a request for access to data or services in a network is to authenticate the requesting user. Authentication is the process of establishing or confirming one or more characteristics associated with a user or a request. For example, authentication may include confirming a user's identity or confirming that a request is generated by a particular device. In computer networks, authentication commonly involves the use of passwords. A password may be considered a first authentication factor because it is something the user knows that presumptively no one else knows.
Because passwords may be vulnerable to various exploits, security may be improved by adding a second authentication factor. Second authentication factors generally include something the user has (as opposed to something the user knows). Second authentication factors preferably include credentials that can be generated systematically and verified efficiently. Sources of second authentication factors can include smart cards, tokens, and other similar security devices that may be referred to generally as security tokens.
Some security tokens and other forms of authentication make use of One-Time Passwords (OTPs). An OTP can be a number or alphanumeric string that is generated once and is not reused. For example, a token can generate an OTP from a secret that it shares with an authentication service, and that OTP is sent to the authentication service. The authentication service generates its own OTP using its copy of the secret. The user is authenticated if the OTP determined by the authentication service matches the OTP provided by the user.
OTP credentials may be based on several mechanisms to vary the generated OTP. For example, event-based OTP tokens may generate a new OTP every time an event, such as a button press or other user action, occurs at the token. As another example, time-based OTP systems may generate a new OTP after the passage of a set amount of time.
Time-based one-time-password (OTP) credentials typically depend on synchronization of a clock on a device, such as an authentication token, with a clock at an authentication service where credentials generated by the device are to be validated.
These one-time-password credentials may be software-based so that they can execute on a computing device such as a desktop, laptop or a mobile phone. One potential challenge of OTP credentials, and especially of software-based time-based one-time-password credential systems, is that the clocks at the device and at the authentication service can become unsynchronized. This may occur, for example, when the time on the device is changed manually, when the device moves to a different time zone, or due to time drift within the device and/or the authentication service. When the clocks become unsynchronized, a credential generated by the device may stop working with little indication to the user that the cause of the non-working credential is that the device has generated an incorrect one-time password.
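The following added example (not part of the original text) shows the time-based scheme described above in code: a device and an authentication service derive the same OTP from a shared secret and the current 30-second time step, and the service tolerates a bounded amount of clock skew by also checking neighbouring steps. It illustrates how a device clock that drifts beyond the tolerated window produces a credential the service rejects, which is the failure mode discussed above. The algorithm follows RFC 4226/6238 (HMAC-SHA1, dynamic truncation); the secret, timestamps and window size are constructed sample values.

```python
import hashlib
import hmac
import struct
from typing import Optional


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """Event/counter-based OTP (RFC 4226): HMAC-SHA1 over the 8-byte counter."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation offset
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """Time-based OTP (RFC 6238): the counter is the number of elapsed time steps."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret: bytes, candidate: str, server_time: int,
                window: int = 1, step: int = 30, digits: int = 6) -> Optional[int]:
    """Validate a device-generated OTP against the service clock.

    Returns the time-step offset (-window..+window) at which the candidate
    matched, which the service can record as the observed device clock skew,
    or None if the device clock has drifted outside the tolerated window.
    """
    base = server_time // step
    for delta in range(-window, window + 1):
        expected = hotp(secret, base + delta, digits)
        if hmac.compare_digest(expected, candidate):   # constant-time compare
            return delta
    return None


if __name__ == "__main__":
    shared_secret = b"constructed-sample-secret"       # constructed sample value
    service_clock = 1_000_000                          # constructed timestamp
    # Device clock 40 s behind: one step off, accepted within window=1.
    code = totp(shared_secret, service_clock - 40)
    print("40 s behind:", verify_totp(shared_secret, code, service_clock))
    # Device clock 70 s behind: two steps off, rejected with window=1.
    code = totp(shared_secret, service_clock - 70)
    print("70 s behind:", verify_totp(shared_secret, code, service_clock))
```

A service that logs the returned offset can detect gradual drift before it crosses the window and prompt the user to resynchronize, rather than silently rejecting credentials.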