One-time authentication tokens are used to realize two-factor authentication according to which a traditional passcode-based user-authentication method (using a known secret) is augmented with a one-time passcode that is produced by an authentication token (i.e., a secret produced by something you possess). The two factors collectively provide a stronger authentication method.
Time-based tokens typically change their state in predetermined, fixed, and publicly known time intervals (e.g., every T seconds). Thus, an attacker can optimize a success probability for certain types of state-inference attacks by scheduling the attack at the beginning of the passcode generation epoch. A need therefore exists for a randomized mechanism for implementing internal state transitions of such one-time authentication tokens in a manner that tolerates such inference attacks.