This specification relates to authorizing actions to be performed by an online service provider.
Online service providers provide various types of services, for example, email hosting, social networking, and shopping. Many online service providers require users to authenticate themselves to a server by providing a username and a password before the server provides services. The level of security provided by requiring a username and password can be adequate for certain lower-risk or routine actions; however, for some higher-risk actions, online service providers require a greater level of security. For example, for an email provider, actions such as routinely checking and sending email can be protected by requiring a username and password, and actions such as establishing a forwarding filter that will block or send large amounts of mail can be protected by another security mechanism.
One way to provide a greater level of security is to require the user to provide a one-time password. A one-time password is a password that authorizes only a single session, series of actions, or period of time. A one-time password provides a greater level of security because, even if the one-time password is intercepted, the one-time password cannot be used again, e.g., in a replay attack.
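The single-use property described above can be enforced on the server by consuming the stored code on its first verification attempt. The sketch below is an added example, not code from this specification; the class name, the action strings, the 6-digit code format, and the 300-second lifetime are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time


class StepUpOtpStore:
    """Issues one-time passwords bound to a (user, action) pair (hypothetical design)."""

    def __init__(self, ttl_seconds=300, clock=time.time):
        self.ttl = ttl_seconds
        self.clock = clock
        self._pending = {}  # (user, action) -> (SHA-256 digest of code, expiry time)

    def issue(self, user, action):
        # 6-digit code from a CSPRNG; a real service would deliver it out of band.
        code = f"{secrets.randbelow(10**6):06d}"
        digest = hashlib.sha256(code.encode()).digest()
        self._pending[(user, action)] = (digest, self.clock() + self.ttl)
        return code

    def authorize(self, user, action, code):
        # pop() consumes the entry on the first attempt, valid or not, so a
        # captured code cannot be replayed and a wrong guess forces a re-issue.
        entry = self._pending.pop((user, action), None)
        if entry is None:
            return False
        digest, expires_at = entry
        if self.clock() > expires_at:
            return False
        candidate = hashlib.sha256(code.encode()).digest()
        return hmac.compare_digest(candidate, digest)  # constant-time comparison


def demo():
    """Return the outcomes of a first use, a replay, and a cross-action attempt."""
    store = StepUpOtpStore()
    code = store.issue("alice", "create_forwarding_filter")
    first = store.authorize("alice", "create_forwarding_filter", code)
    replay = store.authorize("alice", "create_forwarding_filter", code)
    code2 = store.issue("alice", "create_forwarding_filter")
    other_action = store.authorize("alice", "change_recovery_address", code2)
    return first, replay, other_action


if __name__ == "__main__":
    print(demo())  # (True, False, False)
```

Binding the code to the action as well as the user means a code issued for one higher-risk action cannot authorize a different one.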