Service providers and enterprises are continually challenged to deliver value and convenience to consumers and employees by providing compelling network services and advancing the underlying technologies. Many such network services depend critically on robust, secure authentication of requesting client devices and their users.

One-time password (OTP) methods are a common approach to user authentication, especially in enterprise contexts, and are often combined with other user verification factors to form multi-factor authentication systems. Common OTP systems are built around a shared secret key: a unique secret key is generated for each end-user and installed on a device in the user's possession, where it is used to generate a sequence of OTPs unique to that user. For the authentication system to validate the OTPs entered by users, an inventory of all users' secret keys must be maintained on the server side, either in the authentication system itself or in an adjunct OTP validation service.

That inventory is therefore an attractive target. The authentication system is compromised if an attacker gains access to the inventory of secret keys assigned to the users of requesting client devices, since possession of a user's key allows the attacker to generate that user's OTPs. It is similarly compromised if the attacker can, by any means, anticipate, deduce or predict the secret keys assigned to users, or can intercept a user's secret key while it is in transit to the end-user during an initialization or provisioning phase.
Based on the foregoing, there is a need for an effective user authentication system that includes measures to restrict access to its inventory of authentication secret keys.
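The shared-secret model described above, as an added illustration that is not part of the original document: the server provisions a per-user key, keeps it in its inventory, and validates a submitted code by recomputing it from the stored key. The OTP algorithms are the standard ones (HOTP per RFC 4226, TOTP per RFC 6238); the user names, the in-memory dictionary used as the inventory, and the `forge_from_leaked_inventory` helper are constructed for this example, the last one only to show that whoever holds the inventory can produce any user's codes.

```python
import hashlib
import hmac
import secrets
import struct


def provision_user(inventory, user_id, key=None):
    """Generate a fresh 160-bit secret for user_id and record it in the
    server-side inventory.  Returns the secret, which must then be delivered
    to the user's device (the provisioning step an attacker may try to intercept).
    `key` may be supplied to reproduce known test vectors; normally it is random.
    """
    if key is None:
        key = secrets.token_bytes(20)          # RFC 4226 recommends >= 128 bits; 160 used here
    inventory[user_id] = {"key": key, "counter": 0}
    return key


def hotp(key, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation to a 31-bit integer, then reduced to `digits` decimal digits."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    truncated = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{truncated % (10 ** digits):0{digits}d}"


def totp(key, timestamp, step=30, digits=6):
    """RFC 6238 TOTP: HOTP with the counter set to floor(timestamp / step)."""
    return hotp(key, int(timestamp) // step, digits)


def validate_totp(inventory, user_id, submitted, timestamp, step=30, window=1):
    """Server-side validation.  Looks the user's key up in the inventory and
    recomputes the code for the current time step and +/- `window` adjacent
    steps to tolerate clock drift.  Comparison is constant-time so the check
    itself does not leak digits of the expected code."""
    entry = inventory.get(user_id)
    if entry is None:
        return False
    counter = int(timestamp) // step
    for c in range(counter - window, counter + window + 1):
        if hmac.compare_digest(hotp(entry["key"], c), submitted):
            return True
    return False


def forge_from_leaked_inventory(leaked_keys, user_id, timestamp):
    """Hypothetical attacker helper: given a copy of the server's key inventory
    (user_id -> key), produce the victim's currently valid code.  This is the
    whole point of the threat in the text: the inventory IS the ability to log in."""
    return totp(leaked_keys[user_id], timestamp)


if __name__ == "__main__":
    inventory = {}                              # constructed stand-in for the server's key store
    device_key = provision_user(inventory, "alice")
    import time
    now = time.time()
    code = totp(device_key, now)                # what the user's device would display
    print("user submits", code, "->", validate_totp(inventory, "alice", code, now))
    stolen = {u: e["key"] for u, e in inventory.items()}
    forged = forge_from_leaked_inventory(stolen, "alice", now)
    print("attacker with inventory submits", forged, "->",
          validate_totp(inventory, "alice", forged, now))
```

Nothing in `validate_totp` distinguishes the legitimate device from the attacker holding a copy of `inventory`, which is why the text's requirement is about restricting access to the inventory rather than about the OTP computation itself. The `window` parameter is the usual trade-off: each extra step accepted widens the set of codes an attacker may guess or replay, so keep it as small as clock drift allows.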