A password generator called a “one-time token” is known as a means for generating a code (password) that varies each time authentication is performed. In an authentication system using the one-time token, hardware and algorithms are shared in advance by the authenticating side and the authenticated side in order to authenticate the code (password), which is generated in the token and can be used only once.
For example, each of the tokens distributed to users has a built-in clock and stores a numerical value unique to the token (hereinafter referred to as the “seed”). The token performs a specific calculation (algorithm) on the basis of time data obtained from the clock and the value of the seed, and generates a token code that is valid only for that token at a specific time. The generated token code is updated at time intervals predetermined for each token.
An authentication-side server (authentication manager) receives the transmitted ID of a user (such as a personal identification number) and the transmitted token code, verifies the ID and the token code, and judges whether or not the access source is a real or legitimate user.
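The scheme described above, as an added example that is not part of the original text: the token derives a code from its seed and the current time step, and the authentication manager recomputes it from the stored seed and rejects any reuse. The text does not name the "specific calculation", so HMAC-SHA-1 with RFC 4226 truncation is used as a stand-in; the 60-second interval, 6-digit length, drift window, user ID and seed are assumptions.

```python
import hashlib
import hmac
import struct

INTERVAL = 60  # seconds between token-code updates (assumed value)
DIGITS = 6     # token-code length (assumed value)

def token_code(seed: bytes, now: float, interval: int = INTERVAL) -> str:
    """Token side: derive the code from the seed and the current time step."""
    step = int(now // interval)
    mac = hmac.new(seed, struct.pack(">Q", step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation, as in RFC 4226
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10**DIGITS).zfill(DIGITS)

class AuthenticationManager:
    """Server side: holds each user's seed and rejects reused codes."""

    def __init__(self, seeds: dict, interval: int = INTERVAL):
        self.seeds = seeds
        self.interval = interval
        self.last_step = {}  # last accepted time step per user ID

    def verify(self, user_id: str, code: str, now: float, drift: int = 1) -> bool:
        seed = self.seeds.get(user_id)
        if seed is None:
            return False
        current = int(now // self.interval)
        # Accept neighbouring steps to tolerate drift of the token's clock
        # (the drift window is an assumption, not stated in the text).
        for step in range(max(0, current - drift), current + drift + 1):
            expected = token_code(seed, step * self.interval, self.interval)
            if hmac.compare_digest(expected.encode(), code.encode()):
                if step <= self.last_step.get(user_id, -1):
                    return False  # already used: the code is one-time only
                self.last_step[user_id] = step
                return True
        return False

# Constructed sample data: the user ID and seed are made up for this example.
SEEDS = {"user-0001": b"constructed-seed-0001"}
```

Tracking the last accepted time step per user is what enforces the "can be used only once" property; without it, a code intercepted in transit could be replayed until the interval expires.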