Various embodiments described herein relate to computer systems, devices, methods and program products and, more particularly, to passwords that are used for user authentication or access approval to gain access to a resource.
A One-Time Password (OTP) is a password that is valid for only one login transaction or session. One-time passwords may be used to reduce various shortcomings that are associated with traditional static passwords. For example, in contrast to static passwords, one-time passwords are not vulnerable to replay attacks. Thus, when a potential intruder records a one-time password that was already used to log into a session or to conduct a transaction, the intruder will not be able to abuse it, since it will no longer be valid.
One-time passwords may be generated using algorithms that typically make use of pseudorandomness or randomness. Moreover, a one-time password may be used independently or may be used as part of an online login process in which a userid and static password (also referred to as a PIN) are provided.
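The single-use property and random generation described above can be shown with a small server-side store; this is an added example, not code from the original document. The class and function names, the 6-digit length, the 300-second lifetime, the attempt limit and the userid are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time


class OneTimePasswordStore:
    """Issues random numeric OTPs; each is accepted for one login only."""

    def __init__(self, ttl_seconds=300, digits=6, max_attempts=3, clock=time.monotonic):
        self.ttl, self.digits, self.max_attempts = ttl_seconds, digits, max_attempts
        self.clock = clock
        self._pending = {}  # userid -> [salt, digest, expires_at, attempts_left]

    @staticmethod
    def _digest(salt, otp):
        return hashlib.sha256(salt + otp.encode()).digest()

    def issue(self, userid):
        # Cryptographically strong randomness, zero-padded to a fixed width.
        otp = f"{secrets.randbelow(10 ** self.digits):0{self.digits}d}"
        salt = secrets.token_bytes(16)
        self._pending[userid] = [salt, self._digest(salt, otp),
                                 self.clock() + self.ttl, self.max_attempts]
        return otp  # handed to the delivery channel; only the digest is kept

    def verify(self, userid, otp):
        entry = self._pending.get(userid)
        if entry is None:
            return False  # never issued, already used, or expired
        salt, digest, expires_at, _ = entry
        if self.clock() >= expires_at:
            del self._pending[userid]
            return False
        if not hmac.compare_digest(digest, self._digest(salt, otp)):
            entry[3] -= 1  # bound guessing of a short code
            if entry[3] <= 0:
                del self._pending[userid]
            return False
        del self._pending[userid]  # consume: a recorded OTP cannot be replayed
        return True


def replay_demo():
    store = OneTimePasswordStore()
    otp = store.issue("alice")  # constructed userid
    first = store.verify("alice", otp)      # legitimate login
    replayed = store.verify("alice", otp)   # same OTP presented again
    return first, replayed
```

The second `verify` call fails because the entry is deleted on first successful use, which is the behavior that makes a recorded one-time password worthless to an intruder.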
Various technologies may be used to deliver one-time passwords. One common technology used for the delivery of one-time passwords is text messaging. Text messaging is a ubiquitous communication channel that is directly available on nearly all mobile user devices and, through text-to-speech conversion, on any mobile or landline telephone. Automated telephone calls also may be used to deliver a one-time password. Mobile phones also may be used to deliver one-time passwords, because a large customer base already owns a mobile phone for purposes other than receiving one-time passwords. One-time passwords may also be delivered using proprietary tokens or Web-based Authentication-as-a-Service providers, and may even be provided via hard copy.