
Question

From RFC 4226 I understand how HOTP generates one-time passwords by incrementing a counter and uses the 'look-ahead' window to try to resynchronise (from this counter), if the user tries a few wrong passwords.

Say the user leaves their token with their cat, which decides to generate 200 passwords while rolling around with it. This would likely desynchronise the system such that the user will not be able to log in, even with the look-ahead.

I assume the user would need assistance to reset the system, but what are the actual steps to doing this?

Additionally, what would be a good number for the parameter w? 10? 50? 100?

Explanation / Answer

The usual resynchronization method involves getting several consecutive codes from the token and then running the algorithm once with a very large look-ahead window until the set of consecutive codes are found. The number of consecutive codes needed depends on how far off the token is.

With a typical token, two codes would suffice to handle a desynch of 200. Many HOTP systems will simply ask you for a second code and fix a desynch of less than 500 codes or so by themselves.
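One way to implement the resynchronisation the answer describes, as an added example that is not part of the original post: a normal login check with a small look-ahead window `w`, and a recovery step that takes two consecutive codes from the token and scans a much larger window for the position where both match in sequence. It uses the RFC 4226 test key (`12345678901234567890`) and constructed counter values; the window sizes and function names are assumptions.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % (10 ** digits)).zfill(digits)


def verify(secret: bytes, server_counter: int, code: str, w: int = 10):
    """Normal login: accept if the code matches any of the next `w` counters.

    Returns the new server counter (one past the matched value), or None."""
    for c in range(server_counter, server_counter + w):
        if hmac.compare_digest(hotp(secret, c), code):
            return c + 1
    return None


def resync(secret: bytes, server_counter: int, codes: list, max_window: int = 1000):
    """Recovery: find `codes` as *consecutive* HOTP outputs inside a large window.

    A single 6-digit code would falsely match somewhere in a 1000-wide window with
    probability about 1000 / 10**6, so two consecutive codes are required, which
    drives the false-match probability down to roughly 1000 / 10**12.
    Returns the resynchronised server counter (one past the last code), or None."""
    n = len(codes)
    for c in range(server_counter, server_counter + max_window):
        if all(hmac.compare_digest(hotp(secret, c + i), codes[i]) for i in range(n)):
            return c + n
    return None


if __name__ == "__main__":
    secret = b"12345678901234567890"  # RFC 4226 test key (constructed scenario below)
    server = 0
    cat_counter = 200  # the token was advanced 200 steps by the cat
    print(verify(secret, server, hotp(secret, cat_counter)))            # None: outside w=10
    server = resync(secret, server, [hotp(secret, cat_counter), hotp(secret, cat_counter + 1)])
    print(server)                                                         # 202
    print(verify(secret, server, hotp(secret, cat_counter + 2)))         # 203: back in sync
```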
