Question
I'm looking for the typical ways to generate a One Time Password. I know about HOTP and TOTP. But, in my case, the problem is that the "server" only has a display as its interface, and the OTP generator app should work on one or more mobile devices.
Currently I am thinking about using a secure Pseudo Random Number Generator. The generated number will be displayed on the "server". Then the user has to enter this number into the mobile devices. The generator uses the input random number and a pre-shared secret, links them together, and hashes them several times. The result is the OTP.
Is there a similarly standardized way to generate an OTP?
Explanation / Answer
Think about this implementation (Disclaimer: this is basic):
Server displays a Random Number that changes every 30 seconds (R)
Mobile device has a unique device ID (DID)
Server maintains a record of authorized DIDs
Both server and mobile device share a secret (S)
When the mobile device wants to log in, it requests the active R from the server. The mobile device then calculates hash(S + DID + R) and sends the result to the server along with the DID. The server uses the same algorithm, and if it matches, then you have some level of assurance that the authorized device is the one now actively logging in.
Couple this with a typical username/password credential that is tied to the DID and you have a VERY basic 2FA. The downside is the necessity to maintain and communicate S before this process begins.
This process is the basic function of OTP generation, but there are more secure means of implementing it if you look. Remember the rule:
"Don't Roll Your Own"
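As an added example (not code from the question or the answer above), here is a runnable model of the display-based challenge-response scheme the answer describes: the server shows R, the app computes a code from S, DID and R, and the server recomputes and compares. The class names, the "|" field separator and the 8-digit truncation are this example's own choices; the answer writes hash(S + DID + R), and HMAC-SHA256 is used here instead of a bare hash over concatenated fields because HMAC is the standard keyed construction and the separator removes ambiguity between fields. It also adds two checks a practitioner would want that the answer leaves implicit: R expires after 30 seconds, and a code accepted once is refused if replayed within the same window.

```python
import hashlib
import hmac
import secrets

# Added example, not from the original Q&A. Names (Server, Generator,
# compute_response) and the "|" separator are this example's own assumptions.

R_PERIOD_SECONDS = 30   # how long a displayed R stays valid
OTP_DIGITS = 8          # length of the code the user types back


def compute_response(secret: bytes, did: str, r: str, digits: int = OTP_DIGITS) -> str:
    """Both sides run this: keyed MAC over DID and the displayed challenge R,
    truncated to a fixed-length decimal code (HOTP-style truncation, simplified)."""
    msg = f"{did}|{r}".encode()
    mac = hmac.new(secret, msg, hashlib.sha256).digest()
    code = int.from_bytes(mac[:4], "big") % (10 ** digits)
    return f"{code:0{digits}d}"


class Server:
    """Has only a display; keeps the authorized DID -> S table and the current R."""

    def __init__(self, authorized: dict):
        self.authorized = dict(authorized)   # DID -> pre-shared secret S
        self.current_r = None
        self.r_expires = 0.0
        self.used = set()                    # (DID, R) pairs already accepted

    def displayed_r(self, now: float) -> str:
        """Value shown on the display; rotated every R_PERIOD_SECONDS."""
        if self.current_r is None or now >= self.r_expires:
            self.current_r = secrets.token_hex(4)   # 8 hex chars, easy to type
            self.r_expires = now + R_PERIOD_SECONDS
        return self.current_r

    def verify(self, did: str, response: str, now: float) -> bool:
        """Accept only for an authorized DID, an unexpired R, and at most once
        per (DID, R): a replayed code within the window is refused."""
        s = self.authorized.get(did)
        if s is None or self.current_r is None or now >= self.r_expires:
            return False
        if (did, self.current_r) in self.used:
            return False
        expected = compute_response(s, did, self.current_r)
        if not hmac.compare_digest(expected, response):   # constant-time compare
            return False
        self.used.add((did, self.current_r))
        return True


class Generator:
    """The mobile-side app: knows its own DID and S; the user types R into it."""

    def __init__(self, did: str, secret: bytes):
        self.did = did
        self.secret = secret

    def otp_for(self, r: str) -> str:
        return compute_response(self.secret, self.did, r)


def demo() -> dict:
    """Exercise the scheme with constructed sample data and a fixed clock."""
    secret = bytes.fromhex("00112233445566778899aabbccddeeff")   # constructed S
    server = Server({"device-A": secret})
    app = Generator("device-A", secret)
    rogue = Generator("device-A", bytes(16))        # right DID, wrong secret

    t0 = 1_000_000.0
    r = server.displayed_r(t0)                       # user reads R off the display
    results = {
        "wrong_secret": server.verify("device-A", rogue.otp_for(r), t0 + 1),
        "unknown_did": server.verify("device-Z", app.otp_for(r), t0 + 2),
        "good": server.verify("device-A", app.otp_for(r), t0 + 5),
        "replay": server.verify("device-A", app.otp_for(r), t0 + 6),
    }
    # Fresh server: R read at t0, but the code is presented after the window.
    late = Server({"device-A": secret})
    r2 = late.displayed_r(t0)
    results["expired"] = late.verify("device-A", app.otp_for(r2), t0 + R_PERIOD_SECONDS + 1)
    return results


if __name__ == "__main__":
    print(demo())
```

The replay set and the expiry check are what make the code genuinely "one time": without them, anyone who sees a valid code during the 30-second window could reuse it. In a real deployment the secret S would be provisioned once per device (the answer's noted downside) and the server's display should show only R, never S or the expected code.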