One-time password

A one-time password is one password in a set of passwords, so constructed that it is extremely difficult to calculate the next password in the set given the previous passwords.

Motivation

Consider a computer system at an institution where a visitor needs to use the system for a given time period or login. A one-time password system may consist of the user being presented with a one-time password on the screen, where this grants the visitor access for one day. After the given time period finishes, no more passwords are available to the visitor, and thus the access to the system is removed.

Implementation

One approach, due to Leslie Lamport, uses a one-way function (call it f). The one-time password system starts with an initial seed s and generates the passwords

f(s), f(f(s)), f(f(f(s))), ...

as many times as necessary. If an indefinite series of passwords is wanted, a new seed value can be chosen after the set derived from s is exhausted.

The passwords are then dispensed in reverse order: f(f(...f(s))...) is used first, and f(s) last.

If an intruder happens to see one one-time password, they may gain access for one time period or login, but no more. To derive the next password from the previous ones, one would need a way of calculating the inverse function f^-1; however, f was deliberately chosen to be one-way, so this is a disproportionately difficult task. If f is a cryptographic hash function, which is generally the case, it is (so far as is known) computationally infeasible.
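Lamport's scheme as an added worked example (not code from the original article): the chain is built from a seed, the verifier stores only the top of the chain, and passwords are accepted in reverse order. SHA-256 stands in for f; the names make_chain, Verifier and demo are my own choices.

```python
import hashlib
import hmac
import secrets

def f(x: bytes) -> bytes:
    """The one-way function: SHA-256, a cryptographic hash as the text recommends."""
    return hashlib.sha256(x).digest()

def make_chain(seed: bytes, n: int) -> list[bytes]:
    """Return [f(s), f(f(s)), ..., f^n(s)] for the seed s."""
    chain, x = [], seed
    for _ in range(n):
        x = f(x)
        chain.append(x)
    return chain

class Verifier:
    """Server side: stores only the last accepted value, never the seed."""
    def __init__(self, anchor: bytes):
        # anchor = f^(n+1)(s), registered once when the user is enrolled
        self.current = anchor

    def login(self, password: bytes) -> bool:
        # The next valid password p must satisfy f(p) == current.
        # compare_digest avoids leaking the match position via timing.
        if hmac.compare_digest(f(password), self.current):
            self.current = password   # move one step down the chain
            return True
        return False

def demo(n: int = 5):
    """Enrol a user with n one-time passwords, use them all, then try a replay."""
    seed = secrets.token_bytes(32)            # constructed random seed, kept by the user
    chain = make_chain(seed, n + 1)           # f(s) .. f^(n+1)(s)
    verifier = Verifier(chain[-1])            # server holds only f^(n+1)(s)
    passwords = chain[:-1][::-1]              # dispensed in reverse: f^n(s) first, f(s) last
    results = [verifier.login(p) for p in passwords]
    replay = verifier.login(passwords[0])     # an already-spent password is rejected
    return results, replay

if __name__ == "__main__":
    print(demo())  # ([True, True, True, True, True], False)
```

Seeing any accepted password gives an eavesdropper only values above it in the chain, which are already spent; the next password below it would require inverting f.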

See also: One-time password, Cryptographic hash function, Leslie Lamport, One-way function, S/Key