Otp Generation Of The Key
A one-time password (OTP), also known as one-time pin or dynamic password, is a password that is valid for only one login session or transaction, on a computer system or other digital device. OTPs avoid a number of shortcomings that are associated with traditional (static) password-based authentication; a number of implementations also incorporate two-factor authentication by ensuring that the one-time password requires access to something a person has (such as a small keyring fob device with the OTP calculator built into it, or a smartcard or specific cellphone) as well as something a person knows (such as a PIN).
The most important advantage that is addressed by OTPs is that, in contrast to static passwords, they are not vulnerable to replay attacks. This means that a potential intruder who manages to record an OTP that was already used to log into a service or to conduct a transaction will not be able to abuse it, since it will no longer be valid. A second major advantage is that a user who uses the same (or similar) password for multiple systems, is not made vulnerable on all of them, if the password for one of these is gained by an attacker. A number of OTP systems also aim to ensure that a session cannot easily be intercepted or impersonated without knowledge of unpredictable data created during the previous session, thus reducing the attack surface further.
OTPs have been discussed as a possible replacement for, as well as enhancer to, traditional passwords. On the downside, OTPs are difficult for human beings to memorize. Therefore, they require additional technology to work.
How OTPs are generated and distributed
OTP generation algorithms typically make use of pseudorandomness or randomness, making prediction of successor OTPs by an attacker difficult, and also cryptographic hash functions, which can be used to derive a value but are hard to reverse and therefore difficult for an attacker to obtain the data that was used for the hash. This is necessary because otherwise it would be easy to predict future OTPs by observing previous ones. Concrete OTP algorithms vary greatly in their details. Various approaches for the generation of OTPs are listed below:
- Based on time-synchronization between the authentication server and the client providing the password (OTPs are valid only for a short period of time)
- Using a mathematical algorithm to generate a new password based on the previous password (OTPs are effectively a chain and must be used in a predefined order).
- Using a mathematical algorithm where the new password is based on a challenge (e.g., a random number chosen by the authentication server or transaction details) and/or a counter.
There are also different ways to make the user aware of the next OTP to use. Some systems use special electronic security tokens that the user carries and that generate OTPs and show them using a small display. Other systems consist of software that runs on the user's mobile phone. Yet other systems generate OTPs on the server-side and send them to the user using an out-of-band channel such as SMS messaging. Finally, in some systems, OTPs are printed on paper that the user is required to carry.
Methods of generating the OTP
Time-synchronized
A time-synchronized OTP is usually related to a piece of hardware called a security token (e.g., each user is given a personal token that generates a one-time password). It might look like a small calculator or a keychain charm, with an LCD that shows a number that changes occasionally. Inside the token is an accurate clock that has been synchronized with the clock on the proprietary authentication server. On these OTP systems, time is an important part of the password algorithm, since the generation of new passwords is based on the current time rather than, or in addition to, the previous password or a secret key. This token may be a proprietary device, or a mobile phone or similar mobile device which runs software that is proprietary, freeware, or open-source. An example of a time-synchronized OTP standard is the Time-based One-time Password algorithm (TOTP). Some applications, such as Google Authenticator and password managers, can be used to keep time-synchronized OTPs.
All of the methods of delivering the OTP below may use time-synchronization instead of algorithms.
Mathematical algorithms
Each new OTP may be created from the past OTPs used. An example of this type of algorithm, credited to Leslie Lamport, uses a one-way function (call it f). This one-time password system works as follows:
- A seed (starting value) s is chosen.
- A hash function f(s) is applied repeatedly (for example, 1000 times) to the seed, giving a value of f(f(f(...f(s)...))). This value, which we will call f^1000(s), is stored on the target system.
- The user's first login uses a password p derived by applying f 999 times to the seed, that is, f^999(s). The target system can authenticate that this is the correct password, because f(p) is f^1000(s), which is the value stored. The value stored is then replaced by p and the user is allowed to log in.
- The next login must be accompanied by f^998(s). Again, this can be validated because hashing it gives f^999(s), which is p, the value stored after the previous login. Again, the new value replaces p and the user is authenticated.
- This can be repeated another 997 times; each time the password will be f applied one fewer time, and it is validated by checking that, when hashed, it gives the value stored during the previous login. Hash functions are designed to be extremely hard to reverse, therefore an attacker would need to know the initial seed s to calculate the possible passwords, while the computer system can confirm the password on any given occasion is valid by checking that, when hashed, it gives the value previously used for login. If an indefinite series of passwords is wanted, a new seed value can be chosen after the set for s is exhausted.
To get the next password in the series from the previous passwords, one needs to find a way of calculating the inverse function f^−1. Since f was chosen to be one-way, this is extremely difficult to do. If f is a cryptographic hash function, which is generally the case, it is assumed to be a computationally intractable task. An intruder who happens to see a one-time password may have access for one time period or login, but it becomes useless once that period expires. The S/KEY one-time password system and its derivative OTP are based on Lamport's scheme.
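The Lamport chain just described, as an added example written for this page (it is not S/KEY or RFC 2289 code): f is instantiated as SHA-256, the server stores only the current chain head and never sees the seed, and a replayed password is rejected because its hash no longer matches the stored value.

```python
import hashlib
import hmac
import os


def f(x: bytes) -> bytes:
    """The one-way function f of the scheme; SHA-256 is an assumed choice."""
    return hashlib.sha256(x).digest()


def f_n(seed: bytes, n: int) -> bytes:
    """Apply f to the seed n times, i.e. compute f^n(seed)."""
    x = seed
    for _ in range(n):
        x = f(x)
    return x


class LamportServer:
    """Target system: holds f^n(s) at enrolment and replaces it with each accepted password."""

    def __init__(self, head: bytes, remaining: int):
        self.stored = head          # currently stored chain value
        self.remaining = remaining  # logins left before the chain is exhausted

    def login(self, password: bytes) -> bool:
        if self.remaining <= 0:
            return False
        # Valid iff hashing the candidate once yields the stored value.
        if not hmac.compare_digest(f(password), self.stored):
            return False
        self.stored = password      # next login must hash to this value
        self.remaining -= 1
        return True


class LamportClient:
    """User side: knows the seed and walks the chain downwards, f^(n-1)(s), f^(n-2)(s), ..."""

    def __init__(self, seed: bytes, n: int):
        self.seed = seed
        self.next_index = n - 1

    def has_next(self) -> bool:
        return self.next_index >= 0

    def next_password(self) -> bytes:
        if not self.has_next():
            raise RuntimeError("chain exhausted; a new seed must be enrolled")
        p = f_n(self.seed, self.next_index)
        self.next_index -= 1
        return p


def demo(seed: bytes, n: int = 1000):
    """Returns (first login ok, replay of the same password ok, second login ok)."""
    server = LamportServer(f_n(seed, n), n)   # server is given f^n(s) only
    client = LamportClient(seed, n)
    p1 = client.next_password()                # f^(n-1)(s)
    first = server.login(p1)
    replay = server.login(p1)                  # stored value is now p1, so this fails
    second = server.login(client.next_password())
    return first, replay, second


def count_logins(seed: bytes, n: int) -> int:
    """Walk a whole chain and count accepted logins (expected: exactly n)."""
    server = LamportServer(f_n(seed, n), n)
    client = LamportClient(seed, n)
    successes = 0
    while client.has_next():
        if server.login(client.next_password()):
            successes += 1
    return successes


if __name__ == "__main__":
    print(demo(os.urandom(32)))   # constructed random seed for a stand-alone run
```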
In some mathematical algorithm schemes, it is possible for the user to provide the server with a static key for use as an encryption key, by only sending a one-time password.[1]
The use of challenge-response one-time passwords requires a user to provide a response to a challenge. For example, this can be done by inputting the value that the token has generated into the token itself. To avoid duplicates, an additional counter is usually involved, so if one happens to get the same challenge twice, this still results in different one-time passwords. However, the computation does not usually involve the previous one-time password; that is, usually either this or another algorithm is used, rather than both.
The methods of delivering the OTP which are token-based may use either of these types of algorithm instead of time-synchronization.
Methods of delivering the OTP
Phones
A common technology used for the delivery of OTPs is text messaging. Because text messaging is a ubiquitous communication channel, being directly available in nearly all mobile handsets and, through text-to-speech conversion, to any mobile or landline telephone, text messaging has a great potential to reach all consumers with a low total cost to implement. OTP over text messaging may be encrypted using an A5/x standard, which several hacking groups report can be successfully decrypted within minutes or seconds.[2][3][4][5] Additionally, security flaws in the SS7 routing protocol can and have been used to redirect the associated text messages to attackers; in 2017, several O2 customers in Germany were breached in this manner in order to gain access to their mobile banking accounts. In July 2016, the U.S. NIST issued a draft of a special publication with guidance on authentication practices, which discourages the use of SMS as a method of implementing out-of-band two-factor authentication, due to the ability for SMS to be intercepted at scale.[6][7][8] Text messages are also vulnerable to SIM swap scams—in which an attacker fraudulently transfers a victim's phone number to their own SIM card, which can then be used to gain access to messages being sent to it.[9][10]
On smartphones, one-time passwords can also be delivered directly through mobile apps, including dedicated authentication apps such as Authy and Google Authenticator, or within a service's existing app, such as in the case of Steam. These systems do not share the same security vulnerabilities as SMS, and do not necessarily require a connection to a mobile network to use.[11][8][12]
Proprietary tokens
RSA Security's SecurID is one example of a time-synchronization type of token, along with HID Global's solutions. Like all tokens, these may be lost, damaged, or stolen; additionally there is an inconvenience as batteries die, especially for tokens without a recharging facility or with a non-replaceable battery. A variant of the proprietary token was proposed by RSA in 2006 and was described as 'ubiquitous authentication', in which RSA would partner with manufacturers to add physical SecurID chips to devices such as mobile phones.
Recently, it has become possible to take the electronic components associated with regular keyfob OTP tokens and embed them in a credit card form factor. However, the thinness of the cards, at 0.79 mm to 0.84 mm thick, prevents standard components or batteries from being used. Special polymer-based batteries must be used which have a much lower battery life than coin (button) cells. Semiconductor components must not only be very flat but must minimise power used in standby and when operating.
Yubico offers a small USB token with an embedded chip that creates an OTP when a key is pressed and simulates a keyboard to facilitate easily entering a long password.[13] Since it is a USB device it avoids the inconvenience of battery replacement.
A new version of this technology has been developed that embeds a keypad into a payment card of standard size and thickness. The card has an embedded keypad, display, microprocessor and proximity chip.
Web-based methods
Authentication-as-a-service providers offer various web-based methods for delivering one-time passwords without the need for tokens. One such method relies on the user’s ability to recognize pre-chosen categories from a randomly generated grid of pictures. When first registering on a website, the user chooses several secret categories of things; such as dogs, cars, boats and flowers. Each time the user logs into the website they are presented with a randomly generated grid of pictures. Each picture in the grid has a randomly generated alphanumeric character overlaid on it. The user looks for the pictures that fit their pre-chosen categories and enters the associated alphanumeric characters to form a one-time access code.[14][15]
Hardcopy OTP
In some countries' online banking, the bank sends to the user a numbered list of OTPs that is printed on paper. Other banks send plastic cards with actual OTPs obscured by a layer that the user has to scratch off to reveal a numbered OTP. For every online transaction, the user is required to enter a specific OTP from that list. Some systems ask for the numbered OTPs sequentially, others pseudorandomly choose an OTP to be entered. In Germany and many other countries like Austria and Brazil,[16] those OTPs are typically called TANs (for 'transaction authentication numbers'). Some banks even dispatch such TANs to the user's mobile phone via SMS, in which case they are called mTANs (for 'mobile TANs').
Comparison of technologies
Comparison of OTP implementations
The cheapest OTP solutions are those that deliver OTPs on paper, and those that generate OTPs on an existing device, without the costs associated with (re-)issuing proprietary electronic security tokens and SMS messaging.
For systems that rely on electronic tokens, algorithm-based OTP generators must cope with the situation where a token drifts out of sync with its server if the system requires the OTP to be entered by a deadline. This leads to an additional development cost. Time-synchronized systems, on the other hand, avoid this at the expense of having to maintain a clock in the electronic tokens (and an offset value to account for clock drift). Whether or not OTPs are time-synchronized is basically irrelevant for the degree of vulnerability, but it avoids a need to re-enter passwords if the server is expecting the last or next code that the token should have because the server and token have drifted out of sync.
Use of an existing mobile device avoids the need to obtain and carry an additional OTP generator. The battery may be recharged; as of 2011 most small card devices do not have rechargeable, or indeed replaceable, batteries. However, most proprietary tokens have tamper-proof features.
OTPs versus other methods of securing data
One-time passwords are vulnerable to social engineering attacks in which phishers steal OTPs by tricking customers into providing one or more OTPs that they used in the past. In late 2005 customers of a Swedish bank were tricked into giving up their one-time passwords.[17] In 2006 this type of attack was used on customers of a US bank.[18] Even time-synchronized OTPs are vulnerable to phishing, by two methods: The password may be used as quickly by the attacker as the legitimate user, if the attacker can get the OTP in plaintext quickly enough. The other type of attack—which may be defeated by OTP systems implementing the hash chain as discussed above—is for the phisher to use the information gained (past OTP codes which are no longer valid) by this social-engineering method to predict what OTP codes will be used in the future. For example, an OTP password-generator that is pseudo-random rather than truly random might or might not be able to be compromised, because pseudo-random numbers are often predictable once one has the past OTP codes. An OTP system can only use truly random OTPs if the OTP is generated by the authenticator and transmitted (presumably out-of-band) to the user; otherwise, the OTP must be independently generated by each party, necessitating a repeatable, and therefore merely pseudo-random, algorithm.
Although OTPs are in some ways more secure than a static memorized password, users of OTP systems are still vulnerable to man-in-the-middle attacks. OTPs should therefore not be disclosed to any third parties, and using an OTP as one layer in layered security is safer than using OTP alone; one way to implement layered security is to use an OTP in combination with a password that is memorized by the user (and never transmitted to the user, as OTPs often are). An advantage to using layered security is that a single sign-on combined with one master password or password manager becomes safer than using only 1 layer of security during the sign-on, and thus the inconvenience of password fatigue is avoided if one usually has long sessions with many passwords that would need to be entered mid-session (to open different documents, websites, and applications); however, the disadvantage of using many forms of security all at once during a single sign-on is that one has the inconvenience of more security precautions during every login—even if one is logging in only for a brief usage of the computer to access information or an application that doesn't require as much security as some other top-secret items that computer is used for. See also Related technologies, below.
Related technologies
More often than not, one-time passwords are an embodiment of two-factor authentication (2FA or T-FA). 2FA is a form of layered security where it is unlikely that both layers would be compromised by someone using only one type of attack.
Some single sign-on solutions make use of one-time passwords.
One-time password technology is often used with a security token.
Standardization
Many OTP technologies are patented. This makes standardization in this area more difficult, as each company tries to push its own technology. Standards do, however, exist – for example, RFC 1760 (S/KEY), RFC 2289 (OTP), RFC 4226 (HOTP) and RFC 6238 (TOTP).
See also
- Initiative For Open Authentication (OATH)
- KYPS (OTP system based on one-time pads)
- One-time pad (OTP)
- Time-based One-time Password algorithm (TOTP)
References
- [1] EOTP – Static Key Transfer. Defuse.ca (2012-07-13). Retrieved on 2012-12-21.
- [2] Barkan, Elad; Biham, Eli; Keller, Nathan (2003). 'Instant Ciphertext-Only Cryptanalysis of GSM Encrypted Communication': 600–16.
- [3] Barkan, Elad; Biham, Eli; Keller, Nathan. 'Instant Ciphertext-Only Cryptanalysis of GSM Encrypted Communication by Barkan and Biham of Technion (Full Version)' (PDF).
- [4] Gueneysu, Tim; Kasper, Timo; Novotný, Martin; Paar, Christof; Rupp, Andy (2008). 'Cryptanalysis with COPACOBANA' (PDF). IEEE Transactions on Computers. 57 (11): 1498–1513. doi:10.1109/TC.2008.80.
- [5] Nohl, Karsten; Paget, Chris (2009-12-27). GSM: SRSLY?. 26th Chaos Communication Congress (26C3). Retrieved 2009-12-30.
- [6] Fontana, John. 'NIST blog clarifies SMS deprecation in wake of media tailspin'. ZDNet. Retrieved 2017-07-14.
- [7] Meyer, David. 'Time Is Running Out For SMS-Based Login Security Codes'. Fortune. Retrieved 2017-07-14.
- [8] Brandom, Russell (2017-07-10). 'Two-factor authentication is a mess'. The Verge. Retrieved 2017-07-14.
- [9] Brandom, Russell (2019-08-31). 'The frighteningly simple technique that hijacked Jack Dorsey's Twitter account'. The Verge. Retrieved 2020-01-30.
- [10] Tims, Anna (2015-09-26). ''Sim swap' gives fraudsters access-all-areas via your mobile phone'. The Guardian. ISSN 0261-3077. Retrieved 2020-01-30.
- [11] Garun, Natt (2017-06-17). 'How to set up two-factor authentication on all your online accounts'. The Verge. Retrieved 2017-07-14.
- [12] McWhertor, Michael (2015-04-15). 'Valve adds two-factor login authentication to Steam mobile app'. Polygon. Retrieved 2015-09-08.
- [13] 'Yubico AB'. Bloomberg Businessweek. Retrieved 2011-07-13.
- [14] Chickowski, Ericka (2010-11-03). 'Images Could Change the Authentication Picture'. Dark Reading.
- [15] 'Confident Technologies Delivers Image-Based, Multifactor Authentication to Strengthen Passwords on Public-Facing Websites'. 2010-10-28.
- [16] BRB – Banco de Brasília – BRB Banknet. Portal.brb.com.br. Retrieved on 2012-12-21.
- [17] The Register article. The Register (2005-10-12). Retrieved on 2012-12-21.
- [18] Washington Post Security Blog. Blog.washingtonpost.com. Retrieved on 2012-12-21.
HMAC-based One-time Password algorithm (HOTP) is a one-time password (OTP) algorithm based on hash-based message authentication codes (HMAC). It is a cornerstone of the Initiative for Open Authentication (OATH).
HOTP was published as an informational IETF RFC 4226 in December 2005, documenting the algorithm along with a Java implementation. Since then, the algorithm has been adopted by many companies worldwide (see below). The HOTP algorithm is a freely available open standard.
Algorithm
The HOTP algorithm provides a method of authentication by symmetric generation of human-readable passwords, or values, each used for only one authentication attempt. The one-time property follows directly from the single use of each counter value.
Parties intending to use HOTP must establish some parameters; typically these are specified by the authenticator, and either accepted or not by the authenticated:
- A cryptographic hash method, H (default is SHA-1)
- A secret key, K, which is an arbitrary byte string, and must remain private
- A HOTP value length, d (6–10; the default is 6, and 6–8 is recommended)
Both parties compute the HOTP value, then the authenticator checks its locally generated value against the value supplied by the authenticated.
The authenticator and the authenticated increment the counter independently of each other; the latter may run ahead of the former, so a resynchronisation protocol is wise. RFC 4226 does not actually require one, but does make a recommendation: the authenticator simply retries verification with successive counter values beyond its own, through a look-ahead window of size s. The authenticator's counter then continues from the value at which verification succeeded, which requires no action by the authenticated.
The recommendation is also made that persistent throttling of HOTP value verification take place, to address the values' relatively small size and thus their vulnerability to brute-force attacks. It is suggested that verification be locked out after a small number of failed attempts, or that each failed attempt attract an additional (linearly increasing) delay.
6-digit codes are commonly provided by proprietary hardware tokens from a number of vendors, informing the default value of d. Truncation extracts 31 bits, or ≈ 9.3 decimal digits, meaning that d can be at most 10, with the 10th digit providing less extra variation, taking only the values 0, 1 and 2 (i.e., 0.3 digits).
Bidirectional authentication
After verification, the authenticator can authenticate itself simply by generating the next HOTP value, returning it, and then the authenticated can generate their own HOTP value to verify it. Note that counters are guaranteed to be synchronised at this point in the process.
HOTP value
The HOTP value is the human-readable design output, a d-digit decimal number (without omission of leading 0s):
- HOTP value = HOTP(K, C) mod 10^d
That is, the value is the d least significant base-10 digits of HOTP.
HOTP is a truncation of the hash-based message authentication code (HMAC) of the counter, C (under the key, K, and hash function, H).
- HOTP(K, C) = truncate(HMAC_H(K, C))
Truncation first takes the 4 least significant bits of the MAC and uses them as an offset, i.
- truncate(MAC) = extract31(MAC, MAC[(19 × 8) + 4 : (19 × 8) + 7] × 8)
That index i is used to select 31 bits from MAC, starting at bit i + 1.
- extract31(MAC, i) = MAC[i + 1 : i + (4 × 8) − 1]
Note that 31 bits is a single bit short of a 4-byte word. Thus, the value can be placed inside such a word without using the sign bit (the most significant bit). This is done to avoid doing modular arithmetic on negative numbers, as this has many differing definitions and implementations.[1]
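An added example (not RFC 4226's reference Java code) implementing in Python the HOTP value with dynamic truncation, the look-ahead window resynchronisation and the lockout throttling described above; it uses RFC 4226's published test key, the window and lockout sizes are assumed values, and totp() shows the RFC 6238 extension that feeds a time-step count into the same function.

```python
import hmac
import struct

# RFC 4226 Appendix D test key (ASCII "12345678901234567890"); used here only
# so the outputs can be checked against the published vectors.
RFC_TEST_KEY = b"12345678901234567890"


def hotp(key: bytes, counter: int, digits: int = 6, hash_name: str = "sha1") -> str:
    """HOTP value = truncate(HMAC_H(K, C)) mod 10^d, zero-padded to d digits.

    C is the 8-byte big-endian counter. Dynamic truncation reads the low 4 bits
    of the MAC's last byte (byte 19 for SHA-1) as a byte offset and keeps the
    31 bits after the sign bit of the 4 bytes starting at that offset.
    """
    if not 6 <= digits <= 10:
        raise ValueError("d must be between 6 and 10")
    mac = hmac.new(key, struct.pack(">Q", counter), hash_name).digest()
    offset = mac[-1] & 0x0F
    word = struct.unpack(">I", mac[offset:offset + 4])[0]
    code = word & 0x7FFFFFFF            # drop the most significant (sign) bit
    return str(code % 10 ** digits).zfill(digits)


def totp(key: bytes, unix_time: int, step: int = 30, digits: int = 8) -> str:
    """RFC 6238: HOTP with the counter replaced by the number of elapsed time steps."""
    return hotp(key, unix_time // step, digits)


class HotpAuthenticator:
    """Server side: look-ahead window resynchronisation plus lockout throttling.

    `window` (the RFC's s) and `max_failures` are assumed values for the example.
    """

    def __init__(self, key: bytes, digits: int = 6, window: int = 10, max_failures: int = 5):
        self.key = key
        self.digits = digits
        self.window = window
        self.max_failures = max_failures
        self.counter = 0        # next counter value the server expects
        self.failures = 0
        self.locked = False

    def verify(self, candidate: str) -> bool:
        if self.locked:
            return False
        # Try the expected counter and up to `window` values ahead of it, so a
        # token that ran ahead (e.g. button pressed without logging in) still works.
        for i in range(self.window + 1):
            expected = hotp(self.key, self.counter + i, self.digits)
            if hmac.compare_digest(expected, candidate):
                # Move past the accepted value so the same code can never be replayed.
                self.counter += i + 1
                self.failures = 0
                return True
        self.failures += 1
        if self.failures >= self.max_failures:
            self.locked = True   # throttling: further attempts are refused
        return False


if __name__ == "__main__":
    for c in range(3):
        print(c, hotp(RFC_TEST_KEY, c))
```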
Tokens
Both hardware and software tokens are available from various vendors, for some of them see references below. Hardware tokens implementing OATH HOTP tend to be significantly cheaper than their competitors based on proprietary algorithms.[2] As of 2010, OATH HOTP hardware tokens can be purchased for a marginal price.[3] Some products can be used for strong passwords as well as OATH HOTP.[4]
Software tokens are available for (nearly) all major mobile/smartphone platforms (J2ME,[5] Android,[6][7] iPhone,[8] BlackBerry,[9] Maemo,[10] macOS,[11] and Windows Mobile[9]).
Reception
Although the reception from some of the computer press has been negative during 2004 and 2005,[12][13][14] after IETF adopted HOTP as RFC 4226 in December 2005, various vendors started to produce HOTP compatible tokens and/or whole authentication solutions.
According to a paper on strong authentication (entitled 'Road Map: Replacing Passwords with OTP Authentication') published by Burton Group (a division of Gartner, Inc.) in 2010, 'Gartner's expectation is that the hardware OTP form factor will continue to enjoy modest growth while smartphone OTPs will grow and become the default hardware platform over time.'[2]
See also
References
- [1] Hoornaert, Frank; Naccache, David; Bellare, Mihir; Ranen, Ohad. 'HOTP: An HMAC-Based One-Time Password Algorithm'. tools.ietf.org.
- [2] Diodati, Mark (2010). 'Road Map: Replacing Passwords with OTP Authentication'. Burton Group.
Gartner's expectation is that the hardware OTP form factor will continue to enjoy modest growth while smartphone OTPs will grow and become the default hardware platform over time. ... If the organization does not need the extensive platform support, then OATH-based technology is likely a more cost-effective choice.
- [3] 'Security Authentication Tokens - Entrust'. Entrust. 2011.
Priced at $5 per token, the Entrust IdentityGuard Mini Token demonstrates that secure, reliable hardware authentication can be had at an attractive price. ... OATH and DES/3DES algorithm support
- [4] 'Password sCrib Tokens - Smart Crib'. Smart Crib. 2013.
You can get a token typing 4 updatable passwords and 8 digit OATH HOTP codes for the price of £35, no strings attached.
- [5] 'DS3 Launches OathToken Midlet Application'. Data Security Systems Solutions. 2006-02-24. Archived from the original on 2013-12-29.
Singapore, Friday, 24 February 2006 - Data Security Systems Solutions is pleased to announce the launch of OathToken Midlet application, an extension of DS3 flagship product - Authentication Server.
- [6] 'Android Token'. diamondz. AT googlemail.com (not a full address, no better info on author could be found). 2009.
Android Token is a project to create OATH software tokens for the Android platform. Turning a mobile phone into a One Time Password (OTP) generation device which can be used in the place of hardware tokens. ... The project supports both HOTP (Event Tokens) and TOTP (Time Tokens) specifications. ... Code license: GNU GPL v3
- [7] 'StrongAuth'. StrongAuth. 2010. Archived from the original on 2010-05-18.
Time-based one-time passcode generator based on HOTP (RFC 4226).
- [8] Cobbs, Archie L. (2010). 'OATH Token'. Archie L. Cobbs.
OATH Token is a free and open-source software token for two-factor authentication on the iPhone. OATH Token implements the RFC 4226 HOTP/OATH algorithm standard and is not tied to any proprietary server software.
- [9] 'ActivIdentity Soft Tokens'. ActivIdentity. 2010. Archived from the original on 2010-09-17.
All ActivIdentity Soft Tokens support the Initiative For Open Authentication (OATH) HMAC-Based One-Time Password (HOTP) algorithm. ... ActivIdentity Mobile Soft Tokens are available on leading handset operating systems, including BlackBerry®, Apple® iPhone®, Windows Mobile, and many other Java 2 Platform, Micro Edition (J2ME) enabled devices.
- [10] Whitbeck, Sean (2011). 'OTP Generator for N900'. Sean Whitbeck.
OTP Generator for Maemo on the Nokia N900. Supports OATH tokens (HOTP,TOTP) as well as the Mobile-OTP algorithm.
- [11] 'SecuriToken'. Feel Good Software. 2011. Archived from the original on 2012-04-25.
SecuriToken is an RFC compliant application to create and manage multiple software tokens for the OS X platform. Turning your Mac into a One Time Password (OTP) generation device which can be used in the place of hardware tokens.
- [12] Kearns, Dave (2004-12-06). 'Digging deeper into OATH doesn't look so good'. Network World.
It may be that OATH will amount to something someday, but so far, it appears to be a stalking horse for VeriSign and that's not a bandwagon we should thoughtlessly jump on.
- [13] Willoughby, Mark (2005-03-21). 'No agreement on Oath authentication'. Computerworld.
- [14] Kaliski, Burt (2005-05-19). 'Algorithm agility and OATH'. Computerworld.
Nevertheless, there is still good reason to question whether HOTP is suitable as a standard algorithm for OTP generation, and, more generally, whether such a standard algorithm is even necessary at all.