Open Access Open Access  Restricted Access Subscription or Fee Access

One-Time Password Authentication Techniques Survey

M. Ahmed Samy, B. Youssef, S. El Gamal, A. El Hadi Nabeeh


Personal computer or system security relies upon basic objectives, keeping unauthorized persons from accessing resources and guaranteeing that approved persons can get to the resources they require. The most fundamental type of client authentication, especially on the Web, is the password authentication protocol. This strategy constrains you to use username/password to get into client accounts or a resource on a private system, these methods have some disadvantages; password depends on user memory, and most people use default password which is vulnerable to attacks. Hence, security is totally based on confidentiality; i.e. the quality of the password utilized and this doesn't give a solid identity check. To overcome these problems, multi-factor authentication is used. A Method called OTP (One-Time password) is used for different authentication purposes and it works only for one login session on any computing device. The first system introduced to apply one-time password was the S/KEY system which was developed to authenticate the user to the UNIX-like operating system, in which users don't have to type a long password and at the same time accessing the system doesn't depend on a single username and password combination. Many systems have evolved to the S/KEY system as a development to the idea of One-time password technique, like HMAC-Based One-Time Password Algorithm (HOTP), Time-Based One-Time Password Algorithm (TOTP), OATH Challenge-Response Algorithm (OCRA) and Short Message Service (SMS) OTP. In this paper, we conducted a survey of these one-time password techniques and how OTP tokens are generated in each one.

This paper is divided into six sections; the first one is the introduction which presents simple password attack methodologies in the field of user authentication techniques and how OTP fits into this category, and classification of available used methods; section two is a literature review of OTP methods and algorithms; in section three, we list the possible OTP attacks that can face OTP methods on the internet; section four presents the history of OTP methods by priority of appearance in technology and usage; finally we end up the paper with the conclusion in section five, while section six contains the references of the articles used in this paper.


HMAC-Based One-Time Password Algorithm (HOTP), Multi-Factor Authentication, Network Security, OATH Challenge-Response Algorithm (OCRA), One Time Password (OTP), S/KEY System, Short Message Service (SMS) OTP, Time-Based One-Time Password Algorithm (TOTP),

Full Text:



. Jesudoss A, Subramaniam N. A Survey on Authentication Attacks and Countermeasures in a Distributed Environment. Indian J Comput Sci Eng IJCSE 2014; 5:71–77.

. Istyaq S, Agrawal L. A New Technique for User Authentication Using Numeric One Time Password Scheme 2016.

. Perrin chad. One-Time Passwords Fit Multifactor Authentication 2011. (accessed June 23, 2015).

. Khankari N, Kale G. SURVEY ON ONE TIME PASSWORD. Computer Engineering and Applications 2014; VIII.

. Abdellaoui A, Khamlichi YI, Chaoui H. A Novel Strong Password Generator for Improving Cloud Authentication. Procedia Comput Sci 2016; 85:293–300. DOI: 10.1016/j.procs.2016.05.236.

. Alsaiari H, Papadaki M, Dowland P, Furnell S. Graphical One-Time Password (GOTPass): A usability evaluation. INF Secur J Glob Perspect 2016; 25:94–108. doi:10.1080/19393555.2016.1179374.

. Jadhao P, Dole L. Survey on Authentication Password Techniques. Int J Soft Comput Eng IJSCE ISSN 2013; 3:2231–2307.

. Lindell AY. Time versus Event Based One-Time Passwords. Aladdin Knowl Syst 2007.

. M’Raihi D, Rydell J, Bajaj S, Machani S, Naccache D. OCRA: OATH challenge-response algorithm. 2011.

. Stallings W. Cryptography and network security: principles and practice. Seventh edition. Boston: Pearson; 2014.

. Haller N. The S/KEY one-time password system. 1995.

. Pomeranz H. One-Time Passwords. Deer Run Assoc 2000.

. Rivest R. The MD5 message-digest algorithm 1992.

. Krawczyk H, Canetti R, Bellare M. HMAC: Keyed-hashing for message authentication 1997.

. M’Raihi D, Bellare M, Hoornaert F, Naccache D, Ranen O. Hotp: An hmac-based one-time password algorithm. 2005.

. Eastlake D, Jones P. US secure hash algorithm 1 (SHA1). RFC 3174, September; 2001.

. M’Raihi D, Rydell J, Bajaj S, Machani S, Naccache D. OCRA: OATH challenge-response algorithm. 2011.

. M’Raihi D, Machani S, Pei M, Rydell J. Totp: Time-based one-time password algorithm. 2011.

. M’Raihi D, Bellare M, Hoornaert F, Naccache D, Ranen O. Hotp: An hmac-based one-time password algorithm. 2005.

. What is time-based one-time password (TOTP)? - Definition from Search Security 2015. (accessed December 12, 2015).


  • There are currently no refbacks.

Creative Commons License
This work is licensed under a Creative Commons Attribution 3.0 License.