i have a hardware token for remote login to some citrix environment.
When i click the button on the device, i get an id and i can use that to login to the citrix farm. I can click the button as much as i like, and every time a new code gets generated, and they all work.

Now i want to secure my private website likewise, but not with the hardware token, but with a ‘token app’ on my phone. So i run an app on my phone, generate a key, and use that to (partly) authenticate myself on the server.

But here’s the point: i don’t know how it works! How can i generate 1, 2 or 100 keys at one time which i can see (on the server) are all valid, but without the server and the phone app having contact (the hardware token also is an ‘offline’ solution).

Can you help me with a hint how i would do this?

This is what i thought of so far: the phone app and the server app know (hardcoded) the same encryption key. The phone app encrypts the current time. The server app decrypts the string to the current time and if the diff between that time and the actual server time is less than 10 minutes it’s an ok.
Difficult for other users to fake a key, but encryption gives such nasty strings to enter, and the hardware token gives me nice things like ‘H554TU8’
And this is probably not how the real hardware token works, because the server and the phone app must ‘know’ the same encryption key.

Michel