Home/ Questions/Q 6047837
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-23T07:23:45+00:00

maybe some of you know Googles 2-Factor-Authentication; first Google generates a constant password (eg.

  • 0

maybe some of you know Googles 2-Factor-Authentication; first Google generates a constant password (eg. “abcd”).
If you login, you’re asked for a pin, an app can generate that or you can use one of 10 preset pins. The interesting part is, that you don’t have to use one pin, the app generates a random one without using network access.

How is that done? I know how to do it with one specific pin, but how could you use several “random” pins?

Thanks,
Marc

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    This is made possible by systems like HOTP (hash-based OTP). The RFC explains how it works in detail, but in short:

    1. The server generates a random secret key and shares it with the OTP generator.
    2. Both server and OTP generator initialize a counter to 0.
    3. When the user requests a new key from the OTP generator, it increments the counter, calculates the HMAC of it using the shared key, and encodes part of the hash in a specified way, resulting in a numeric code.
    4. When the server receives an OTP code, it performs the same calculation, accepting it if it matches. If it does not, it tries again with several other (larger) counter IDs in case the user skipped one or more IDs.

    Pre-generated lists of OTPs are simply produced as described above, ahead of time.

    • 0