Tableless and Secure One-Time Password (OTP)
A one-time password (OTP) is a password that is only valid for a single login session or transaction. It is commonly used in the internet for registration and password reminder process in which OTPs are provides to the user in a form of a link that the user uses to access in order to create/reset his password.
Common requirements of One Time passwords are:
- Statistically unique – using the same password for all requests is probably not the right security choice.
- Hard to ‘guess’ – using sequential number is again, probably not the right security choice.
- Can be authenticated by the server – the server needs to distinguish between real OTP and bogus OTP.
- Good for one time – after the process is done the OTP should no longer be valid.
- Time limited – the OTP usually expires after a configurable amount of time.
- Secure – hackers should have a hard time changing the expiry date, username context and so forth.
Most OTP implementations use a Database table to persist the OTP and to manage their expiry date, a DB table might look like this:
id | User Id | OTP | Expire date |
---|---|---|---|
1 | Amir | Asfsd3434bgddh | 1/1/2010 |
2 | Someone | Ddfsd3345ssfsss | 7/1/2010 |
While this is a valid solution, it is not the most efficient and elegant one, the truth is that you do not need an additional table enable and manage OTPs.
The answer is simple – the seed for this OTP is already persisted in the Database in the form of the old password (or more exactly the old password hash)
Here is how it is done: