A One-Time Password System
RFC 2289

Document Type RFC - Internet Standard (February 1998; No errata)
Obsoletes RFC 1938
Also known as STD 61
Authors Philip Nesser, Mike Straw, Craig Metz, Neil Haller
Last updated 2013-03-02
Stream Internet Engineering Task Force (IETF)
Network Working Group                                        N. Haller
Request for Comments: 2289                                    Bellcore
Obsoletes: 1938                                                C. Metz
Category: Standards Track                   Kaman Sciences Corporation
                                                             P. Nesser
                                            Nesser & Nesser Consulting
                                                              M. Straw
                                                         February 1998

                       A One-Time Password System

Status of this Memo

   This document specifies an Internet standards track protocol for the
   Internet community, and requests discussion and suggestions for
   improvements.  Please refer to the current edition of the "Internet
   Official Protocol Standards" (STD 1) for the standardization state
   and status of this protocol.  Distribution of this memo is unlimited.

Copyright Notice

   Copyright (C) The Internet Society (1998).  All Rights Reserved.

Abstract

   This document describes a one-time password authentication system
   (OTP). The system provides authentication for system access (login)
   and other applications requiring authentication that is secure
   against passive attacks based on replaying captured reusable
   passwords. OTP evolved from the S/KEY (S/KEY is a trademark of
   Bellcore) One-Time Password System that was released by Bellcore and
   is described in references [3] and [5].

1. INTRODUCTION

   One form of attack on networked computing systems is eavesdropping on
   network connections to obtain authentication information such as the
   login IDs and passwords of legitimate users. Once this information is
   captured, it can be used at a later time to gain access to the
   system. One-time password systems are designed to counter this type
   of attack, called a "replay attack" [4].

   The authentication system described in this document uses a secret
   pass-phrase to generate a sequence of one-time (single use)
   passwords.  With this system, the user's secret pass-phrase never
   needs to cross the network at any time such as during authentication

Haller                      Standards Track                     [Page 1]
RFC 2289               A One-Time Password System          February 1998

   or during pass-phrase changes. Thus, it is not vulnerable to replay
   attacks.  Added security is provided by the property that no secret
   information need be stored on any system, including the server being

   The OTP system protects against external passive attacks against the
   authentication subsystem. It does not prevent a network eavesdropper
   from gaining access to private information and does not provide
   protection against either "social engineering" or active attacks [9].

2. OVERVIEW

   There are two entities in the operation of the OTP one-time password
   system. The generator must produce the appropriate one-time password
   from the user's secret pass-phrase and from information provided in
   the challenge from the server. The server must send a challenge that
   includes the appropriate generation parameters to the generator, must
   verify the one-time password received, must store the last valid
   one-time password it received, and must store the corresponding one-
   time password sequence number. The server must also facilitate the
   changing of the user's secret pass-phrase in a secure manner.

   The OTP system generator passes the user's secret pass-phrase, along
   with a seed received from the server as part of the challenge,
   through multiple iterations of a secure hash function to produce a
   one-time password. After each successful authentication, the number
   of secure hash function iterations is reduced by one.  Thus, a unique
   sequence of passwords is generated.  The server verifies the one-time
   password received from the generator by computing the secure hash
   function once and comparing the result with the previously accepted
   one-time password.  This technique was first suggested by Leslie
   Lamport [1].
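   The generator/server split described in the overview above and the
   hash-chain verification step of the last paragraph, as an added
   illustration that is not code from the RFC. It substitutes SHA-256
   over the full digest for the RFC's own hash step (which the text
   above does not detail), so it is the Lamport chain structure, not the
   interoperable RFC 2289 algorithm. The seed normalization, the
   function names, and the sample pass-phrase and seed are constructed
   for the example.

```python
import hashlib
import hmac
from typing import Dict, Tuple


def hash_once(value: bytes) -> bytes:
    # One step of the chain. Assumption: SHA-256 over the full digest; the RFC's
    # own step (not shown in the excerpt above) is not reproduced here.
    return hashlib.sha256(value).digest()


def generate_otp(passphrase: str, seed: str, count: int) -> bytes:
    """Generator side: run (seed || pass-phrase) through `count` hash iterations."""
    # Assumption: seed is case-folded before concatenation (constructed normalization).
    value = (seed.lower() + passphrase).encode("utf-8")
    for _ in range(count):
        value = hash_once(value)
    return value


class OtpServer:
    """Server side: keeps the seed, the last accepted OTP and its sequence number.
    Neither the pass-phrase nor the next valid OTP is stored."""

    def __init__(self, seed: str, last_otp: bytes, sequence: int) -> None:
        self.seed = seed
        self.last_otp = last_otp      # hash^sequence of the secret material
        self.sequence = sequence

    def challenge(self) -> Tuple[int, str]:
        # Ask for hash^(sequence-1): one iteration fewer than the last accepted value.
        return self.sequence - 1, self.seed

    def verify(self, otp: bytes) -> bool:
        # Refuse once the chain is about to reach hash^0 (the un-hashed secret);
        # at that point the user must re-initialize with a fresh seed.
        if self.sequence <= 1:
            return False
        # Hashing the candidate once must reproduce the previously accepted OTP.
        if not hmac.compare_digest(hash_once(otp), self.last_otp):
            return False
        self.last_otp = otp           # the accepted OTP becomes the new comparison value
        self.sequence -= 1
        return True


def initialize_server(passphrase: str, seed: str, count: int) -> OtpServer:
    # Initialization: the generator computes hash^count once and the server keeps
    # only that value and the count. The pass-phrase never reaches the server.
    return OtpServer(seed, generate_otp(passphrase, seed, count), count)


def demo() -> Dict[str, object]:
    # Constructed sample values; not taken from the RFC.
    passphrase = "correct horse battery staple"
    seed = "ke1234"
    server = initialize_server(passphrase, seed, count=100)
    results: Dict[str, object] = {}

    count, chal_seed = server.challenge()                       # (99, "ke1234")
    otp = generate_otp(passphrase, chal_seed, count)
    results["first_login"] = server.verify(otp)                 # True

    # A captured OTP replayed verbatim fails: hashing it once gives hash^100,
    # but the server now compares against hash^99.
    results["replay"] = server.verify(otp)                      # False

    count, chal_seed = server.challenge()                       # (98, "ke1234")
    results["wrong_passphrase"] = server.verify(
        generate_otp("not the pass-phrase", chal_seed, count))  # False
    results["second_login"] = server.verify(
        generate_otp(passphrase, chal_seed, count))             # True
    results["sequence_after"] = server.sequence                 # 98
    return results


if __name__ == "__main__":
    print(demo())
```

   Running `demo()` walks two successful logins, one replay of a
   captured password and one attempt with the wrong pass-phrase; only the
   two genuine logins succeed, and the server's stored state after them is
   the last accepted OTP plus the sequence number 98, with no secret on
   the server at any point.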

3. REQUIREMENTS TERMINOLOGY

   In this document, the words that are used to define the significance
   of each particular requirement are usually capitalized.  These words
   are:

     - MUST

       This word or the adjective "REQUIRED" means that the item is an
       absolute requirement of the specification.

     - SHOULD

       This word or the adjective "RECOMMENDED" means that there might
       exist valid reasons in particular circumstances to ignore this
       item, but the full implications should be understood and the case
       carefully weighed before taking a different course.