

OTPW – A one-time password login package - gnosis
http://www.cl.cam.ac.uk/~mgk25/otpw.html

======
jgrahamc
Very similar to Steve Gibson's Perfect Paper Passwords scheme:
<https://www.grc.com/ppp.htm>. I wrote a Java implementation for phones
(<http://www.jgc.org/blog/2007/10/java-client-implementation-of-steve.html>).
This was my one and only foray into programming
for J2ME. I suspect that's something you only do once unless someone pays you
a lot of money.

------
bobds
This would be a great feature in a lot of web-based apps. Generate a few
hundred passwords when you are on a secure connection, use them when needed.

Edit: I found a few implementations.

<http://wordpress.org/extend/plugins/one-time-password/>

<http://alexking.org/blog/2008/06/27/phonefactor-10>

<http://henrik.schack.dk/yubikey-plugin/>

<http://blog.fastmail.fm/2008/07/21/one-time-and-sms-passwords/>

<http://squirrelmail.org/plugin_view.php?id=276>

Yubikey looks interesting and they also have a web service API.

<http://www.yubico.com/products/yubikey/>
<http://www.yubico.com/developers/api/>

MyPW is another web service: <https://www.mypw.com/>

OpenOTP supports both hardware tokens (also supports Yubikeys) and all kinds
of phones.

<http://www.rcdevs.com/products/openotp/>

~~~
gnosis
Before you trust Yubikey, you might want to read about its weaknesses:

<http://security.dj/?p=4>

------
lolipop1
So this basically solves the same problems as
<http://en.wikipedia.org/wiki/SecurID>, but using a paper sheet instead of a
hardware/software generated key?

~~~
gnosis
They are similar, but each has its advantages and disadvantages. According to
the OTPW site:

 _"Admittedly, the security obtained by OTPW is not comparable with that of a
challenge-response system in which the user has a PIN protected special
calculator that generates the response. On the other hand, a piece of paper is
much more portable, much more robust, and much cheaper than a special
calculator. OTPW was designed for the large user base, for which an extra
battery-powered device is inconvenient or not cost effective and who therefore
still use normal Unix passwords everywhere."_

