How to create pins with one password (aka Google 2-Factor-Auth)

maybe some of you know Googles 2-Factor-Authentication; first Google generates a constant password (eg. "abcd"). If you login, you're asked for a pin, an app can generate that or you can use one of 10 preset pins. The interesting part is, that you don't have to use one pin, the app generates a random one without using ne开发者_开发知识库twork access.

How is that done? I know how to do it with one specific pin, but how could you use several "random" pins?

Thanks, Marc

This is made possible by systems like HOTP (hash-based OTP). The RFC explains how it works in detail, but in short:

1. The server generates a random secret key and shares it with the OTP generator.
2. Both server and OTP generator initialize a counter to 0.
3. When the user requests a new key from the OTP generator, it increments the counter, calculates the HMAC of it using the shared key, and encodes part of the hash in a specified way, resulting in a numeric code.
4. When the server receives an OTP code, it performs the same calculation, accepting it if it matches. If it does not, it tries again with several other (larger) counter IDs in case the user skipped one or more IDs.

Pre-generated lists of OTPs are simply produced as described above, ahead of time.

I believe that Google does it by computing multiple pins that it thinks you could use, and is willing to accept any of these that match.

This is an important usability feature, because it means that if someone fails to login once using 2-factor, they can try to login another time and still be OK.