
What are some efficient ways to generate challenge/response for a backdoor entry scheme?

We have a system that uses password authentication to access a database; the usernames and encrypted passwords are stored in the database. When a user forgets their password (or the administrator leaves for greener pastures), we want to be able to generate a new password for the current administrator or generate a new administrator.

We deal with our clients via telephone support. So we want to use this scenario:

user rings up - forgotten password.

client software generates a challenge code based on their site license

user tells phone support staff the challenge code

phone support staff give a response code

user enters challenge and response code, and goes in the backdoor (either new user created or password of current user reset)

We want the challenge/response to only work once; we don't want to leave the backdoor open.

How should we go about it?


RFC 4226, HOTP

This is the theory behind PIN calculators and you can get different implementations for it, so that you don't even have to pick up the phone but the client can generate it herself, with a mobile phone for example.
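The HOTP-based phone flow described in this answer, as an added example (not code from the original post or from the RFC): the client reads its counter out as the challenge, support answers with HOTP(site secret, counter), and both sides burn the counter so the code works only once. The `site_secret` derivation, the `master_key`, and the two classes are assumptions for illustration; the `hotp` function itself follows RFC 4226 section 5 and reproduces the RFC's test vectors.

```python
import hmac
import hashlib
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA-1 over the 8-byte big-endian counter, dynamic
    truncation to 31 bits, then the low `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = ((mac[offset] & 0x7F) << 24 | mac[offset + 1] << 16
              | mac[offset + 2] << 8 | mac[offset + 3])
    return str(binary % 10 ** digits).zfill(digits)


def site_secret(site_license: str, master_key: bytes) -> bytes:
    """Constructed derivation: per-site secret from the site license under a
    vendor master key, so the client only ever holds its own site secret."""
    return hmac.new(master_key, site_license.encode(), hashlib.sha256).digest()


class ClientSoftware:
    """Installed at the customer site (hypothetical): knows its own site secret
    and a persisted counter that only ever moves forward."""
    def __init__(self, secret: bytes):
        self.secret = secret
        self.counter = 0

    def challenge(self) -> int:
        return self.counter                 # read out to support over the phone

    def redeem(self, response: str) -> bool:
        ok = hmac.compare_digest(hotp(self.secret, self.counter), response)
        if ok:
            self.counter += 1               # burn the counter: code is one-shot
        return ok


class SupportDesk:
    """Vendor side (hypothetical): derives the site secret and answers each
    counter value at most once, so a replayed challenge gets no new response."""
    def __init__(self, master_key: bytes):
        self.master_key = master_key
        self.served = {}                    # site_license -> last counter answered

    def respond(self, site_license: str, challenge: int) -> str:
        if challenge <= self.served.get(site_license, -1):
            raise ValueError("counter already answered; refusing to re-issue")
        self.served[site_license] = challenge
        return hotp(site_secret(site_license, self.master_key), challenge)
```

Because the response is bound to the counter and the counter advances on success, a response written down during one call is useless for any later call.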


Generate the challenge code based on both the site license and the database-stored password. With the new password, the next challenge code will necessarily be different. No backdoor.
