Uncle Seryozha, 2017-11-01 12:58:04

What are text-based OTPs?

Hi, tell me what algorithms there are for generating an OTP based on text provided by the client. The counter-based OTP generators TOTP and HOTP are not suitable.
Purpose: the client sends us the payment, we generate the OTP based on the payment and send the OTP to the client via SMS / PUSH; the ultimate goal in the future is to be able to generate the OTP and, as it were, create a payment identifier at the same time.


2 answer(s)
Sly_tom_cat ., 2017-11-01
@Protos

And why exactly are the TOTP and HOTP OTPs not suitable?
If you don't like the time and the counter, feed a hash of your document into the algorithm as its input. Only then it will no longer be an OTP, because one document will always have the same password.

Nikolai Korabelnikov, 2017-11-15
@nmk2002

There is the OATH OCRA algorithm (RFC 6287). The principle is this: the user sees the server request in the browser, enters it into the OTP generator, and the one-time password is displayed on the generator. The user enters this password in the browser. True, this is not at all what you described: here the password itself is generated on the client side.
But what you want may not be safe. One-time codes that the user receives via SMS / push channels for direct use as passwords must be randomly generated and must not depend on the input data. Otherwise, all your security will rest on the obscurity / complexity of your algorithm. Life has proven many times that "security through obscurity" is a bad defense.
Since you are considering a push channel for interacting with the client, take a look at authentication and electronic signature methods that use a smartphone as a token: not an OTP token, but a cryptographic token with asymmetric keys. Everything is much simpler than it might seem at first glance. When a document needs to be signed (and similarly for authentication), the user receives a push message on the smartphone; tapping it opens the details of the transaction, which the user accepts and signs in the usual way (PIN, fingerprint, FaceID).
I can answer questions about such software or, if you want, demonstrate the implementation of such authentication / signature.
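
Added example, not code from either answer: a server-side sketch of the approach the second answer recommends, where the SMS / push code is random and is only bound to the payment in the server's own records rather than derived from it. The function names, the in-memory store, the 120-second lifetime and the three-attempt limit are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

OTP_DIGITS = 6
OTP_TTL_SECONDS = 120   # assumed validity window
MAX_ATTEMPTS = 3        # assumed guess limit per issued code

_pending = {}  # payment_id -> record; stand-in for a real server-side store


def _digest(payment: bytes) -> bytes:
    """Fingerprint of the exact payment the code was issued for."""
    return hashlib.sha256(payment).digest()


def issue_otp(payment_id, payment: bytes, now: float) -> str:
    """Draw a code from the CSPRNG and record which payment it authorises."""
    code = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
    _pending[payment_id] = {
        "code": code,
        "payment_digest": _digest(payment),
        "expires": now + OTP_TTL_SECONDS,
        "attempts_left": MAX_ATTEMPTS,
    }
    return code  # this value goes to the client over SMS / push


def verify_otp(payment_id, payment: bytes, code: str, now: float) -> bool:
    """Accept a code once, before expiry, and only for the unchanged payment."""
    rec = _pending.get(payment_id)
    if rec is None:
        return False
    if now > rec["expires"]:
        del _pending[payment_id]
        return False
    rec["attempts_left"] -= 1
    # Constant-time comparisons; both are always evaluated.
    code_ok = hmac.compare_digest(rec["code"].encode(), code.encode())
    same_payment = hmac.compare_digest(rec["payment_digest"], _digest(payment))
    ok = code_ok and same_payment
    if ok or rec["attempts_left"] == 0:
        del _pending[payment_id]  # single use, or locked out after guesses
    return ok
```

The same payment submitted twice receives two unrelated codes, so a code reveals nothing about the payment and cannot be recomputed by anyone who learns how the server works.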
