One-time password authentication employing local testing of candidate passwords from one-time password server

摘要

A computing system has a local computing domain coupled to a one-time password (OTP) server. The OTP server maintains user-specific secret data used in a one-time-password (OTP) process to generate OTPs for user authentication. An authentication server in the computing domain sends an OTP request identifying a user to the OTP server. The OTP server executes the OTP process to generate a set of candidate OTPs, any one of which is expected to match a user-generated OTP for a valid authentication. The OTP server returns a response to the authentication server which includes second hashed OTP values, each generated by applying a hash function to a respective candidate OTP. The authentication server performs a comparison function between a first hashed OTP value from the user and the second hashed OTP values. Only upon determining that the first hashed OTP value matches one of the second hashed OTP values, the authentication server performs a protected function in the computing domain that is permitted only upon authentication of the user. Applications include authentication in a ticket-based authentication scheme such as a Kerberos system, in which the protected function may be the granting of a ticket-granting ticket enabling the user to engage service servers in the computing domain.