What's OTP?

In this section:

What is the one-time password system (OTP)?

OTP is a system that secures the authentication subsystem against external attacks. OTP does not, however, prevent the wily cracker from eavesdropping on your network and gaining access to sensitive information. Nor can this be achieved solely with a firewall: network eavesdropping can be prevented only by eliminating the ability to sniff packets where sensitive data passes. OTP also does not protect the organization from 'inside jobs' or against active attacks in which the potential intruder is able to intercept and modify the packet stream.

Good password security is part of your first line of defense against system abuse. People trying to gain unauthorized access to your system often try to guess the passwords of legitimate users. Two common and related ways of attacking computing systems connected to the Internet are theft of the system password file and eavesdropping on network connections to obtain the user IDs and passwords of legitimate users.

The one-time password system is designed to counter the capture of user passwords on the network by forcing a user to use a different password each time he or she logs in. This is accomplished by providing the user with a password that is different for each login, whether the login attempt is successful or not. As a result, it is not possible for the passwords to be re-used in a replay attack.

How does OTP work?


The typical Unix system presents an unsecured login prompt where the user enters a password. The password is sent in clear text across the local or wide area network, making it easy for a cracker to steal it.

When the OTP system is in operation, only a single-use password ever crosses the network. This one-time password consists of six English words and is therefore not distinguishable from an ordinary Unix cleartext password. Whether the multi-use or the single-use password is used, the text is sent in the clear across the network; this means that the text is not private.


OTP works by providing the user with a challenge. The challenge is a predetermined string of text, to which there is only one possible response. OTP makes use of a seed value, an iteration value, and a secret pass phrase that is known only to the user. The challenge is composed of the seed value and the iteration value. The response to the challenge is generated using a special program called a calculator on the user's workstation. Using the seed and iteration values, along with the user's secret pass phrase, the calculator generates the response to the challenge. The user's secret pass phrase never crosses the network at any time, including during login or when executing other commands requiring authentication.
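The seed, iteration value and pass-phrase scheme described above is the S/KEY-style calculation standardised in RFC 2289; the following Python is an added example, not code from this page or from OTP Systems Corporation, showing the MD5 form of that calculation together with a hypothetical server-side check (the OtpServer class is an illustration, not any product's API). The response is shown in hex rather than the six-word form, since the word encoding needs the RFC's 2048-word dictionary; the pass phrase and seed are the RFC 2289 test-vector values.

```python
import hashlib
import hmac


def fold(digest: bytes) -> bytes:
    """RFC 2289 MD5 folding: XOR the two 64-bit halves of the 128-bit digest."""
    return bytes(a ^ b for a, b in zip(digest[:8], digest[8:]))


def otp_md5(passphrase: str, seed: str, count: int) -> bytes:
    """One-time password number `count` for a pass phrase and seed.
    Initial step: fold(MD5(lowercased seed || pass phrase)); then `count`
    computation steps of fold(MD5(previous)). Only this 8-byte result is
    ever sent; the pass phrase itself never leaves the calculator."""
    otp = fold(hashlib.md5((seed.lower() + passphrase).encode()).digest())
    for _ in range(count):
        otp = fold(hashlib.md5(otp).digest())
    return otp


def to_hex(otp: bytes) -> str:
    """Hex form as printed by S/KEY-style calculators, e.g. '9E87 6134 D904 99DD'."""
    h = otp.hex().upper()
    return " ".join(h[i:i + 4] for i in range(0, 16, 4))


class OtpServer:
    """Hypothetical server side: it keeps only the seed, the current sequence
    number and the last accepted password, never the pass phrase."""

    def __init__(self, enrolment_otp: bytes, seed: str, count: int):
        self.seed, self.count, self.last = seed, count, enrolment_otp

    def challenge(self) -> str:
        # Sent in the clear: iteration value and seed, neither of which is secret.
        return f"otp-md5 {self.count - 1} {self.seed}"

    def verify(self, response: bytes) -> bool:
        if self.count <= 1:
            return False  # sequence exhausted: the user must re-initialise with a new seed
        # Hashing the response once more must reproduce the previously accepted password.
        if not hmac.compare_digest(fold(hashlib.md5(response).digest()), self.last):
            return False
        self.last, self.count = response, self.count - 1  # roll forward: a replay now fails
        return True


if __name__ == "__main__":
    phrase, seed = "This is a test.", "TeSt"          # RFC 2289 test-vector values
    server = OtpServer(otp_md5(phrase, seed, 99), seed, 99)  # enrolment: client supplies otp(99)
    print(server.challenge())                          # otp-md5 98 TeSt
    reply = otp_md5(phrase, seed, 98)                  # computed by the calculator, sent in clear
    print(to_hex(reply), server.verify(reply))         # accepted once ...
    print(server.verify(reply))                        # ... a captured copy is refused
```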


What is a dynamic password?

A dynamic password (abbreviated OTP in English) is a security system that isolates against external attacks. However, OTP is not a system that can replace the function of a firewall and prevent cookies from stealing your confidential data over the network, nor can it guard against attacks from the internal network. So what kind of protection can OTP provide us?

Therefore, a good password security mechanism is the first line of defense against attacks. The two most common network intrusion methods are stealing user account passwords, or stealing confidential data directly. In an ordinary static single-password system, simple, easy-to-remember passwords are easily guessed, while complex ones are hard to remember; all kinds of human factors in their use lead to insecure results.

The biggest advantage of dynamic passwords, which arose in response to online transaction security, is that they use randomly generated passwords: a different password is generated for each event, and it is used only once (One-Time Password). Even if a hacker intercepts this one password, it cannot be applied to the next login.


How do dynamic passwords work?

Dynamic passwords are generated automatically and randomly by a system or by a dynamic password generating device. There are two kinds of OTP mechanisms on the market: a dynamic password generator (token), or an OTP card reader plus chip card, which generates a random password each time the device is used; with a token, a random password is generated every 60 seconds. But the password generator is not connected to the computer when it generates the dynamic password, so how can the computer system confirm the validity of the password and identify the user?

In fact, when the chip card is issued, a diversified personal key value is already loaded into it; every card's key value is different, and in addition each use has a different sequence number. The key value and the usage sequence number determine the password. So the passwords generated by different cards are different, and the same card with a different sequence number also generates a different dynamic password. The computer system can then verify the dynamic password computed from the personal key value together with the usage sequence number.


An Omnitech company. Copyright © 2007 OTP Systems Corporation. All rights reserved.