4

From RFC 4226 I understand how HOTP generates one-time passwords by incrementing a counter and uses the 'look-ahead' window to try to resynchronise (from this counter) if the user tries a few wrong passwords.

Say the user leaves their token with their cat, which decides to generate 200 passwords while rolling around with it. This would likely desynchronise the system such that the user will not be able to log in, even with the look-ahead.

I assume the user would need assistance to reset the system, but what are the actual steps to doing this?

Additionally, what would be a good number for the parameter w? 10? 50? 100?

Jim
  • 41
  • 2

2 Answers

5

The usual resynchronization method involves getting several consecutive codes from the token and then running the algorithm once with a very large look-ahead window until the set of consecutive codes is found. The number of consecutive codes needed depends on how far off the token is.

With a typical token, two codes would suffice to handle a desynch of 200. Many HOTP systems will simply ask you for a second code and fix a desynch of less than 500 codes or so by themselves.

David Schwartz
  • 4,739
  • 21
  • 31
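The procedure described in this answer, as an added example that is not part of the answer or of any HOTP product: an RFC 4226 HOTP generator, the normal look-ahead check with a small window `w`, and a resynchronisation routine that takes two consecutive codes and scans a very large window. The secret is the RFC 4226 Appendix D test-vector key, so the first few codes can be checked against the RFC; the function names, the cat scenario (token advanced to counter 200) and the window sizes are assumptions made for the example. The last helper quantifies why a large window is only safe when several codes are required: with a single 6-digit code and a window of 10,000, a random guess is accepted about 1% of the time, while two consecutive codes bring that down to roughly 10^-8.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    then 'dynamic truncation' to a decimal code of the requested length."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = (
        (digest[offset] & 0x7F) << 24
        | digest[offset + 1] << 16
        | digest[offset + 2] << 8
        | digest[offset + 3]
    )
    return str(code % (10 ** digits)).zfill(digits)


def verify(secret: bytes, server_counter: int, code: str, window: int = 10):
    """Normal login check with look-ahead window w (RFC 4226 section 7.4).
    Returns the counter value the server should store next (one past the
    matched counter), or None if the code lies outside the window."""
    for c in range(server_counter, server_counter + window):
        if hmac.compare_digest(hotp(secret, c), code):
            return c + 1
    return None


def resync(secret: bytes, server_counter: int, codes, max_window: int = 10_000):
    """Resynchronisation: the user supplies several consecutive codes, and the
    server scans a very large window for a counter where they all line up.
    Returns the new server counter, or None if no match is found."""
    for c in range(server_counter, server_counter + max_window):
        if all(
            hmac.compare_digest(hotp(secret, c + i), code)
            for i, code in enumerate(codes)
        ):
            return c + len(codes)
    return None


def false_accept_probability(window: int, digits: int = 6, n_codes: int = 1) -> float:
    """Chance that a single random guess of n_codes consecutive codes is
    accepted somewhere inside the window (union bound, exact enough here)."""
    p_single = 10.0 ** (-(digits * n_codes))
    return 1.0 - (1.0 - p_single) ** window


if __name__ == "__main__":
    # Constructed scenario: shared secret is the RFC 4226 test-vector key,
    # server counter is 0, the cat has advanced the token to counter 200.
    secret = b"12345678901234567890"
    token_counter = 200

    cat_code = hotp(secret, token_counter)
    print("normal login with w=10:", verify(secret, 0, cat_code, window=10))  # None

    two_codes = [hotp(secret, token_counter), hotp(secret, token_counter + 1)]
    print("resync with two codes:", resync(secret, 0, two_codes))  # 202

    print("P(false accept), 1 code, window 10000: %.4f"
          % false_accept_probability(10_000, n_codes=1))
    print("P(false accept), 2 codes, window 10000: %.2e"
          % false_accept_probability(10_000, n_codes=2))
```

The design point is that `verify` and `resync` differ only in the window size and the number of codes demanded; asking for a second code is what makes a window of thousands acceptable, because the false-accept rate scales with `window / 10^(digits * n_codes)`.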
1

As I understand it, the user's token normally can't be reset (without destroying it).

So, the assistance would consist of either giving a new token to the user (and declaring the old one invalid), or stepping the server ahead until it matches again (i.e. running the algorithm once with a really large window size).

Paŭlo Ebermann
  • 22,946
  • 7
  • 82
  • 119