We implemented OTP as one of many authentication methods for a network appliance. The appliances were used for "back door" access into server infrastructure.
I was tasked by our test group to read through the documents available and come up with a method for comprehensively testing OTP functionality.
There are a couple of major issues:
- generate "one-time pads" of passwords
- recovery in the case of a loss-of-sequence
You sometimes don't get proper challenge/authenticate success, for whatever reason. It is important to understand how to recover from that scenario: which password works next in sequence.
I had to surrender all my notes on the subject, so I am working from my leaky memory here :)