How do banks (and other websites) create one-time passcodes? (OTPs)
It used to be that banks (and other sites) would text or email 4-digit codes (8374).
Now almost all have gone to 6-digit codes (287535), and a few have gone to alphanumeric codes of various lengths (like this: Yn8wrDeJ)
Are these truly random? Are the numeric codes some sort of algorithm that takes this exact millisecond and uses the last 6 digits? What about the alphanumeric ones – how are they produced?
(observation: recently almost all of the 6-digit codes I’ve received have had at least one number repeated (884709 or 547045) which I think makes them easier to remember.)
Does anyone know how they are produced?
6 Answers
I doubt that they are random.
My bank issued a TAN generator device, that is not connected to the internet, and that you have to insert your debit card into, to generate the TAN.
Therefore it seems necessary that there is a specific algorithm that generates numbers according to an identifiable pattern that the website itself can recognise, otherwise you could enter any random string of numbers and it would work.
It depends on the site.
In many cases, it is random, using one of various standard random number generators used in computing.
The odds of a 6-digit code repeating at least one digit is 1 – 0.9^6, or about 47%.
If you do a probability analysis of digits that might repeat in a 6-digit sequence, the probability is low that there will be no duplicates, i.e. first digit is x = 10/10, second digit different = 9/10, third digit different = 8/10, ... multiply them together and get a low probability (15%) that there will be no duplicated digits. 85% chance that there will be.
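The product in the answer above, carried through in code and cross-checked by brute force. This is an added example, not part of the original thread; it generalises the 6-digit, base-10 case to any code length and digit alphabet, and also computes the "two equal digits next to each other" variant that the follow-up reply mentions, since those are two different events with different probabilities.

```python
from itertools import product
from math import prod


def p_no_repeated_digit(n_digits: int, base: int = 10) -> float:
    """Probability that an n-digit code has all-distinct digits.

    This is the (base/base) * ((base-1)/base) * ((base-2)/base) * ... product
    from the answer: each new digit must avoid every digit already used.
    """
    if n_digits > base:          # pigeonhole: more digits than symbols
        return 0.0
    return prod((base - i) / base for i in range(n_digits))


def p_no_adjacent_repeat(n_digits: int, base: int = 10) -> float:
    """Probability that no two *neighbouring* digits are equal.

    The first digit is free; each later digit only has to differ from the
    one immediately before it, so each factor is (base-1)/base.
    """
    return ((base - 1) / base) ** (n_digits - 1)


def count_by_enumeration(n_digits: int, base: int = 10) -> tuple[int, int]:
    """Brute-force check: walk every code (000000 .. 999999 for 6 digits)
    and count how many have all-distinct digits and how many have no
    adjacent repeat.  Returns (distinct_count, adjacent_free_count)."""
    distinct = adjacent_free = 0
    for code in product(range(base), repeat=n_digits):
        if len(set(code)) == n_digits:
            distinct += 1
        if all(a != b for a, b in zip(code, code[1:])):
            adjacent_free += 1
    return distinct, adjacent_free


if __name__ == "__main__":
    n = 6
    print(f"P(no digit repeats anywhere, {n} digits) = {p_no_repeated_digit(n):.4f}")
    print(f"P(no two neighbours equal,  {n} digits) = {p_no_adjacent_repeat(n):.4f}")
    distinct, adj_free = count_by_enumeration(n)
    print(f"enumeration: {distinct} all-distinct codes, {adj_free} with no adjacent repeat, of {10**n}")
```

For 6 decimal digits the closed form gives 0.1512 (so about 85% of codes contain at least one repeated digit, as the answer says), and the enumeration confirms it with 151200 all-distinct codes out of 1,000,000. The adjacent-repeat event is rarer: 590490 codes have no neighbouring pair equal, so only about 41% contain one. Neither figure says anything about whether the generator is random; a uniformly random 6-digit code repeats a digit this often simply because there are only ten digits to choose from.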
@RocketGuy Oh, right. I thought @elbanditoroso meant two digits the same in a row – the chance IS much higher than I calculated, if they can be anywhere in the six digits!
In the case of @ragingloli’s TAN generator the bank uses a cryptographic function that uses both a unique number that both parties know and the current time (or at least the number of 30 second intervals since the start of computer time). This is the same as Google Authenticator if you use it or something similar for 2fa (which you should). This way anyone who has the unique number can generate the same number at the same time.
If they are texting or emailing a number to you there’s no reason why they can’t use a random number but I suspect they are still using the same technology as why not.
It’s important when looking at lots of numbers (any numbers) to remember that the human brain is very good at seeing patterns even when they don’t exist.
Also, for 4-digit PINs where an attacker knows which 4 numbers are involved but not the order (say greasy finger marks on a screen), having 1 digit repeat makes it harder to guess the correct order.
It is a pseudo-random generated code with a hash based on time or a counter. It is typically a TOTP (Time-based OTP) seeing it has an expiration. Storage is the big problem here, also if the storage server gets hacked, then the randomness of your infinitely larger string would not matter. Instead, servers generate an OTP based on some seed value (randomly generated / time value / etc). This requires no storage, a little bit of computing power, that’s it.
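Both mechanisms described in the last two answers, side by side, as an added example that is not code from the thread or from any bank. The first half is the counter/time-based scheme (HMAC over a shared secret and a 30-second time step, the Google Authenticator style TOTP from RFC 6238, built on HOTP from RFC 4226); the second half is the "text you a random number" scheme, which is why that variant needs server-side storage and an expiry. The secret, user names, timestamps and TTL are constructed for the example; the secret `12345678901234567890` is the published RFC test key, so the outputs can be checked against the RFC tables.

```python
import hashlib
import hmac
import secrets
import struct


def hotp(secret: bytes, counter: int, digits: int = 6, algo: str = "sha1") -> str:
    """RFC 4226 HOTP: HMAC(secret, counter) -> dynamic truncation -> N digits."""
    msg = struct.pack(">Q", counter)                 # 8-byte big-endian counter
    mac = hmac.new(secret, msg, algo).digest()
    offset = mac[-1] & 0x0F                          # low nibble picks a window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)    # keep leading zeros


def totp(secret: bytes, for_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: the counter is the number of `step`-second intervals
    since the Unix epoch, so both sides compute the same value from the clock."""
    return hotp(secret, int(for_time) // step, digits)


def verify_totp(secret: bytes, candidate: str, now: int,
                step: int = 30, digits: int = 6, window: int = 1) -> bool:
    """Accept the code for the current step and `window` steps either side,
    to tolerate clock drift between the token and the server."""
    return any(
        hmac.compare_digest(totp(secret, now + d * step, step, digits), candidate)
        for d in range(-window, window + 1)
    )


class DeliveredCodeStore:
    """Codes sent by SMS or email are simply random, so the server has to
    remember what it sent.  Constructed example: store only a salted hash,
    give each code a lifetime, and let it be used once."""

    def __init__(self, ttl_seconds: int = 300):
        self.ttl = ttl_seconds
        self._pending: dict[str, tuple[bytes, bytes, int]] = {}

    @staticmethod
    def _digest(salt: bytes, code: str) -> bytes:
        return hashlib.sha256(salt + code.encode()).digest()

    def issue(self, user: str, now: int, digits: int = 6) -> str:
        """Generate a code with the OS CSPRNG and return it for delivery."""
        code = str(secrets.randbelow(10 ** digits)).zfill(digits)
        salt = secrets.token_bytes(16)
        self._pending[user] = (salt, self._digest(salt, code), now + self.ttl)
        return code

    def check(self, user: str, candidate: str, now: int) -> bool:
        entry = self._pending.pop(user, None)         # single use, right or wrong
        if entry is None:
            return False
        salt, digest, expires_at = entry
        if now > expires_at:
            return False
        return hmac.compare_digest(digest, self._digest(salt, candidate))


if __name__ == "__main__":
    key = b"12345678901234567890"                    # RFC 4226 / 6238 test key
    print("HOTP counter 0..2:", [hotp(key, c) for c in range(3)])
    print("TOTP at t=59, 8 digits:", totp(key, 59, digits=8))
    store = DeliveredCodeStore(ttl_seconds=300)
    code = store.issue("alice", now=1_000)
    print("delivered code accepted once:", store.check("alice", code, now=1_100),
          "then rejected:", store.check("alice", code, now=1_100))
```

The contrast the answer draws is visible in the two halves: `totp` keeps no per-code state at all (only the shared secret), while `DeliveredCodeStore` must hold something per outstanding code, which is why a hash rather than the code itself is stored, and why the entry is removed on first use and refused after the TTL. `hmac.compare_digest` is used in both verifiers so that the comparison time does not leak how many characters matched.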