====OATH OTP====
[[File:Aegis Authenticator 3.2 screenshot.png|thumb|upright=1.1|Example of one-time passwords]]
One-time passwords (OTPs) have been used since the 1980s.{{citation needed|date=March 2019}} In 2004, an Open Authentication Reference Architecture for the secure generation of OTPs was announced at the annual [[RSA Conference]].<ref>{{cite web |last1=Kucan |first1=Berislav |title=Open Authentication Reference Architecture Announced |url=https://www.helpnetsecurity.com/2004/02/24/open-authentication-reference-architecture-announced/ |publisher=Help Net Security |access-date=26 March 2019 |date=24 February 2004}}</ref><ref>{{cite web |title=OATH Specifications and Technical Resources |url=https://openauthentication.org/specifications-technical-resources/ |publisher=[[Initiative for Open Authentication]] |access-date=26 March 2019}}</ref> The [[Initiative for Open Authentication]] (OATH) launched a year later.{{citation needed|date=March 2019}} Two IETF standards grew out of this work, the [[HMAC-based One-time Password algorithm|HMAC-based One-time Password (HOTP) algorithm]] and the [[Time-based One-time Password algorithm|Time-based One-time Password (TOTP) algorithm]] specified by RFC 4226 and RFC 6238, respectively. By OATH OTP, we mean either HOTP or TOTP. OATH certifies conformance with the HOTP and TOTP standards.<ref name="OATH-cert">{{cite web |title=OATH Certification |url=https://openauthentication.org/oath-certification/ |publisher=The [[Initiative for Open Authentication]] (OATH) |access-date=3 February 2019}}</ref>

A traditional password (''something that one knows'') is often combined with a one-time password (''something that one has'') to provide two-factor authentication.<ref name="Hoffman-Andrews and Gebhart 2017">{{cite web |last1=Hoffman-Andrews |first1=Jacob |last2=Gebhart |first2=Gennie |title=A Guide to Common Types of Two-Factor Authentication on the Web |url=https://www.eff.org/deeplinks/2017/09/guide-common-types-two-factor-authentication-web |publisher=[[Electronic Frontier Foundation]] |access-date=26 March 2019 |date=22 September 2017}}</ref> Both the password and the OTP are transmitted over the network to the verifier. If the password agrees with the previously shared secret, and the verifier can confirm the value of the OTP, user authentication is successful.

One-time passwords are generated on demand by a dedicated OATH OTP authenticator that encapsulates a secret that was previously shared with the verifier. Using the authenticator, the claimant generates an OTP using a cryptographic method. The verifier also generates an OTP using the same cryptographic method. If the two OTP values match, the verifier can conclude that the claimant possesses the shared secret.

A well-known example of an OATH authenticator is [[Google Authenticator]],<ref name="Google-Authenticator">{{cite web |title=Google Authenticator |website=[[GitHub]] |url=https://github.com/google/google-authenticator/wiki |access-date=3 February 2019}}</ref> a phone-based authenticator that implements both HOTP and TOTP.