Use one-time passwords. One-time passwords for Sberbank

Today, people often use Internet banking to pay bills, alimony and loans. New technologies let a person open an account or a deposit, or check the balance on a card, without leaving the computer. Internet banking saves a great deal of time and, in most cases, no commission is charged. All you need is access to your personal account in the Sberbank Online system.

Not everyone knows how to obtain a list of one-time passwords in order to confirm operations in the Sberbank personal account.

The need to obtain identification data

To conduct operations with accounts and cards, a person must first obtain a permanent password. This can be done in several ways, for example by contacting a bank branch. Most often, people use ATMs to obtain this data.

Generation occurs automatically at the cardholder's request. The data can be changed later. It is best to use complex combinations to raise the security level of your personal account.

Why do you need a one-time password?

A one-time password is needed for additional verification of a Sberbank client's identity. Such identification is required:

  1. when logging into your personal account;
  2. when performing various operations with cards, deposits and accounts through the Internet banking system.

The following types of one-time passwords exist:

  • checks printed using ATMs or terminals (they contain 20 different passwords at once);
  • passwords received in a message from Sberbank to the phone directly during a specific operation.

Some operations in the Sberbank Online system can be carried out only after it is confirmed with an SMS password.

It is recommended to use one-time passwords for any monetary transaction. The user can disconnect Sberbank Online, but this will not free him from using one-time passwords altogether: when working with the bank's other programs, they will still be required to confirm transactions.

Receiving one-time passwords

There are several ways to obtain one-time passwords. Keep in mind that to work in the Internet banking system you will also need a login and a permanent password.

Via Sberbank ATM

The client must hold a debit card (a credit card will not work) of Sberbank of the Russian Federation; it can be a salary or payment card. Take the card with you and go to the nearest terminal or ATM (the procedure is identical for both).

  1. It is necessary to insert the card into the card reader.
  2. Enter the confirmation code at the request of the system.
  3. The main menu will appear, in which you should click on the "Sberbank Online and Mobile Bank" section. If the ATM has old software installed, then this item will not be there. In this case, you will need to click on the "Internet service" button.
  4. In the menu that opens, click on the "Get a list of one-time passwords" button. The ATM will print out a list of 20 passwords.

The passwords in the list have no expiry date. If the user prints out new passwords, the old ones become invalid and can no longer be used.

To make it more convenient for the client, every password in the list has its own number. When making any transaction on the Internet, the Internet banking system asks the user for the one-time password with a specific number. The numbers are requested in random order, so pay attention to the system message asking you to enter a one-time password.

Note that payments and transfers confirmed with a one-time password from a check cannot exceed 3,000 rubles.

Once all 20 passwords from the check have been used, you need to obtain new ones in the same way as before.

If the check with passwords has been lost or its contents have become known to someone else, you need to immediately print new ones or block the old ones. To do this, call the contact center on one of the following numbers:

  • +7 (495) 500-5550;
  • +7 (800) 555-5550.

Via SMS

This method of obtaining one-time passwords is available only to customers who have previously connected the Mobile Bank service to their card. This can be done at any Sberbank branch or via a terminal (ATM). Another option is to call the contact center; for this you will need to provide control information, which is best prepared in advance.

When making any operation through Sberbank Online, the user receives messages with one-time passwords on his mobile phone (one password per message). You must log in using the card to which Mobile Bank is connected; otherwise you will need to use the list of one-time passwords from the receipt.

When viewing the message, make sure the details of the operation are correct: compare the data entered in the Sberbank Online system with the information in the SMS.

Each one-time password is used only once and cannot be reused. If the user requests a new one-time password, the old one is cancelled and can no longer be used.

Messages with one-time passwords always come from the Sberbank short number 900. The following transaction details are indicated in the SMS:

  • the number of the card or account with which the transaction is being made;
  • transaction amount;
  • password to confirm the operation.

There may be other data, depending on the type of operation performed.

Procedure for entering one-time passwords

Depending on the settings of your personal account, you may be allowed to use one or both types of transaction confirmation with one-time passwords. If both methods are available, the system will offer the user a choice before confirmation.

If the user selects confirmation from a check, the check number and the number of the required password appear next to the input field.

If the confirmation arrives on the phone as an SMS, enter the received password in the "Enter SMS password" field.

After the password is entered, the system will prompt you to check all the details again. If all of them are filled in correctly, then you need to click on the "Confirm" button.

What is the best way to get it?

Once a person knows how to use one-time passwords in the Sberbank Online system, another question arises: which of the available methods is the most convenient and reliable?

To log into the system using a card connected to Mobile Bank, the one-time password received in the message is required in any case. Operations, however, can be confirmed in whichever way is convenient for the user. SMS passwords do not always arrive on time; sometimes they are sent with a delay, and each is valid for only 5 minutes. If the system or the mobile network fails, it is better to confirm with passwords from the check.

Obtaining a user ID and one-time password through an ATM or using SMS.

One-time password via ATM.

You can also obtain a user ID and a permanent password using a Sberbank self-service device. Insert the card and enter the PIN code. Then, in the list, select the item "Connect Sberbank Online and Mobile Bank" and go to the new page. Here click the "Print one-time passwords" tab and receive them in the form of a receipt.

If you have not yet connected to the system, first select the "Print ID and password" item and receive this data on the receipt. After that, re-insert the card, enter the PIN code and repeat all the steps described above.

One-time password via SMS.

For security purposes, when logging into the system or when performing risky operations, additional user authentication is performed using a one-time password.

Clients who use the mobile banking service can receive a one-time password. The bank sends a one-time password to the user's mobile device during the operation. The user receives an SMS message containing the parameters of the operation for which the password is intended. Please note that the one-time password must be used within 5 minutes and only to confirm the completion of a certain action.

Attention! Before entering a one-time password, it is necessary to verify the details of the operation being performed with the details specified in the SMS message. If messages are received on behalf of Sberbank with the details of a transaction that you did not perform, do not enter a one-time password in the appropriate forms and do not disclose it to anyone, even if you are contacted on behalf of Sberbank employees.

An example of an SMS in the case of an operation to generate a payment template

54321 is a one-time password that is used to confirm the formation of the template.

An example of an SMS for a transfer operation

54321 — one-time password confirming the transfer.

An example of an SMS for a payment transaction

54321 — a one-time password confirming the payment.

Confirmation of operations with a one-time password:

In order to confirm the operation, a message is sent to the phone connected to the mobile banking service with the parameters of the operation and a password for confirmation.


To complete the operation, enter the password in the appropriate field and click the CONFIRM button.

We hope you managed to get one-time passwords from Sberbank.

The use of OTP (One Time Password) is an additional layer of security when working with trading accounts. Each time the user connects to the account, they are required to enter a unique one-time password.

The mobile platform also acts as a one-time password generator.

To start using one-time passwords, you need to link your trading account with the password generator, which is the mobile platform for iPhone or Android.

Enable OTP on iPhone

Go to the "Settings" section of the mobile platform and select the OTP item. The first time you open this section, you are required to set a four-digit password for added security. This password will need to be entered each time you access the password generator.

Additional commands:

  • Synchronize time - synchronize the time of the mobile device with the reference server. The requirement for accuracy is due to the fact that the one-time password is tied to the current time interval, and this time must match on the side of the trading platform and the server.

Enable OTP on an Android device

Go to the "Accounts" section of the mobile terminal and press . The first time you open this section, you are required to set a four-digit password for added security. The password will need to be entered each time to access the password generator.

In the window that opens, select "Link to account".

Next, specify the name of the server on which the trading account is opened, the account number and the main password for it. The Bind option should be left enabled; it must be turned off only if you are going to unlink the specified account from the generator and stop using one-time passwords.

After clicking the "Link" button at the top of the window, the trading account will be linked to the generator and a corresponding message will appear.

Similarly, you can link an unlimited number of trading accounts to the generator.

The one-time password is displayed at the top of the OTP section. Under it, a blue bar displays the time indicator for the current password. Once the time expires, the password will become invalid and a new one will be generated.

Additional commands:

  • Change password - change the password for accessing the generator.
  • Synchronize time - synchronize the time of the mobile device with the reference server. The requirement for accuracy is due to the fact that the one-time password is tied to the current time interval, and this time must match on the side of the client terminal and the server.

Using OTP in the platform

After binding to the generator, when you try to connect to the trading platform using that trading account, a one-time password will additionally be requested.

As recent studies show, one of the most serious information security problems for companies is unauthorized access to computer systems. According to the CSI/FBI Computer Crime and Security Survey 2005, 55% of companies reported data breaches last year. In the same year, companies lost an average of $303,000 due to unauthorized access, and compared with 2004 the losses increased six-fold.

Naturally, for Russian companies the loss figures will be completely different, but this does not change the problem itself: unauthorized access does cause serious damage to companies, whether or not management is aware of it.

It is clear that the reliability of protection against this threat depends primarily on the quality of the user authentication system. Today, talking about information security without tying it to personalized access and tracking of all user actions on the network simply makes no sense. When it comes to authenticating users on computers inside the corporate local network, there are no particular difficulties: the market offers many solutions, including smart cards and electronic keys, biometric authentication tools, and even such exotic things as graphic passwords.

The situation is somewhat different if the user needs to connect to the corporate computer network remotely, for example, via the Internet. In this case, he may face a number of problems, which we will consider in more detail.

Pitfalls of remote access

Being in an untrusted environment (outside the office), the user has to enter a password on someone else's computer (for example, in an Internet cafe). Passwords are cached, like any other information entered into the computer, and someone else can then use them for their own purposes.

Another common type of computer fraud today is sniffing: the interception of network packets by an attacker in order to pick out information of interest. Using this technique, a hacker can "sniff out" the user's password and use it for unauthorized access.

Simple password protection (especially for remote access) is seriously challenged by a new generation of spyware that quietly enters a user's computer during ordinary browsing of Web pages. The malware can be programmed to filter the information streams of a particular computer in order to identify character combinations that could serve as passwords. The "spy" sends these combinations to its creator, who then only has to pick out the required password.

It is clear that hardware-based secure network access is several times more reliable than simple passwords, but how can you use a smart card or USB key while away from the office? Most likely you cannot: the first device needs at least a reader, and the second a USB port, which may be blocked (Internet cafe) or, worse, simply absent from the device from which the user is trying to gain access (PDA, mobile phone, smartphone, etc.). Needless to say, hardware such as smart cards and USB keys needs the appropriate software, which can hardly be installed in that same Internet cafe.

Meanwhile, situations when it is necessary to remotely receive or send information arise quite often. Take, for example, electronic banking systems: it is easy to imagine a situation where a user needs access to secure banking resources to remotely manage their account. Today, some banks have realized the need for hardware-based authorization using a USB key. But for a number of reasons described above, it is far from always possible to use it.

The specifics of the business of many large companies often oblige them to provide access to their own resources to third-party users - partners, customers, suppliers. Today in Russia, such type of cooperation as outsourcing is actively gaining momentum: a subcontractor company may well need access to the customer's protected resources to perform work on an order.

The need to connect to a corporate network with a strong authentication scheme, with only a PDA or smartphone at hand, can become a serious problem if the user is at a conference, negotiations or another business event. It is precisely for mobile applications, and for organizing access to the necessary information from places where special software cannot be installed, that the concept of the one-time password (OTP) was developed.

One-time password: entered and forgotten

A one-time password is a keyword that is valid for only one authentication process and for a limited time. Such a password completely solves the problem of interception or simple shoulder surfing. Even if an attacker obtains the "victim's" password, the chances of using it to gain access are zero.

The first implementations of the one-time password concept were based on a static set of keywords: a list of passwords (keys, code words, etc.) was generated in advance, which users could then use. A similar mechanism was used in the first banking systems with remote account management. On activating the service, the client received an envelope with a list of passwords; then, each time he accessed the system, he used the next keyword. Having reached the end of the list, the client went to the bank for a new one. Such a solution had a whole series of shortcomings, the main one being low reliability. After all, it is dangerous to carry a list of passwords around all the time: it is easy to lose, and it can be stolen by intruders. And the list is not endless; what if, at the crucial moment, it is impossible to get to the bank?

Fortunately, today the situation has changed radically. In Western countries, one-time passwords for authentication in information systems have become commonplace. In our country, however, OTP technology remained inaccessible until recently, and only recently did company management begin to realize how much the risk of unauthorized access increases when working remotely. Demand, as we know, creates supply, and products that use one-time passwords for remote authentication have gradually begun to take their place in the Russian market.

Modern OTP authentication technologies use dynamic keyword generation based on strong cryptographic algorithms. In other words, the authentication data is the result of encrypting some initial value with the user's secret key. Both the client and the server hold this key; it is not transmitted over the network and is not available for interception. Information known to both sides of the authentication process is used as the initial value, and an encryption key is created for each user when the user is initialized in the system (Fig. 1).

It is worth noting that at this stage in the development of OTP technologies there are systems that use both symmetric and asymmetric cryptography. In the first case both parties must hold the secret key; in the second, only the user holds the secret key, while the authentication server holds the public one.

Implementation

OTP technologies were developed as part of the Open Authentication (OATH) industry initiative launched by VeriSign in 2004. The essence of this initiative is to develop a standard specification for truly strong authentication for various Internet services. Moreover, this is two-factor determination of user rights, during which the user must "show" a smart card or USB token and his password. Thus, one-time passwords may eventually become the standard means of remote authentication in various systems.

Today, several options for implementing one-time password authentication systems have been developed and are being used in practice.

Request-response (challenge-response) method. The principle of its operation is as follows: at the beginning of the authentication procedure, the user sends his login to the server. In response, the server generates some random string and sends it back. The user encrypts this data with his key and returns it to the server. The server meanwhile "finds" the secret key of that user in its store and encrypts the original string with it. The two encryption results are then compared; if they match completely, authentication is considered successful. This way of implementing one-time password technology is called asynchronous, since the authentication process does not depend on the user's history with the server or on other factors.

"Answer only" method. In this case, the authentication algorithm is somewhat simpler. At the very beginning of the process, the user's software or hardware independently generates the initial data, which will be encrypted and sent to the server for comparison. The value of the previous request is used in creating this string. The server also has this information: knowing the username, it finds the value of the user's previous request and generates exactly the same string using the same algorithm. Encrypting it with the user's secret key (which is also stored on the server), the server obtains a value that must completely match the data sent by the user.

Time synchronization method. Here the current reading of the timer of a special device, or of the computer on which the person works, is used as the initial string. Usually it is not the exact time that is used but the current interval with preset boundaries (for example, 30 s). This data is encrypted with the secret key and sent openly to the server together with the username. The server, upon receiving an authentication request, performs the same actions: it reads the current time from its own timer and encrypts it. After that it only has to compare the two values: the one it calculated and the one received from the remote computer.

"Synchronization by event" method. In principle, this method is almost identical to the previous one, except that the number of successful authentication procedures carried out before the current one, rather than the time, is used as the initial string. This value is calculated by each party independently.

In some systems, so-called mixed methods are implemented, where two types of information or even more are used as the initial value. For example, there are systems that take into account both authentication counters and built-in timers. This approach avoids many disadvantages of individual methods.

OTP technology vulnerabilities

The technology of one-time passwords is considered quite reliable. For the sake of objectivity, however, we note that it also has drawbacks to which all systems implementing the OTP principle in its pure form are subject. Such vulnerabilities can be divided into two groups. The first includes potentially dangerous "holes" inherent in all implementation methods. The most serious of them is the possibility of spoofing the authentication server: the user then sends his data directly to the attacker, who can immediately use it to access the real server. In the case of the request-response method the attack is slightly more complex (the hacker's computer must play the role of an intermediary, relaying the exchange between the server and the client). In practice, however, such an attack is not at all easy to carry out.

Another vulnerability is inherent only in synchronous methods: the information on the server and in the user's software or hardware can become desynchronized. Suppose that in some system the initial data are the readings of internal timers, and for some reason they no longer coincide. In this case, all the user's authentication attempts will fail (a false rejection, an error of the first kind). Fortunately, an error of the second kind (admitting a stranger) cannot arise this way. The probability of the described situation is, in any case, extremely small.

Some attacks are applicable only to certain ways of implementing one-time password technology. Take the timer synchronization method again. As already said, time is taken into account not to the second but within some predetermined interval. This allows for timer desynchronization and for delays in data transmission, and it is exactly this moment that an attacker could theoretically use to gain unauthorized access to a remote system. To begin with, the hacker "listens" to the network traffic from the user to the authentication server and intercepts the login and one-time password sent by the "victim". He then immediately blocks the victim's computer (overloads it, breaks the connection, etc.) and sends the authorization data himself. If the attacker manages this so quickly that the authentication interval has not yet changed, the server recognizes him as a registered user.

Clearly, such an attack requires the attacker to be able to listen to traffic and to quickly block the client's computer, which is not an easy task. These conditions are easiest to meet when the attack is planned in advance and the "victim" connects to the remote system from a computer in a foreign local network; the hacker can then prepare one of the PCs beforehand so as to control it from another machine. You can protect yourself from such an attack only by using "trusted" machines (for example, your own laptop or PDA) and "independent" secure Internet access channels (for example, using SSL).

Implementation quality

The reliability of any security system largely depends on the quality of its implementation. All practical solutions have drawbacks that attackers can use for their own purposes, and these "holes" are often not directly related to the technology being implemented. This rule fully applies to authentication systems based on one-time passwords. As mentioned above, they rely on cryptographic algorithms, which imposes certain obligations on the developers of such products: a poor implementation of any algorithm or, for example, of the random number generator can jeopardize the security of information.

One-time password generators are implemented in two ways: in software and in hardware. The former is, of course, less reliable: the client utility must store the user's secret key, which can be done more or less securely only by encrypting the key with a personal password. Note also that the client utility must be installed on the device (PDA, smartphone, etc.) from which the session is run. Thus the employee's authentication ends up depending on a single password, even though there are many ways to learn or guess it. And this is far from the only vulnerability of a software one-time password generator.

The various devices that implement OTP technology in hardware are incomparably more reliable. For example, there are devices that look like a calculator (Fig. 2): when you enter into them the set of numbers sent by the server, they generate a one-time password based on the embedded secret key (the request-response method). The main vulnerability of such devices is that they can be stolen or lost. The system can be protected from an intruder only by reliably protecting the device memory that holds the secret key.

Fig. 2. RSA SecurID OTP device.

This approach is implemented in smart cards and USB tokens. To access their memory, the user must enter a PIN. Such devices are also protected from PIN guessing: after three incorrect entries they are blocked. Reliable storage of key information, hardware generation of key pairs and execution of cryptographic operations in a trusted environment (on the smart card chip) do not allow an attacker to extract the secret key and make a duplicate of the one-time password generation device.

OTP Implementation Example

So, smart cards and USB tokens are considered the most reliable one-time password generators, protected from almost all implementation vulnerabilities. The latter are clearly more convenient: they can be used on any PC or laptop without the additional readers that smart cards require. Moreover, there is a USB key implementation with OTP technology that can work without a USB port. An example of such an electronic key is eToken NG-OTP from Aladdin (Fig. 3).

It is worth noting that Aladdin (http://www.aladdin.com) is actively involved in promoting the OATH initiative mentioned above, and the key discussed here was chosen as the main component of the VeriSign Unified Authentication solution. True, it has a different name in that system: eToken VeriSign. The main purpose of this solution is to increase confidence in transactions concluded via the Internet, and it is based on strong two-factor authentication with a hardware key. Such OEM deliveries of the eToken NG-OTP product confirm its quality and compliance with all OATH specifications.

Devices of the eToken series are quite widespread in Russia. Leading manufacturers such as Microsoft, Cisco, Oracle, Novell and others support them in their products (eToken's "track record" includes more than 200 integrations with information security applications).

eToken NG-OTP is based on another hardware key, the most popular model in the line, eToken PRO. This is a full-fledged token built on a secure-memory smart card chip that can be used to securely store key information, user profiles and other confidential data, to perform cryptographic calculations in hardware, and to work with X.509 asymmetric keys and certificates.

The eToken NG-OTP dongle, in addition to the modules implementing the capabilities described above, contains a hardware one-time password generator (Fig. 4). It works according to the "synchronization by event" method, which is the most reliable implementation of OTP technology among the synchronous options (with less risk of desynchronization). The one-time password generation algorithm implemented in the eToken NG-OTP key was developed as part of the OATH initiative and is based on HMAC. Its essence is the computation of an HMAC-SHA-1 value followed by truncation (selection) of six digits from the resulting 160-bit value; these six digits serve as the one-time password.
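The HMAC-SHA-1 counter scheme just described is the OATH HOTP algorithm (RFC 4226), and the "time synchronization" variant from the methods section is its time-stepped form, TOTP (RFC 6238). The following is an added example, not code from the page, Sberbank, the trading platform or Aladdin: it implements both, plus the server-side verifiers that handle the desynchronization and interval-reuse cases discussed in the vulnerability section. The demo secret is the published RFC reference key; the look-ahead window and clock-skew tolerance are assumed values chosen for illustration.

```python
"""HOTP / TOTP and server-side verification (added example, pure Python)."""
import hashlib
import hmac
import struct

# Constructed demo secret: the 20-byte reference key from RFC 4226 / RFC 6238.
# Real secrets are random and provisioned once per token, never a fixed string.
TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA-1 over the 8-byte big-endian counter, then
    'dynamic truncation' picks a 31-bit value and keeps `digits` decimals."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()  # 160 bits
    offset = mac[-1] & 0x0F                       # low nibble of the last byte
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP over the number of `step`-second intervals since the epoch."""
    return hotp(secret, unix_time // step, digits)


class EventOtpVerifier:
    """Server side of 'synchronization by event'.

    Token and server each keep a counter. If the user advanced the token
    (pressed the button) without logging in, the counters drift; the server
    re-synchronizes by searching a small look-ahead window and then moving
    past the matched counter, so any earlier (replayed) code is refused."""

    def __init__(self, secret: bytes, look_ahead: int = 5) -> None:
        self.secret = secret
        self.next_counter = 0          # first counter value not yet consumed
        self.look_ahead = look_ahead   # assumed window size; vendor-specific in practice

    def verify(self, code: str) -> bool:
        for c in range(self.next_counter, self.next_counter + self.look_ahead + 1):
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.next_counter = c + 1
                return True
        return False


class TimeOtpVerifier:
    """Server side of 'time synchronization'.

    Accepts the current interval plus `skew` intervals either side (the very
    tolerance that makes the interval-reuse attack in the text possible) and
    remembers the last interval accepted, so a code that was already used
    cannot be submitted a second time inside that tolerance window."""

    def __init__(self, secret: bytes, step: int = 30, skew: int = 1) -> None:
        self.secret = secret
        self.step = step
        self.skew = skew               # assumed tolerance of one interval either side
        self.last_accepted_step = -1

    def verify(self, code: str, now: int) -> bool:
        current = now // self.step
        for t in range(current - self.skew, current + self.skew + 1):
            if t <= self.last_accepted_step:
                continue               # interval already consumed: reject replay
            if hmac.compare_digest(hotp(self.secret, t), code):
                self.last_accepted_step = t
                return True
        return False


if __name__ == "__main__":
    # Token pressed four times (counters 0-3) before the first login: the server
    # still accepts counter 3 through the look-ahead window, then refuses a replay.
    server = EventOtpVerifier(TEST_SECRET)
    code = hotp(TEST_SECRET, 3)
    print("event OTP", code, "accepted:", server.verify(code))
    print("same code again accepted:", server.verify(code))

    # Time-based: a captured code is valid for about one interval and only once.
    tserver = TimeOtpVerifier(TEST_SECRET)
    code = totp(TEST_SECRET, 59)
    print("time OTP", code, "accepted:", tserver.verify(code, 59))
    print("replayed 11 s later accepted:", tserver.verify(code, 70))
```

The replay check only helps when the legitimate submission reached the server first; it does nothing against an active intermediary that drops the victim's request, which is the man-in-the-middle limitation the page notes at the end.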

An interesting feature of the eToken NG-OTP combined key is the ability to use one-time passwords even without connecting the key to a computer. The OTP generation process can be started by pressing a special button located on the device body (Fig. 5), and its result in this case will be displayed on the built-in LCD display. This approach makes it possible to use OTP technology even on devices that do not have USB ports (smartphones, PDAs, cell phones, etc.) and on computers where they are blocked.

The most reliable is the mixed mode of operation of the key in question. To use it, the device must be connected to a PC. Here we are dealing with two-factor authentication, implemented in several ways. In one case, to gain access to the network the user's own password and the OTP value are required; the other option requires a one-time password and an OTP PIN value (displayed on the key's screen).

Naturally, the eToken NG-OTP key can work as a standard USB token - for user authentication using digital certificates and PKI technology, for storing personal keys, etc. Thus, the product in question can be used in a wide range of projects related to the need for secure remote access and two-factor authentication. The use of such hybrid keys on an enterprise scale allows users to work with their keys both in the office and outside it. This approach reduces the cost of creating an information security system without reducing its reliability.

Summing up

So, the concept of OTP one-time passwords, coupled with modern cryptographic methods, can be used to implement reliable remote authentication systems. This technology has a number of significant advantages. The first is reliability. Today there are not many ways to achieve really "strong" user authentication when transmitting information over open communication channels. Meanwhile, this problem is becoming more and more common, and one-time passwords are one of its most promising solutions.

The second advantage of one-time passwords is the use of "standard" cryptographic algorithms. This means that existing developments are well suited to implementing an authentication system using OTP. The eToken NG-OTP key itself, which is compatible with domestic crypto providers, is a clear demonstration of this. Such tokens can be used in existing corporate security systems without restructuring them. As a result, one-time password technology can be implemented at relatively low cost.

Another plus of one-time passwords is that the protection depends only weakly on the human factor. True, this does not apply to all of its implementations. As we have said, the reliability of many one-time password programs depends on the quality of the PIN used. Hardware generators based on USB tokens use full-fledged two-factor authentication. And finally, the fourth advantage of the OTP concept is its convenience for users. Gaining access to the necessary information using one-time passwords is no more difficult than using static passwords for this purpose. It is especially pleasant that some hardware implementations of the technology under consideration can be used on any device, regardless of the ports it has and the software installed on it.

A one-time password (OTP) is a password valid for one session only. The validity of a one-time password can also be limited to a certain period of time. The advantage of a one-time password over a static one is that the password cannot be reused. Thus, an attacker who has intercepted data from a successful authentication session cannot use the copied password to gain access to the protected information system. The use of one-time passwords does not in itself protect against attacks based on active interference with the communication channel used for authentication (for example, against man-in-the-middle attacks).

To create one-time passwords, a one-time password generator is used, which is available only to that user. One-time passwords are usually presented as a set of digits and are used to access remote service systems, for example the internal information systems of organizations.

In the banking industry, the most common way to deliver a one-time password is an SMS message that the bank sends to a client performing an operation in the Internet banking system.

In addition, one-time passwords can be issued by the bank on a so-called scratch card, a plastic card on which the passwords are hidden behind an erasable coating. In this case, the client, having received an instruction from the Internet banking system to enter a one-time password (with a specific serial number), scratches off the coating next to the required number on the card and enters the code into the system.

The method of issuing a list of one-time passwords printed on a receipt (check) is still practised, but over time it is losing its relevance. Like the passwords on a scratch card, they have serial numbers and are entered at the direction of the Internet banking system.

Fighting fraud, banks are increasingly using one-time passwords not only to confirm financial transactions, but also for the initial entry into the Internet banking system.

Some Internet banking systems offer an electronic generator of one-time codes.

OTP generation algorithms usually use random numbers. This is necessary because otherwise it would be easy to predict subsequent passwords from knowledge of the previous ones. Specific OTP algorithms vary greatly in their details. Various approaches to creating one-time passwords are listed below.

  1. Using mathematical algorithms to create a new password based on the previous ones (the passwords actually form a chain and must be used in a certain order).
  2. Based on time synchronization between the server and the client providing the password (passwords are valid for a short period of time).
  3. Using a mathematical algorithm where the new password is based on a challenge (for example, a random number chosen by the server or parts of an incoming message) and/or a counter.
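An added example, not from the article: the first approach above (a chain of passwords used in a fixed order, in the style of Lamport's hash-chain scheme) in Python. The server stores only the last accepted value, so a captured password can neither be replayed nor used to derive the next one, since that would require inverting the hash. The seed, chain length and hash function (SHA-256) are constructed choices for the example.

```python
import hashlib
import hmac


def hash_chain(seed: bytes, n: int) -> list[bytes]:
    """Return [h^0(seed), h^1(seed), ..., h^n(seed)].

    The client hands these out in reverse order: h^(n-1) first, then
    h^(n-2), and so on. The server is initialised with h^n(seed) only.
    """
    chain = [seed]
    for _ in range(n):
        chain.append(hashlib.sha256(chain[-1]).digest())
    return chain


class ChainVerifier:
    """Server side of the chained scheme.

    A candidate password p is accepted iff h(p) equals the last accepted
    value; p then becomes the new stored value. Old passwords fail because
    hashing them yields an earlier link, not the current one, and future
    passwords cannot be computed from the stored value.
    """

    def __init__(self, anchor: bytes):
        self.last = anchor          # h^n(seed), handed over at enrolment

    def verify(self, candidate: bytes) -> bool:
        expected = hashlib.sha256(candidate).digest()
        if hmac.compare_digest(expected, self.last):
            self.last = candidate   # advance one link down the chain
            return True
        return False
```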