Imagine you’re trying to log in to your mobile app. You enter your password, but instead of being let in right away, you get a message saying, “Please enter the code we just sent to your phone number.” That code is an example of a One-Time Password, or OTP. It’s like a secret handshake that only you and your mobile app know at that moment, making sure it’s really you trying to access your account. In a world where security is more important than ever, OTPs have become the go-to method for keeping our digital lives safe, one code at a time.
In my bachelor’s thesis, I researched virtual passwords, which generate a random password by taking the user’s initial password as a seed, converting each character into 1-2 random alphanumeric characters, and using the converted password to validate the user’s login password. This converted password is re-randomised on each login attempt and thus produces a dynamic password during the login process. While the concepts of my past research are similar, I want to demystify the world’s most popular factor in MFA: OTP. In the process, I also fixed a minor bug in a Python library, PyOTP, which allowed users to pass an unsuitable hashing function that triggers an IndexError on OTP generation.
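As an added example (not the author's thesis code and not PyOTP's own implementation), here is a minimal RFC 4226 HOTP / RFC 6238 TOTP generator with a server-side verifier; the up-front digest-length check and the names `hotp`, `totp` and `verify_hotp` are my own choices, and the secret below is the RFC test-vector key.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6, digestmod=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), digestmod).digest()
    # Dynamic truncation (RFC 4226 section 5.3) reads 4 bytes starting at an
    # offset in 0..15, so a digest shorter than 20 bytes (e.g. MD5's 16) can be
    # indexed out of range. Reject such digests here with a clear error instead
    # of letting the indexing below fail with an IndexError (assumed guard).
    if len(mac) < 20:
        raise ValueError(
            f"{digestmod().name} yields a {len(mac)}-byte digest; HOTP needs >= 20 bytes"
        )
    offset = mac[-1] & 0x0F
    code = (
        (mac[offset] & 0x7F) << 24
        | mac[offset + 1] << 16
        | mac[offset + 2] << 8
        | mac[offset + 3]
    )
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, for_time: int, step: int = 30, digits: int = 6,
         digestmod=hashlib.sha1) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to floor(unix_time / step)."""
    return hotp(secret, for_time // step, digits, digestmod)


def verify_hotp(secret: bytes, code: str, counter: int, look_ahead: int = 3):
    """Server-side HOTP check with a small resynchronisation window.

    Returns the next counter the server should store on success, or None.
    Comparison is constant-time so timing does not leak how many digits matched.
    """
    for c in range(counter, counter + look_ahead + 1):
        if hmac.compare_digest(hotp(secret, c), code):
            return c + 1
    return None


if __name__ == "__main__":
    key = b"12345678901234567890"  # RFC 4226 / RFC 6238 test-vector secret
    print(hotp(key, 0))              # prints 755224
    print(totp(key, 59, digits=8))   # prints 94287082
    print(verify_hotp(key, hotp(key, 2), counter=0))  # prints 3
```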