One-time authorization code

From Wikipedia, the free encyclopedia
Jump to: navigation, search
MasterCard SecureCode uses OTAC to confirm a user's identity
One time authorization code as used in the yammer's desktop client


In a broad sense, one time authorization code (OTAC) means a code that valid for only one session to authenticate a user`s identity. It is not only used in mechanisms to identify a user’s identity in daily life, but also used in processes that allows desktop client for web application to securely authenticate to the web application in the field of computer technology.


Passwords that continuously used in daily life or stored on the desktop can easily be deciphered and compromised. Use of one time authorization code (OTAC) removes the need for remembering/storing/caching user's actual passwords.

This method of authenticating have two benefits:

  1. The user's actual username/password are never transmitted over the network;
  2. The user has to never remember/cache/store the username/passwords.


Mobile Phone[edit]

Mobile phone itself can be a hand-held authentication token[1] and mobile text messaging is the one of the ways of using one time authorization code (OTAC) through mobile phone. In this way, a service provider sends a text message that includes one time authorization code (OTAC) which is enciphered by digital certificate to a user for authentication. According to a report, mobile text messaging provides high security when it uses public key infrastructure (PKI) to provide bidirectional authentication and non-repudiation, which accord with theoretical analysis.[2]

Mobile text messaging as a one time authorization code (OTAC) is broadly used in our daily life including the banking service, card service and also security service.[3][4][5]


There are two methods that using the telephone to identify a user’s authentication.

First, a service provider shows a one time authorization code (OTAC) on the computer or smart phone screen and then make an automatic telephone call to a number which has already authenticated. Then a user enter the one time authorization code (OTAC) that appears on their screen into your telephone keypad.[6]

Second, as the way to authenticate and active Microsoft Programmes, user calls to a number which is provided by the service provider and enter the one time authorization code (OTAC) that the phone system gives user.[7]


In the field of computer technology, it is known that using one time authorization code (OTAC) through email, in a broad sense, and using one time authorization code (OTAC) through web-application, in a professional sense.


An email is one of the common ways of using one time authorization code (OTAC) and it divided into two big methods.

First, a service provider send a personalised one time URL link to authenticated email address e.g. and when a user click the URL link, then the server authenticate the user.[8]

Second, a service provider send a personalised one time authorization code (OTAC) e.g. Enciphered token to authenticated email address and when a user types the one time authorization code (OTAC) into website, then the server authenticate the user.


The web application generates a unique code (pin) that the user can input into the desktop client, the desktop client in turn uses that code to authenticate itself to the web application.

This form of authentication is particularly useful in web applications that do not have an internal username/password store but instead use SAML for authentication. Since SAML only works within the browser, a desktop based web application client can not successfully authenticate using SAML. Instead, the client application, can use the one time authorization code (OTAC) to authenticate itself to the web application.

In addition, it is able to use the OAuth 2.0 authorization framework when a third party application needs to obtain limited access to an HTTP service.[9]


It is possible to send one time authorization code (OTAC) to a user via post or a registered mail. When a user request one time authorization code (OTAC), a service provider send it via post or a registered mail and then a user can use it for authentication. For example, in the UK, some banks send their one time authorization code (OTAC) for Internet banking authorization via post or a registered mail.[10]


Quantum cryptography which based on uncertainty principle is one of the ideal methods to produce one time authorization code (OTAC).[11]

Moreover, it has been discussed and used not only using an enciphered code for authentication but also using Graphical one time PIN authentication[12] such as QR code which provides decentralized access control technique with anonymous authentication.[13][14]

See also[edit]

Web Applications that utilize One Time Authorization Codes[edit]

  • Yammer
  • Facebook Windows 7 Gadget


  1. ^ Wu, M., Garfinkel, S. and Miller, R. (2004). Secure web authentication with mobile phones. pp.9--10.
  2. ^ Shu, M., Tan, C. and Wang, H. (2009). Mobile authentication scheme using SMS. Services Science, Management and Engineering, 2009. SSME '09. IITA International Conference on, pp.161 - 164.
  3. ^, (n.d.). Axis Bank Mobile Application Registration. [online] Available at: [Accessed 28 Oct. 2014].
  4. ^ Master Card Secure Code. (n.d.). [online] Available at:'s/What%20is%20MasterCard%20SecureCode.pdf [Accessed 28 Oct. 2014].
  5. ^ Inc., S. (n.d.). SMS Authentication: SafeNet Authentication Services. [online] Available at: [Accessed 28 Oct. 2014].
  6. ^, (n.d.). Lloyds Bank Online Authentication Procedure. [online] Available at: [Accessed 28 Oct. 2014].
  7. ^, (n.d.). Activate Windows 7. [online] Available at: [Accessed 28 Oct. 2014].
  8. ^ Adida, B. (2008). EmID: Web authentication by email address.
  9. ^ Hardt, D. (2012). The OAuth 2.0 authorization framework.
  10. ^, (n.d.). Lloyds Bank - Internet Banking - How to Register for Online Banking. [online] Available at: [Accessed 28 Oct. 2014].
  11. ^ Sobota,, M., Kapczy_ski, A. and Banasik, A. (2011). Application of Quantum Cryptography Protocols in Authentication Process. Intelligent Data Acquisition and Advanced Computing Systems (IDAACS), 2011 IEEE 6th International Conference on, 2, pp.799 - 802.
  12. ^ Jhawar, R., Inglesant, P., Courtois, N. and Sasse, M. (2011). Make mine a quadruple: Strengthening the security of graphical one-time pin authentication. pp.81--88.
  13. ^ Liao, K. and Lee, W. (2010). A novel user authentication scheme based on QR-code. Journal of Networks, 5(8), pp.937--941.
  14. ^ Vijayalakshmi, A. and Arunapriya, R. (2014). AUTHENTICATION OF DATA STORAGE USING DECENTRALIZED ACCESS CONTROL IN CLOUDS. Journal of Global Research in Computer Science, 5(9), pp.1--4.