One-time authorization code

From Wikipedia, the free encyclopedia
Jump to navigation Jump to search
MasterCard SecureCode uses OTAC to confirm a user's identity
One time authorization code as used in Yammer's desktop client


In a broad sense, a one time authorization code (OTAC) means a code that is valid to authenticate a user`s identity for only one session. It is not only used in mechanisms to identify a user’s identity in daily life, but also used in the field of computer technology, a desktop client for a web application might use an OTAC to securely authenticate with the web application.


Passwords that are continuously used in daily life or stored on the computer can easily be deciphered and compromised. The use of an OTAC removes the need for remembering/storing/caching the user's actual passwords.

This method of authenticating has two benefits:

  1. The user's actual username/password is never transmitted over the network;
  2. The user never has to remember/cache/store the username/passwords.


Mobile Phone[edit]

A mobile phone itself can be a hand-held authentication token[1]. Mobile text messaging is the one of the ways of receiving an OTAC through a mobile phone. In this way, a service provider sends a text message that includes an OTAC enciphered by a digital certificate to a user for authentication. According to a report, mobile text messaging provides high security when it uses public key infrastructure (PKI) to provide bidirectional authentication and non-repudiation, in accordance with theoretical analysis.[2]

Mobile text messaging as a method of receiving OTACs is broadly used in our daily lives for purposes such as banking, credit/debit cards, and security.[3][4][5]


There are two methods of using a telephone to verify a user’s authentication.

With the first method, a service provider shows an OTAC on the computer or smart phone screen and then makes an automatic telephone call to a number which has already been authenticated. Then the user enters the OTAC that appears on their screen into the telephone keypad.[6]

With the second method, which is used to authenticate and activate Microsoft Programmes, the user call a number which is provided by the service provider and enters the OTAC that the phone system gives the user.[7]


In the field of computer technology, it is known that using one time authorization code (OTAC) through email, in a broad sense, and using one time authorization code (OTAC) through web-application, in a professional sense.


An email is one of the common ways of using OTACs, there are two main methods used.

With the first method, a service provider sends a personalised one time URL link to an authenticated email address e.g., when the user clicks the URL link the server authenticates the user.[8]

With the second method, a service provider sends a personalised OTAC (e.g. an Enciphered token) to an authenticated email address, when the user types the OTAC into the website the server authenticates the user.


The web application generates a unique code (pin) that the user can input into the desktop client, the desktop client in turn uses that code to authenticate itself to the web application.

This form of authentication is particularly useful in web applications that do not have an internal username/password store but instead use SAML for authentication. Since SAML only works within the browser, a desktop based web application client cannot successfully authenticate using SAML. Instead, the client application, can use the one time authorization code (OTAC) to authenticate itself to the web application.

In addition, it is possible to use the OAuth 2.0 authorization framework when a third party application needs to obtain limited access to an HTTP service.[9]


It is possible to send OTACs to a user via post or registered mail. When a user requests an OTAC, the service provider sends it via post or registered mail and then the user can use it for authentication. For example, in the UK, some banks send their OTAC for Internet banking authorization via post or registered mail.[10]


Quantum cryptography, which is based on the uncertainty principle is one of the ideal methods to produce an OTAC.[11]

Moreover, it has been discussed and used not only using an enciphered code for authentication but also using Graphical one time PIN authentication[12] such as QR code which provides decentralized access control technique with anonymous authentication.[13][14]

See also[edit]

Web Applications that utilize One Time Authorization Codes[edit]

  • Yammer
  • Facebook Windows 7 Gadget


  1. ^ Wu, M., Garfinkel, S. and Miller, R. (2004). Secure web authentication with mobile phones. pp.9--10.
  2. ^ Shu, M., Tan, C. and Wang, H. (2009). Mobile authentication scheme using SMS. Services Science, Management and Engineering, 2009. SSME '09. IITA International Conference on, pp.161 - 164.
  3. ^, (n.d.). Axis Bank Mobile Application Registration. [online] Available at: [Accessed 28 Oct. 2014].
  4. ^ Master Card Secure Code. (n.d.). [online] Available at:'s/What%20is%20MasterCard%20SecureCode.pdf [Accessed 28 Oct. 2014].
  5. ^ Inc., S. (n.d.). SMS Authentication: SafeNet Authentication Services. [online] Available at: [Accessed 28 Oct. 2014].
  6. ^, (n.d.). Lloyds Bank Online Authentication Procedure. [online] Available at: [Accessed 28 Oct. 2014].
  7. ^, (n.d.). Activate Windows 7. [online] Available at: [Accessed 28 Oct. 2014].
  8. ^ Adida, B. (2008). EmID: Web authentication by email address.
  9. ^ Hardt, D. (2012). The OAuth 2.0 authorization framework.
  10. ^, (n.d.). Lloyds Bank - Internet Banking - How to Register for Online Banking. [online] Available at: [Accessed 28 Oct. 2014].
  11. ^ Sobota,, M., Kapczy_ski, A. and Banasik, A. (2011). Application of Quantum Cryptography Protocols in Authentication Process. Intelligent Data Acquisition and Advanced Computing Systems (IDAACS), 2011 IEEE 6th International Conference on, 2, pp.799 - 802.
  12. ^ Jhawar, R., Inglesant, P., Courtois, N. and Sasse, M. (2011). Make mine a quadruple: Strengthening the security of graphical one-time pin authentication. pp.81--88.
  13. ^ Liao, K. and Lee, W. (2010). A novel user authentication scheme based on QR-code. Journal of Networks, 5(8), pp.937--941.
  14. ^ Vijayalakshmi, A. and Arunapriya, R. (2014). AUTHENTICATION OF DATA STORAGE USING DECENTRALIZED ACCESS CONTROL IN CLOUDS. Journal of Global Research in Computer Science, 5(9), pp.1--4.