TABLE OF CONTENTS

1. Abstract

2. Introduction

3. Literature Survey

4. Requirement Specification

5. Design of the program

    • Flow chart

    • DO's and DON'Ts

6. Implementation steps

    • Installation process

    • Input

    • Output

7. Result

8. Conclusion

ABSTRACT

• Security is one of the most crucial parts of our lives, and its importance grows day by day as more activities move online.
• A one-time password (OTP) is a password that is valid for only one login session or transaction on a computer or digital device.
• Nowadays OTPs are used in almost every service, such as internet banking and online transactions.
• They are generally 4 to 8 numeric digits (6 digits is the most common format) or a 6-character alphanumeric string.
• The sample program in this report picks each OTP character with the random.random() function from Python's random library. Note that random is a general-purpose pseudo-random number generator (Mersenne Twister), not a cryptographically secure one: an attacker who observes enough of its output can predict the next values, so a production OTP generator should draw its characters from the secrets module instead.

• USED FUNCTIONS:
random.random(): returns a floating-point number in the half-open range [0, 1).

math.floor(): returns the largest integer less than or equal to a floating-point number. Multiplying random.random() by the length of the candidate string and applying math.floor() to the result gives a random index into the string that holds all possible characters for one position of the OTP.

CHAPTER : 01
INTRODUCTION
The OTP prevents some forms of identity theft by making sure that a captured user
name/password pair cannot be used a second time.

Typically the user's login name stays the same, and the one-time password changes with each
login.

Authentication answers the question: "Are you indeed Mr or Mrs X?"

Today most enterprise networks, e-commerce sites, and online communities require only a
user name and static password for login and access to personal and sensitive data.

How are one-time passwords created?


One-time passwords can be generated in several ways, and each one has trade-offs in terms of security, convenience, cost, and accuracy.

Grid cards

Simple methods such as transaction number lists and grid cards can provide a set of one-time passwords.

These methods offer low investment costs but are slow, difficult to maintain, easy to replicate and share, and require the users to keep track of where they are in the list of passwords.

Security tokens

A more convenient option for users is an OTP token, a hardware device capable of generating one-time passwords.

Some of these devices are PIN-protected, offering an additional level of security.

The user enters the one-time password with other identity credentials (typically user name and password), and an authentication server validates the logon request.

Although this is a proven solution for enterprise applications, the deployment cost can make it expensive for consumer applications.

Because the token must share a seed and an algorithm with the server that verifies it, each service the user logs on to has to enrol its own token (or its own seed in a multi-account authenticator), so users may end up carrying a different token for each Web site or network they use.

Smart cards and OTP

More advanced hardware tokens use microprocessor-based smart cards to calculate one-time
passwords.

Smart cards have several advantages for strong authentication, including data storage capacity, processing power, portability, and ease of use.
They are more secure than simpler OTP tokens because the secret key never leaves the card's chip: the card generates a unique, non-reusable password for each authentication event, can store personal data, and does not transmit confidential or private data over the network.

Display payment cards can even integrate an OTP generator for 2-factor authentication.

Public Key Infrastructure for OTP strong authentication

Smart cards can also include additional strong authentication capabilities such as PKI (Public Key Infrastructure) certificates.
When used for PKI applications, the smart card can provide core PKI services, including encryption, digital signature, and private key generation and storage.

Thales smart cards support OTP strong authentication in both Java and Microsoft .NET
environments.

Multiple form factors and connectivity options are available so that end-users have the most
appropriate device for their network access requirements.

All Thales OTP devices work with the same Strong Authentication Server and are supported
with a standard set of administrative tools.

Single-factor authentication (SFA)

Single-factor authentication is the traditional security process that requires only a user name and password before granting access to the user.

A single compromised password was enough to take down the largest US fuel pipeline.
In May 2021, an attack by the ransomware group DarkSide forced the shutdown of Colonial Pipeline's network. This attack, which created shortages, pushed up gas prices and led to a wave of panic-buying, put a spotlight on weak password protection and ransomware's potential to disable critical infrastructure.
Bloomberg (4 June 2021) reported that the company's network was breached through a single leaked password for an old VPN account used to remotely access the company's servers. The account did not use multifactor authentication, so one compromised username and password was all the attackers needed. According to Bloomberg, the user may have reused the same password for different accounts, but how the password was obtained is not known.

Two-factor authentication (2FA)

Stronger authentication can also be implemented with two-factor authentication (2FA) or multi-factor authentication (MFA). In these cases the user provides two (or more) different authentication factors.
Below are two examples of two-factor authentication.

OTP over SMS is a standard second-factor authentication method for banks.

At the ATM, you need your card (something you have) AND a PIN code (something you know).

In Singapore, Singpass uses two-factor authentication (2FA) and end-to-end encryption of passwords to give secure access to the country's eGovernment services.

SMS OTP deprecated

The National Institute of Standards and Technology (NIST, US Department of Commerce) deprecated the use of SMS for 2FA as early as 2016, in its Digital Identity Guidelines (SP 800-63B).
The reason?

The SMS channel shows vulnerabilities that could compromise passwords and codes: a code can be intercepted through SIM swapping or SS7 interception, and it can be phished and relayed to the real site while it is still valid.

In addition, the European Union Agency for Cybersecurity (ENISA) called for not using SMS-based one-time passwords.

As a result, businesses and public organizations should consider other ways to deliver codes than SMS, such as authenticator apps or hardware tokens.

OTP markets and key industry players

The OTP segment is part of a global two-factor authentication market valued at $3.5B in 2018, expected to reach $8.9B by 2024 according to a Market Research Future study. The OTP market itself is estimated at $1.5B in 2018 and is expected to reach $3.2B by 2024.

The two-factor authentication market's major players include Thales, Fujitsu, Suprema, OneSpan, NEC, Symantec, RSA, IDEMIA, HID, Entrust, and Google, to name a few.

The hardware OTP token authentication business is a small part of the OTP market.

However, according to Research and Markets, its worldwide size is expected to reach $403m by 2025.

Primary customers are enterprises, banking, finance, insurance and securities, government, healthcare, and gaming.

CHAPTER : 02
LITERATURE SURVEY

GeeksforGeeks:

• https://www.geeksforgeeks.org/python-program-to-generate-one-time-password-otp/

YouTube link:

• https://youtu.be/6UM4EZTLmPk

AUTHOR NAME : Larry L. Peterson and Bruce S. Davie

YEAR : 2016 TITLE : Computer Networks: A Systems Approach

WORK DONE: There has been an enormous body of work done in the related areas of signal processing and information theory, studying everything from how signals degrade over distance to how much data a given signal can effectively carry.

The most notable piece of work in this area is a formula known as the Shannon-Hartley theorem. Simply stated, this theorem gives an upper bound to the capacity of a link, in terms of bits per second (bps), as a function of the signal-to-noise ratio of the link, measured in decibels (dB), and the bandwidth of the channel, measured in Hertz (Hz). (As noted previously, bandwidth is a bit of an overloaded term in communications; here we use it to refer to the range of frequencies available for communication.)

As an example, we can apply the Shannon-Hartley theorem to determine the rate at which a dial-up modem can be expected to transmit binary data over a voice-grade phone line without suffering from too high an error rate. A standard voice-grade phone line typically supports a frequency range of 300 Hz to 3300 Hz, a channel bandwidth of 3 kHz. The theorem is typically given by the following formula:

C = B × log2(1 + S/N)

where C is the achievable channel capacity measured in bits per second, B is the bandwidth of the channel in Hz (3300 Hz − 300 Hz = 3000 Hz), S is the average signal power, and N is the average noise power. The signal-to-noise ratio (S/N, or SNR) is usually expressed in decibels, related as follows:

SNR = 10 × log10(S/N)

Thus, a typical signal-to-noise ratio of 30 dB would imply that S/N = 1000. Thus, we have

C = 3000 × log2(1001)

which equals approximately 30 kbps.

When dial-up modems were the main way to connect to the Internet in the 1990s, 56 kbps was a common advertised capacity for a modem (and continues to be about the upper limit for dial-up).

However, the modems often achieved lower speeds in practice, because they didn't always encounter a signal-to-noise ratio high enough to achieve 56 kbps. The Shannon-Hartley theorem is equally applicable to all sorts of links ranging from wireless to coaxial cable to optical fiber.
CHAPTER : 03
REQUIREMENT SPECIFICATION

In OTP-based authentication methods, the user's OTP app (or token) and the authentication server rely on a shared secret that is provisioned once, at enrolment, and never sent again.

Values for one-time passwords are generated using the Hash-based Message Authentication Code (HMAC) algorithm over that secret and a moving factor: either the current time divided into fixed steps (time-based OTP, TOTP, RFC 6238) or an event counter that both sides increment (HMAC-based OTP, HOTP, RFC 4226).

A TOTP value is therefore only valid for one time step, typically 30 seconds, which limits how long a captured code is useful. The one-time password can be delivered to a user through several channels, including an SMS text message, an email or a dedicated application on the endpoint.

Security professionals have long been concerned that SMS message spoofing and man-in-the-middle (MITM) attacks can be used to break 2FA systems that rely on one-time passwords. For that reason the U.S. National Institute of Standards and Technology (NIST) announced plans to deprecate the use of SMS for 2FA and one-time passwords, as the method is vulnerable to an assortment of attacks that could compromise those passwords and codes. As a result, enterprises considering deployment of one-time passwords should explore other delivery methods besides SMS.

Benefits of a one-time password

The one-time password avoids common pitfalls that IT administrators and security managers face with password security. They do not have to worry about composition rules, known-bad and weak passwords, sharing of credentials or reuse of the same password on multiple accounts and systems.

Another advantage of one-time passwords is that they become invalid within minutes, so an attacker who captures a code cannot reuse it later. Note that this does not stop a real-time phishing attack in which the code is relayed to the genuine service while it is still valid, and the server must also reject a code once it has been used.

CHAPTER : 04

DESIGNING OF THE PROGRAMME

• FLOW CHART

[Flow chart image not reproduced in this extraction.]
How does OTP SMS authentication work?
One-time password tokens can be generated at various instances, for example:

• Verify login
• Verify mobile number
• Verify payment transaction
• Verify member registration on a site/app

DO'S and DON'Ts

Enter an OTP only into the service that sent it, for the transaction you initiated yourself.

NEVER share your OTP with anyone. Not even over a phone call, SMS, WhatsApp, email or on any other platform; a genuine bank or service will never ask you for it.

Think twice before you install apps on your device. Look carefully at the permissions the app asks for. Ask yourself: am I sure I want to allow a third party access to my personal data?

Never download apps from third-party websites or app stores. At all costs, avoid pirated apps, as they often mask an ulterior motive.

Use app lockers to protect the apps that access your personal information with a password or fingerprint. The important ones are SMS, Email and Phone Settings. This makes it harder for someone with physical access to your phone to read your OTP.

In Notifications settings, enable 'Hide sensitive content' to hide message contents on the phone's lock screen. Otherwise, if your phone is lost or stolen, anyone who finds it can read your OTPs and use your account to do transactions even while the phone is locked.

Be cautious about installing apps that ask for permission to read your messages. This allows the app developer to read your personal messages, including your OTPs and transaction details. If your phone OS supports it, disable SMS-reading permission for all apps that do not need it. If a puzzle game wants to read your SMS, it is a clear sign that something is fishy.

Always be on guard against phishing scams. Remember, your security is in your own hands. Trust your gut and keep yourself secure.

CHAPTER : 05

IMPLEMENTATION STEPS

• Install Python for Windows:

Python is a widely used high-level programming language. To write and execute code in Python, we first need to install Python on our system.

• Installing Python on Windows takes a series of a few easy steps.

Step 1 − Select the version of Python to install

Python has various versions available, with differences in syntax and behaviour between them. We need to choose the version we want to use. There are different versions of Python 2 and Python 3 available; Python 2 is no longer maintained, so a current Python 3 release should be chosen.

Step 2 − Download the Python executable installer

In the web browser, on the official Python site (www.python.org), go to the Downloads for Windows section.

All the available versions of Python will be listed. Select the version you require and click Download. Suppose we chose Python 3.9.1. The download size is less than 30 MB.

On clicking Download, the available executable installers for different operating systems are shown. Choose the installer that suits your operating system and download it. Suppose we select the Windows installer (64-bit).

Step 3 − Run the executable installer

We downloaded the Python 3.9.1 Windows 64-bit installer.

Run the installer. Make sure to select both checkboxes at the bottom (install the launcher for all users, and add Python to PATH) and then click Install Now.

On clicking Install Now, the installation process starts.

The installation process takes a few minutes to complete, and once the installation is successful, a confirmation screen is displayed.

Step 4 − Verify that Python is installed on Windows

To check that Python is successfully installed on your system, follow the given steps:

• Open the command prompt.
• Type 'python --version' and press Enter.
• The version of Python you installed will be displayed if Python was installed successfully and added to PATH.

Step 5 − Verify that pip was installed

pip is the package management system for Python packages. Make sure that it is installed.

To verify that pip was installed, follow the given steps:

• Open the command prompt.
• Enter 'pip -V' to check whether pip is installed.
• The pip version and its installation path appear if pip is installed successfully.

We have now installed Python and pip on our Windows system.

• Then open the Python interpreter:

• With your PowerShell command line open, enter python to run the Python 3 interpreter. (Some instructions prefer the command py or python3; these should also work.) You will know you have succeeded because a >>> prompt with three greater-than symbols is displayed.
• Start entering the code.

Generating an alphanumeric OTP of length 6

• Then run the program (by clicking the Run button in your editor, or with python followed by the script's file name on the command line).

• We get the required output.

IMPLEMENTATION PROCESS

INPUT

# import libraries
import math, random

# function to generate OTP
def generateOTP():

    # Declare a string variable which stores
    # all the characters an OTP position may take
    string = '0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ'
    OTP = ""
    length = len(string)

    # Pick 6 characters: random.random() * length is a float in [0, length),
    # and math.floor() turns it into a valid index into the string.
    # Note: random is not a cryptographically secure generator, so this
    # sample must not be used to issue real OTPs (use the secrets module).
    for i in range(6):
        OTP += string[math.floor(random.random() * length)]

    return OTP

# Driver code
if __name__ == "__main__":
    print("OTP of length 6:", generateOTP())

OUTPUT
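The same generator hardened for real use, together with the server-side expiry and single-use checks that the Result section mentions but the program above does not implement, as an added example (not the report's own code). It replaces random.random()/math.floor with the secrets module, stores only a salted hash of the pending code, and assumes a 2-minute validity window, a 5-attempt limit and an in-memory store; the user names are constructed for the demonstration, and a real service would persist the record and deliver the code out of band.

```python
"""Random-OTP issuance and verification with expiry, attempt limit and single use."""
import hashlib
import hmac
import secrets
import string

ALPHABET = string.digits       # 6 numeric digits, the common bank/SMS format
OTP_LENGTH = 6
TTL_SECONDS = 120              # validity window (assumed policy)
MAX_ATTEMPTS = 5               # guesses allowed per issued code (assumed policy)


def generate_otp(length: int = OTP_LENGTH, alphabet: str = ALPHABET) -> str:
    """Draw every position with secrets.choice(): unbiased and unpredictable,
    unlike random.random(), whose Mersenne Twister state can be reconstructed
    from observed outputs."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


class OtpStore:
    """In-memory record of one pending OTP per user (assumed for illustration;
    a real service would persist this). The code is kept only as a salted hash,
    so a leak of the store does not expose live codes."""

    def __init__(self) -> None:
        self._pending = {}

    @staticmethod
    def _digest(salt: bytes, code: str) -> bytes:
        return hashlib.sha256(salt + code.encode()).digest()

    def issue(self, user: str, now: float) -> str:
        """Create a code for `user`; the caller delivers it out of band (never log it)."""
        code = generate_otp()
        salt = secrets.token_bytes(16)
        self._pending[user] = {
            "salt": salt,
            "digest": self._digest(salt, code),
            "expires": now + TTL_SECONDS,
            "attempts": 0,
        }
        return code

    def verify(self, user: str, candidate: str, now: float) -> bool:
        """True only for an unexpired, unused code, within the attempt budget."""
        rec = self._pending.get(user)
        if rec is None:
            return False
        if now > rec["expires"] or rec["attempts"] >= MAX_ATTEMPTS:
            self._pending.pop(user, None)      # expired or locked out: discard
            return False
        rec["attempts"] += 1
        ok = hmac.compare_digest(self._digest(rec["salt"], candidate), rec["digest"])
        if ok:
            self._pending.pop(user, None)      # single use: consume on success
        return ok


if __name__ == "__main__":
    store = OtpStore()
    code = store.issue("alice", now=0.0)
    print("issued:", code)
    print("correct code accepted:", store.verify("alice", code, now=10.0))   # True
    print("replay rejected:", store.verify("alice", code, now=11.0))         # False
```

The attempt limit matters as much as the expiry: a 6-digit code has only one million values, so without a cap an attacker who can submit guesses quickly would succeed within the validity window; the constant-time comparison keeps a near-miss from being distinguishable by response time.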

CHAPTER : 06

RESULT

Running the code above prints a fresh 6-character alphanumeric OTP on each run. The time limit for entering the OTP is not enforced by this program: it has to be implemented on the verifying side, which records when the code was issued and rejects it after the validity window has passed or once it has been used.

CHAPTER : 07

CONCLUSION

The one-time password avoids common pitfalls that IT administrators and security managers face with password security. They do not have to worry about composition rules, known-bad and weak passwords, sharing of credentials or reuse of the same password on multiple accounts and systems.

Another advantage of one-time passwords is that they become invalid within minutes, so a captured code cannot be reused later. This protection depends on the server enforcing the expiry and single-use rules and on generating the code from a cryptographically secure random source; an OTP relayed to the genuine service in real time by a phishing site is still accepted, which is why SMS delivery is deprecated and authenticator apps or hardware tokens are preferred.