One Time Password Algorithm for Humans

There are some commercial schemes, e.g. GridGuard from SyferLock that claim to do this, but I have never used them (I have no affiliation). This relies on the user choosing correctly from multiple options during authentication rather than a typical time or counter based OTP (which means no mental arithmetic).

Solitaire (Schneier), is often cited for a human-computable cryptosystem, it would need some adaption for authentication purposes though. A challenge-response authentication with shared key would be practical, but does not fulfill your description of the OTP.

What should work (with the usual caveat) would be an implementation of TOTP (RFC6238) or HOTP (RFC4226), using an alternate HMAC hash such as Blum's HCMU (Human Computable Machine Unbreakable, description here) mentally computable hash (see also the more generalised OCRA (RFC6287).

TOTP/HOTP are basically the (truncated) output of a HMAC using SHA-1, the input being a shared secret and timestamp or counter. You would need to use a strictly alphabetic representation of the input though, as Blum's algorithm applies only to alphabetic input.

Blum also co-authored a paper Towards Human Computable passwords (on ArXiv), though large parts of it are heavily mathematical. It doesn't briefly covers OTP in §7.2.

See also:

  • https://crypto.stackexchange.com/questions/9787/are-there-cryptographic-hash-functions-that-can-be-computed-using-only-paper-and
  • https://crypto.stackexchange.com/questions/844/is-there-a-secure-cryptosystem-that-can-be-performed-mentally

You could have a lookup table that's used like a one time pad.

Each page in the lookup book is a day's worth of OTPs, and you look up the book on the current date/time to get the correct OTP for that moment. This simulates a TOTP. You can trade off between security (how often the TOTP changes) and the thickness of your lookup book.


Steve Gibson put together something called "Perfect Paper Passwords" as sort of a demonstration of how it could be done. https://www.grc.com/ppp has the details. The site has downloadable code that can be used to build upon to make a more sophisticated implementation.

This is not time based, but is simply a sequence of one-time passwords, which can only be used in order. Even if the current password is sniffed, it provides no information about the next one. The number of characters per password and the "alphabet" are adjustable.

enter image description here

Here we see that codes 1A-D have already been used, and the next code to be used is E1 (Tygq).