horizontalsystems / unstoppable-wallet-android

A powerful non-custodial multi-wallet for Bitcoin, Ethereum, Binance Smart Chain, Avalanche, Solana and other blockchains. Non-custodial crypto and NFT storage, onchain decentralized exchange, institutional grade analytics for cryptocurrency and NFT markets, extensive privacy controls and human oriented design. Implemented in Kotlin.
https://unstoppable.money
MIT License
872 stars, 361 forks

HOTP as auxiliary access #6816

Closed serrq closed 10 months ago

serrq commented 10 months ago

Unlike what happens with the TOTP system, HOTP does not need to be connected to the internet or to synchronize with a remote server.

HOTP has a secret code that acts as a seed: through an algorithm this seed generates disposable pins.

UW will simply wait for the user to type the valid pin for that step (the step counter isn't shown in UW to avoid a correlation problem).

It doesn't need any remote synchronization. Completely offline. Everything happens locally.

Since pin steps are progressive, this method – complementary to the traditional pin system that we are already using – would allow us to leave home with a list of disposable pins to use even in conditions where privacy is not guaranteed.

The user will be able to switch between the two pin systems easily through a toggle placed in UW's numpad.

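An added example (not code from this issue or from the Unstoppable Wallet project, and in Python rather than the project's Kotlin) of the counter-based scheme the post describes: RFC 4226 HOTP generation, the printable list of disposable pins, and the wallet-side check that accepts the next pin within a look-ahead window and never accepts a pin twice. The secret is the RFC 4226 test-vector key, used here only so the output is checkable; the look-ahead size is an assumed value.

```python
import hashlib
import hmac
import struct

# Constructed demo secret: the RFC 4226 test-vector key "12345678901234567890".
# A real wallet would generate a random secret and keep it in protected storage.
SECRET = b"12345678901234567890"
DIGITS = 6
LOOK_AHEAD = 20  # assumed: how many skipped list entries the verifier tolerates


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def printable_list(secret: bytes, start: int, count: int) -> list:
    """The disposable pin list the user would write down before leaving home."""
    return [hotp(secret, c) for c in range(start, start + count)]


class HotpVerifier:
    """Verifier side (the wallet): stores the secret and only the next expected counter."""

    def __init__(self, secret: bytes, counter: int = 0):
        self.secret = secret
        self.counter = counter  # next counter the wallet will accept

    def verify(self, pin: str) -> bool:
        # Accept any of the next LOOK_AHEAD pins (the user may have crossed an
        # entry off the list without using it). Every counter up to and
        # including the matched one is consumed, so a pin seen by a camera
        # cannot be replayed later.
        for c in range(self.counter, self.counter + LOOK_AHEAD):
            if hmac.compare_digest(hotp(self.secret, c), pin):
                self.counter = c + 1
                return True
        return False
```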

Andreisbb commented 10 months ago

Why do you need HOTP if you are the server? If an attacker has access to your device they can hack it without a problem.

serrq commented 10 months ago

You can optionally install the HOTP generator in your smartwatch or another device outside your smartphone, while the app (UW) stores the secret code in a locally protected directory within the device.

There is no server to contact in any part of the configuration or while it runs.

I don’t think it is easy to hack, but in any case this method does not access the same level of power as the master pin.

serrq commented 10 months ago

It is convenient if you are on the train, bus or in a supermarket and want to access a wallet to do some shopping, aware that some installed camera can see the typed pin.

You leave your home with a list of 20 disposable pins and every time you enter a store to make purchases you type a different one.

Just an idea. Not mandatory.

Andreisbb commented 10 months ago

It makes no difference where the client is (on a smart watch or another device): if an attacker has access to the phone with the Unstoppable app (server), there's no need to hack the client.