
Recently when I was changing some Amazon account settings, I've noticed that they provide an option to validate the OTP by appending it to the password. How would this work, if the password is one-way hashed?

A screenshot of the Amazon OTP guidance

Den
  • 205
  • 2
  • 5

2 Answers

3

The password is not hashed in the application but on the server. The server gets the password+OTP token in clear (protected with HTTPS between client and server) and can extract both password and OTP token from this, then proceed with normal password verification.

Steffen Ullrich
  • 201,479
  • 30
  • 402
  • 465
1

Because it is stored as a one-way hash - since Amazon know how long the OTP part is, they trim that off what you typed before generating the hashed version to compare with what they have stored.

symcbean
  • 18,625
  • 1
  • 41
  • 75
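A sketch of the server-side check that both answers describe, added here as an example; it is not code from either answer and not Amazon's implementation (which is not public). The server cuts the last `OTP_LENGTH` characters off the submitted string, hashes and compares only the remainder against the stored password hash, and checks the cut-off digits against a TOTP derived from the user's enrolled secret. PBKDF2-SHA256 for the password hash, a 6-digit 30-second RFC 6238 TOTP and the one-step skew window are assumptions, not details from the page.

```python
import hashlib
import hmac
import os
import struct
import time

OTP_LENGTH = 6            # assumed: the appended code is always 6 digits
PBKDF2_ROUNDS = 200_000   # assumed work factor


def hash_password(password: str, salt: bytes = b"") -> tuple[bytes, bytes]:
    """One-way hash of the password alone; the OTP never enters the hash."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = OTP_LENGTH) -> str:
    """RFC 6238 TOTP with HMAC-SHA1, the variant most authenticator apps use."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def split_combined(combined: str) -> tuple[str, str]:
    """Server-side split: last OTP_LENGTH chars are the code, the rest is the password.
    Cutting at a fixed length works even when the password itself ends in digits."""
    if len(combined) <= OTP_LENGTH:
        raise ValueError("too short to hold both a password and an OTP")
    return combined[:-OTP_LENGTH], combined[-OTP_LENGTH:]


def verify_login(combined: str, salt: bytes, stored_hash: bytes,
                 totp_secret: bytes, now: int = 0) -> bool:
    """Verify password+OTP submitted as one string, the way the question describes."""
    now = now or int(time.time())
    password, code = split_combined(combined)
    _, candidate = hash_password(password, salt)
    password_ok = hmac.compare_digest(candidate, stored_hash)
    # Accept the previous, current and next 30-second step to tolerate clock skew.
    otp_ok = any(hmac.compare_digest(code, totp(totp_secret, now + d * 30))
                 for d in (-1, 0, 1))
    # Both checks are always computed before returning, so a failure of one
    # does not change the response time relative to a failure of the other.
    return password_ok and otp_ok
```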