How does password-append OTP validation work?

Question

Recently when I was changing some Amazon account settings, I've noticed that they provide an option to validate the OTP by appending it to the password. How would this work, if the password is one-way hashed?

score 3 · Accepted Answer · answered Jan 20 '20 at 18:42

3

The password is not hashed in the application but in the server. The server gets the password+OTP token in clear (protected with HTTPS between client and server) and can extract both password and OTP token from this, then proceed with normal password verification.

answered Jan 20 '20 at 18:42

Steffen Ullrich

201,479
30
402
465

What if one's password ends in six digits - would it mean that the Amazon service would need to do two-path validation, first through the entire string, and second time with the OTP separated? – Den Jan 20 '20 at 18:51
2

@DenDelimarsky: Either the server knows that OTP is expected at the end or it can simply try both variants. – Steffen Ullrich Jan 20 '20 at 20:21
1

@DenDelimarsky See also the answer to Why can I log in to my Facebook account with a misspelled email/password?, where FB may hash several commonly-mis-typed variants of the password you supplied (e.g. if oOPScAPSlOCKiSoN fails, it may try OopsCapsLockIsOn). – TripeHound Jan 21 '20 at 12:10

score 1 · Answer 2 · answered Jan 20 '20 at 18:43

1

Because it is stored as a one-way hash - since Amazon know how long the OTP part, is they trim that off what you typed before generating the hashed version to compare with what they have stored.

answered Jan 20 '20 at 18:43

symcbean

18,625
1
41
75

How does password-append OTP validation work?

2 Answers2

Linked