This document describes an algorithm to generate one-time password
values, based on Hashed Message Authentication Code (HMAC). A security
analysis of the algorithm is presented, and important parameters
related to the secure deployment of the algorithm are discussed. The
proposed algorithm can be used across a wide range of network
applications ranging from remote Virtual Private Network (VPN) access,
Wi-Fi network logon to transaction-oriented Web applications. This
work is a joint effort by the OATH (Open AuTHentication) membership to
specify an algorithm that can be freely distributed to the technical
community. The authors believe that a common and shared algorithm will
facilitate adoption of two-factor authentication on the Internet by
enabling interoperability across commercial and open-source
implementations. This memo provides information for the Internet
community.