I recently came across references to OATH standards, specifically OCRA and EVV. I realized that I had heard about them in passing, but had never dug deeper. We are currently developing an internal transaction confirmation system and want to make everything as reliable as possible. I have read about OTP and everything seems clear. OCRA, for challenge-response, sounds interesting, but there is almost no information. Maybe someone has already implemented something like this or has at least looked into it?




It is interesting to read such discussions. I never thought before that there are so many varieties of disposable codes. Usually everyone is limited to TOTP, or at most HOTP, but here is a whole world of standards. Thanks for the topic, I've made a note of it, maybe it will come in handy someday.
I encountered this when I had to provide confirmation of operations with specific parameters for a fintech project, and that's when I started studying OCRA. OATH standards are not the easiest to understand, especially if you go straight into the specifications. It is better to start with practical examples. I used hotp generator for tests; it helps not only with HOTP/TOTP, but also gives a general idea of the logic of code generation. Even if you want to move to more complex protocols like OCRA, you should still understand the basic mechanisms first. As for information, you can look at the official RFCs and search for articles in English at the same time; there are a bit more of them.