no-herd
ulm@gentoo.org
From RFC2289:
One form of attack on networked computing systems is eavesdropping on
network connections to obtain authentication information such as the
login IDs and passwords of legitimate users. Once this information is
captured, it can be used at a later time to gain access to the system.
One-time password systems are designed to counter this type of attack,
called a "replay attack."
The authentication system described in this document uses a secret
pass-phrase to generate a sequence of one-time (single use) passwords.
With this system, the user's secret pass-phrase never needs to cross the
network at any time such as during authentication or during pass-phrase
changes. Thus, it is not vulnerable to replay attacks. Added security
is provided by the property that no secret information need be stored on
any system, including the server being protected.
The OTP system protects against external passive attacks against the
authentication subsystem. It does not prevent a network eavesdropper from
gaining access to private information and does not provide protection
against either "social engineering" or active attacks.