2FA Guides

OCRA OTP tokens can be used with many system services or integrated into custom applications. We collected some use cases with detailed descriptions of how to set up and use an OTP token with different software products.

How 2FA with OTP works

OTP.to tokens implement an algorithm defined in RFC 6287 by the IETF. This algorithm uses a secret key, a counter and a PIN to produce a response from a challenge. The OTP cards use the OCRA-1:HOTP-SHA1-6:C-QN08-PSHA1 cipher suite. On the service side, the authentication module has to be configured with the secret key of the card, the expected PIN and a counter window. The authentication module can then generate a random challenge and check whether the user has provided the correct response for that challenge. More advanced implementations can use a kill PIN to invalidate user accounts, or specific counter windows to lock out cards that have been used in other systems.

OTP parameters

  • Counter Window: The OCRA OTP Card can only be used on a limited set of systems. When the card counter is outside of the defined window of the system, the generated responses are no longer valid.
  • Activation Counter: The authentication service tracks login attempts and limits the access to sensitive data like customer records.
  • Kill PIN: A user enters a different PIN to lock an account on purpose. This may be useful when the card and the kill PIN are given away to a malicious third party.

Window counter and what to do with it

The service may define a window for the counter that ensures that the OCRA OTP Card has only generated a limited set of (unsuccessful) responses before becoming invalid. With a small window of, e.g., 5, only 5 login attempts on the service are possible before an administrator has to reset the counter.

A larger window is suggested when multiple services are used with the same OCRA OTP Card.
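
The response calculation and the service-side check described above, as an added example (not code from OTP.to or from the OCRA PAM module): it computes the RFC 6287 response for the OCRA-1:HOTP-SHA1-6:C-QN08-PSHA1 suite and verifies it against a counter window and a kill PIN. The `Account` class, its window semantics (counters from the stored value up to stored + window - 1 are accepted) and the kill PIN handling are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

SUITE = "OCRA-1:HOTP-SHA1-6:C-QN08-PSHA1"  # suite named on this page

def ocra(key, challenge, counter=None, pin=None, suite=SUITE):
    """RFC 6287 response for HOTP-SHA1-6 suites with a numeric challenge (QN)."""
    data = suite.encode() + b"\x00"              # suite string, then a 0x00 separator
    if counter is not None:                      # C: 8-byte big-endian counter
        data += counter.to_bytes(8, "big")
    # Q: decimal challenge -> hex string, right-padded with zeros to 128 bytes
    data += bytes.fromhex(format(int(challenge), "X").ljust(256, "0"))
    if pin is not None:                          # P: SHA-1 hash of the PIN
        data += hashlib.sha1(pin.encode()).digest()
    mac = hmac.new(key, data, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # HOTP dynamic truncation
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{code % 10**6:06d}"

def new_challenge():
    """Random 8-digit numeric challenge (QN08)."""
    return f"{secrets.randbelow(10**8):08d}"

class Account:
    """Hypothetical service-side record: key, PIN, kill PIN, counter, window."""
    def __init__(self, key, pin, kill_pin, counter=0, window=5):
        self.key, self.pin, self.kill_pin = key, pin, kill_pin
        self.counter, self.window, self.locked = counter, window, False

    def verify(self, challenge, response):
        if self.locked:
            return False
        for c in range(self.counter, self.counter + self.window):
            if hmac.compare_digest(ocra(self.key, challenge, c, self.kill_pin), response):
                self.locked = True               # kill PIN entered: lock the account
                return False
            if hmac.compare_digest(ocra(self.key, challenge, c, self.pin), response):
                self.counter = c + 1             # resync past the accepted counter
                return True
        return False                             # wrong PIN or counter outside window
```

Moving the stored counter past the accepted value means a captured response cannot be replayed, and a card whose counter has run ahead of the window is rejected until an administrator resets it.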

Login Services

Password logins are prone to compromise. The OCRA token can secure services by forcing users to use the token for authentication. Many services can be configured to use the OCRA PAM module without additional implementation effort.


Use the OCRA token to secure dedicated database users such as admin@localhost without a password.