A: The first countermeasure is to use a two-factor approach, i.e. combining the token with a PIN or a password.
If there is a store-replay concern as you mention above, a good countermeasure is to ask for the user to supply an OTP more than one time during a session. The token has a second timer and the validating application can use this counter to calculate the delta between two OTPs during one session. Consider a service where the user uses the token to log in. After a "make a payment" request, the server asks for a second confirmation OTP. The server will then measure the token's reported delta vs. the expected. If they match, the transaction is committed.Statistics: Posted by hrag — Wed May 14, 2008 7:31 pm
]]>