SMS-based one-time passwords (OTPs) provide an inexpensive, easy-to-use
2-factor authentication scheme. OTPs are generated and delivered to
the user's cell phone. The user then enters the OTP to complete authentication.
The IIS-OTP system can be configured as a convenient retrofit to several existing
authentication systems, most notably forms-based and AD-based. Where there is existing
AD infrastructure, IIS-OTP can be configured without the need for an additional database.
The necessary data is stored within unused areas of Active Directory referenced by the user's username.
Configurations of IIS-OTP
- No Database: The customer keeps username/password and sms-email address in
their own database, possibly SQL. IIS-OTP is used to generate, send and verify OTPs only.
- Active Directory Mode: The customer does verification via a Windows method against AD.
IIS-OTP stores and accesses sms-email address data in AD, without any additional
database functionality. IIS-OTP generates, sends and verifies OTPs.
- Username/sms-address mode: The customer uses another method for username/password
verification, possibly SQL or RADIUS. IIS-OTP keeps sms-email address
data by username only. IIS-OTP generates, sends and verifies OTPs.
- Username/password/sms-address mode: Usernames and passwords are kept in IIS-OTP's internal
high-speed database for authentication. sms-address data is also stored so OTPs are automatically
generated and sent.
Note that IIS-OTP has all the ASP/.NET-compatible objects necessary for the user to determine and enter his
sms-address data into the appropriate database. See the IIS-OTP technical page for details.
2-factor authentication has proven to be very effective in securing
web content. Most of what is available today are external devices that
generate an OTP for verification on a proprietary server. Though effective,
there is a substantial cost associated with the implementation of this scheme.
Further, the user must learn to use and keep up with a new piece of hardware.
An SMS-based scheme offers several advantages. Most importantly, it
requires no additional devices. Users already have cell phones. Further,
they are familiar with the security mechanisms to prevent unauthorized
use. This means the system requires NO ADDITIONAL HARDWARE to implement.
From the user's point of view, authentication occurs as follows:
Phase I: Normal Windows/AD username/password (custom pages can also be used).
Phase II: Upon Windows/AD authentication, IIS-OTP generates a password
that is sent to the user's cell phone.
Phase III: User enters the OTP from the cell phone screen. 2-phase authentication
is now completed.
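The three-phase flow above, as an added worked example that is not IIS-OTP's own code: a minimal server-side OTP service that issues a code only after the primary (Phase I) check succeeds, delivers it through a pluggable sender (standing in for the SMS e-mail gateway), and then verifies it exactly once. The user table, the `sender` callback, the code length and the 5-minute lifetime are assumptions chosen for illustration; the properties worth copying are that the server stores only a salted hash of the code, compares it in constant time, expires it, caps guesses, and discards it after first use.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

OTP_DIGITS = 6          # assumed code length
OTP_TTL_SECONDS = 300   # assumed lifetime of a delivered code
MAX_ATTEMPTS = 5        # assumed guess cap before the code is discarded


@dataclass
class PendingOtp:
    digest: bytes       # salted SHA-256 of the code; the plain code is never stored
    salt: bytes
    expires_at: float
    attempts: int = 0


class OtpService:
    """Phase II (issue) and Phase III (verify) of the flow.

    `clock` and `sender` are injectable so the example runs offline;
    in a deployment `sender` would hand the message to the SMS gateway.
    """

    def __init__(self, clock=time.time, sender=None):
        self._pending = {}                      # username -> PendingOtp
        self._clock = clock
        self._sender = sender or (lambda address, message: None)

    @staticmethod
    def _digest(code: str, salt: bytes) -> bytes:
        return hashlib.sha256(salt + code.encode("ascii")).digest()

    def issue(self, username: str, sms_address: str) -> None:
        # Uniformly random code from the OS CSPRNG, zero-padded to OTP_DIGITS.
        code = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
        salt = secrets.token_bytes(16)
        self._pending[username] = PendingOtp(
            self._digest(code, salt), salt, self._clock() + OTP_TTL_SECONDS
        )
        self._sender(sms_address, f"Your login code is {code}")

    def verify(self, username: str, code: str) -> bool:
        rec = self._pending.get(username)
        if rec is None:
            return False
        if self._clock() > rec.expires_at or rec.attempts >= MAX_ATTEMPTS:
            del self._pending[username]         # expired or too many guesses
            return False
        rec.attempts += 1
        if hmac.compare_digest(self._digest(code, rec.salt), rec.digest):
            del self._pending[username]         # single use
            return True
        return False


# Constructed stand-in for the Phase I store: username -> (password hash, sms-email address).
# A real deployment would use Windows/AD or the customer's own database instead.
USERS = {
    "alice": (hashlib.sha256(b"correct horse").hexdigest(), "5550100@sms.example.invalid"),
}


def begin_login(svc: OtpService, username: str, password: str) -> bool:
    """Phase I: check the primary credential; on success trigger Phase II."""
    entry = USERS.get(username)
    if entry is None:
        return False
    pw_hash, sms_address = entry
    if not hmac.compare_digest(hashlib.sha256(password.encode()).hexdigest(), pw_hash):
        return False
    svc.issue(username, sms_address)
    return True


if __name__ == "__main__":
    outbox = []
    svc = OtpService(sender=lambda address, message: outbox.append(message))
    if begin_login(svc, "alice", "correct horse"):
        code = outbox[-1].split()[-1]           # what the user reads off the phone
        print("Phase III result:", svc.verify("alice", code))
```

Because the verifier stores only a salted hash, a read of the pending table does not disclose usable codes, and the attempt cap keeps a six-digit code from being brute-forced within its lifetime.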