Why Does the "CA Mobile OTP" Android App Generate a Code with an Incorrect PIN?

Document ID : KB000117447
Last Modified Date : 12/10/2018
Question:
I am using the "CA Mobile OTP" Android app. A code is generated even though I entered the PIN incorrectly in the "CA Mobile OTP" app after creating the account. Of course, the code will then fail at login. For this reason, it is not possible to determine whether the login failure is due to failed account linking after the account was created, or due to an incorrect PIN. Why does the "CA Mobile OTP" Android app generate a code with an incorrect PIN?
Answer:
CA Arcot's patented "Cryptographic Camouflage" technology protects the Digital IDs (private keys) stored on user devices. It resists offline brute-force attacks by hiding the private key from would-be attackers: decryption, even with an incorrect password, always produces a result that has the specific, well-documented characteristics of a private key. So for a simple 6-digit password, a brute-force attack produces approximately 56.8 billion plausible but invalid private keys. Because a key produced from an invalid password meets all the characteristics of a valid key, it can still be used to generate an OTP, which is why the app produces a code for any PIN. This prevents attackers from mounting offline attacks on a CA Mobile OTP account, since they cannot know whether they have found the right password without validating the result online. After a few failed online attempts, the user's account can be locked out, foiling any attempt to "crack" the CA Mobile OTP account key.
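The following is an added illustration of the camouflage property described above; it is constructed for this article and is not CA Arcot's implementation. It assumes a simplified model in which a PIN-derived PBKDF2 pad is XORed over a 20-byte HOTP seed (so every PIN unwraps to a well-formed seed and the client can always generate an RFC 4226 code), contrasts it with a naive store whose integrity tag leaks PIN correctness offline, and uses a constructed server-side lockout after three failures.

```python
import hashlib
import hmac
import struct

# Constructed example, not CA Arcot's code: a PIN-derived pad is XORed over
# a 20-byte HOTP seed. Any PIN "decrypts" to a well-formed seed, so the
# client can always produce a code; only the server can tell it is wrong.
SALT = b"constructed-salt"          # constructed value for the example
SEED_LEN = 20                       # HOTP/HMAC-SHA1 seed length

def pin_pad(pin: str, length: int) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), SALT, 10_000, length)

def camouflage(seed: bytes, pin: str) -> bytes:
    """Store seed XOR pad; XOR is its own inverse, so the same call unwraps."""
    return bytes(a ^ b for a, b in zip(seed, pin_pad(pin, len(seed))))

def naive_seal(seed: bytes, pin: str) -> bytes:
    """Contrast: ciphertext plus an integrity tag keyed from the PIN."""
    blob = camouflage(seed, pin)
    return blob + hmac.new(pin_pad(pin, 32), blob, hashlib.sha256).digest()

def naive_unlock(sealed: bytes, pin: str):
    """The tag tells an offline attacker whether the PIN was right."""
    blob, tag = sealed[:SEED_LEN], sealed[SEED_LEN:]
    good = hmac.new(pin_pad(pin, 32), blob, hashlib.sha256).digest()
    return camouflage(blob, pin) if hmac.compare_digest(tag, good) else None

def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP with HMAC-SHA1 and dynamic truncation."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

class OtpServer:
    """Holds the real seed; the only place a wrong PIN becomes visible."""
    def __init__(self, seed: bytes, max_failures: int = 3):
        self.seed, self.max_failures, self.failures = seed, max_failures, 0

    def verify(self, code: str, counter: int) -> str:
        if self.failures >= self.max_failures:
            return "locked"
        if hmac.compare_digest(hotp(self.seed, counter), code):
            self.failures = 0
            return "accepted"
        self.failures += 1
        return "locked" if self.failures >= self.max_failures else "rejected"
```

The client-side call `camouflage(blob, pin)` never raises for a wrong PIN, which is the behaviour the question observes; `naive_unlock` shows the offline oracle that camouflage is designed to remove.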

PATENT INFORMATION:
OTP generation using a camouflaged key
https://patents.google.com/patent/US8850218