Skip to main content

Who invented the otpauth:// URI scheme? [Resolved]

It seems really simple, but who invented the commonly-used otpauth:// scheme (used by Google Authenticator and other TOTP soft tokens by scanning QR codes)? When?

Asked March 20, 2017
Tags: history
Posted Under: Programming
1 Answers

"Let's get into the Wayback machine, Sherman."

otpauth:// starts with Google as nearly as I can find, in, dated Mar 25, 2010. But the initial commit says it was to 'Import BlackBerry source code and project files.' So it came before...

The formal root of all this is RFC-2289 "A One-Time Password System" that was pulled together by the Network Working Group by Haller (Bellcore), Metz (Kaman Sciences Corporation), Nesser (Nesser & Nesser Consulting) and Straw (Bellcore), copyrighted in February 1998 by 'The Internet Society'). (

In this document, Haller's paper is referenced "The S/KEY One-Time Password System" in the Proceedings of the ISOC Symposium on Network and Distributed System Security, in February 1994. (

This document references the UNIX skey command, "S/key -- a procedure to use one time passwords for accessing computer systems" by Karn, Haller, Walden, and Chasin, with the earliest online generation found in October 1993. (

Phil Karn worked at Bell Labs and BellCore, and wrote most of the skey unix software. He since has been working on many Internet systems with security concerns, and is now at Qualcomm. Neil Haller worked at Bell Labs and BellCore and carried the skey flag forward. Haller was born in 1937 and passed in 2011. John Walden created the first MS-DOS CLient version of skey. Scott Chasin was at Bellcore in 1993 and contributed to skey. He has since gone on to head several companies some more and some less connected to computer security.

Skey was based on original work by Leslie Lamport, an ACM Turing Award recipient, who developed a method for creating digital signatures ("Constructing digital signatures from a one way function." Technical Report SRI-CSL-98, SRI International Computer Science Laboratory in October 1979 and , "Password Authentication with Insecure Communication", Communications of the ACM 24.11 in November 1981.) As a sidenote, where quantum communications looks to be able to hack passwords, Lamport signatures may not be breakable under sufficient conditions. ( and

Skey has fallen from prominence as schemes that feature two-factor authentication are becoming adopted. But it is the realization of Lamport's one-time-password authentication by the gang of scientists at Bell Labs.

We all stand on the shoulders of giants.

Answered March 20, 2017
Marvelous investigation, thank you. – johnwbyrd 2 hours ago
 CanDoerz  2 days ago
That's some fantastic research. Thank you. – Jacob Krall Nov 28 '16 at 15:37
 CanDoerz  2 days ago
Your Answer