RFC 2289 · INTERNET STANDARD · 1998
SUN · 14 JUN 2026
A One-Time Password System
Overview
RFC 2289, “A One-Time Password System”, is an Internet Standard document published in February 1998 by N. Haller, C. Metz, P. Nesser, M. Straw. It obsoletes RFC 1938. The canonical text is published by the RFC Editor.
Abstract
This document describes a one-time password authentication system (OTP). The system provides authentication for system access (login) and other applications requiring authentication that is secure against passive attacks based on replaying captured reusable passwords. [STANDARDS-TRACK]
What “Internet Standard” means
A mature, widely-implemented specification that has completed the full IETF standards process — the highest maturity level on the standards track.
Read this RFC
The canonical text of RFC 2289 is hosted at rfc-editor.org. Available in TXT,HTML.
Relationships to other RFCs
Other RFCs from 1998
- RFC 2288 Using Existing Bibliographic Identifiers as Uniform Resource Names
- RFC 2290 Mobile-IPv4 Configuration Option for PPP IPCP
- RFC 2287 Definitions of System-Level Managed Objects for Applications
- RFC 2291 Requirements for a Distributed Authoring and Versioning Protocol for the World Wide Web
- RFC 2286 Test Cases for HMAC-RIPEMD160 and HMAC-RIPEMD128
- RFC 2292 Advanced Sockets API for IPv6
- RFC 2285 Benchmarking Terminology for LAN Switching Devices
- RFC 2293 Representing Tables and Subtrees in the X.500 Directory