Usernames and passwords have long been established as the de facto form of authentication for websites and other systems. They provide a convenient system for authenticating and identifying users. However, they are also highly vulnerable to dictionary attacks, weak passwords, key-loggers etc. Recently, two-factor authentication has been suggested as providing a much stronger approach. In addition to 'Something You Know', such as a password, you also provide 'Something You Have', such as a security token. Verisign and RSA Security offer such products that produce a time-synchronized sequence of digits that change at regular intervals. Systems that incorporate these security token mechanisms, accept the sequence of digits in addition to a password during authentication.
Steve Gibson from GRC recently released a similar system based on passcodes. The Perfect Paper Passwords system produces a set of one-time passcodes. The passcodes are created using a 256-bit Sequence Key passed through a Rijndael/AES Cipher. The passcodes are then grouped into credit card sized passcards across 7 columns and 10 rows. During authentication, the system would prompt the user to enter the passcode at a particular column-row location (e.g. A3, D8 etc.). Since the passcards can be printed on paper it is an inexpensive, simple and highly-effective method of providing two-factor authentication.
The system has been released freely for public use and there are a number of language specific implementations already in place. Based on the sheer number of possible combinations, the PPP system is 16.77 times more secure than the token based systems by Verisign and RSA Security!