One Time Password Access to Any Server without Changing the Server

Dinei Florencio, Cormac Herley

Published by Springer Verlag

In this paper we describe a service that allows users one-time password access
to any web account, without any change to the server, without changing anything on the
client, and without storing user credentials in the cloud. The user pre-encrypts their password
under an assigned set of keys, and these encryptions, each of which serves as a one-time
password, are sent to the user's cell phone or carried on paper. To log in, the user merely enters
one of the encryptions as prompted, and the URRSA service decrypts it before forwarding it to
the login server. Since credentials are not stored (the service merely decrypts and forwards),
the service has no need to authenticate users. Thus, while the user must trust the service,
there are no additional passwords or secrets to remember. Since our system requires no server
changes it can be used on a trust-appropriate basis: the user can log in normally from trusted
machines, but use one-time passwords when roaming. No installation of software or alteration
of settings is required at the untrusted machine: the user merely needs access to a browser
address bar.
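The decrypt-and-forward mechanism described in the abstract, modelled in Python as an added example. This is not the authors' code and not the scheme as specified in the paper: the per-user key set, the one-time-pad XOR construction, the "index-hex" layout of the one-time password, and the LoginServer stub standing in for an unmodified web login are all assumptions chosen for the illustration.

```python
"""Toy model of a decrypt-and-forward one-time-password proxy.

Added illustration, not the authors' code: the per-user key set, the one-time-pad
XOR construction, the "index-hex" OTP layout and the LoginServer stub are all
assumptions chosen for this example.
"""
import hashlib
import hmac
import secrets

BLOCK = 32  # fixed plaintext block so a ciphertext does not reveal password length


def pad(password: bytes) -> bytes:
    """Length byte + password + zero fill, BLOCK bytes total (password shorter than BLOCK)."""
    if len(password) >= BLOCK:
        raise ValueError("password too long for this toy layout")
    return bytes([len(password)]) + password + b"\x00" * (BLOCK - 1 - len(password))


def unpad(block: bytes) -> bytes:
    return block[1:1 + block[0]]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class LoginServer:
    """Stand-in for an unmodified web login: keeps a salted hash, checks a password."""

    def __init__(self, accounts: dict):
        self.salt = secrets.token_bytes(16)
        self.hashes = {u: hashlib.sha256(self.salt + p).digest() for u, p in accounts.items()}

    def check(self, user: str, password: bytes) -> bool:
        expected = self.hashes.get(user)
        if expected is None:
            return False
        return hmac.compare_digest(expected, hashlib.sha256(self.salt + password).digest())


def make_otps(password: bytes, keys: list) -> list:
    """Client side, run once on a trusted machine: one ciphertext per assigned key.

    Each key encrypts exactly one block, so plain XOR is a one-time pad here.
    The returned strings are what the user carries or receives on a phone.
    """
    block = pad(password)
    return [f"{i}-{xor(block, k).hex()}" for i, k in enumerate(keys)]


class Service:
    """Holds only a key set per user: it never stores a password and never
    authenticates the user itself, because a consumed OTP cannot be replayed."""

    def __init__(self):
        self.keys = {}  # user -> list of [key, used]

    def assign_keys(self, user: str, n: int) -> list:
        fresh = [secrets.token_bytes(BLOCK) for _ in range(n)]
        self.keys[user] = [[k, False] for k in fresh]
        return fresh

    def login(self, user: str, otp: str, server: LoginServer) -> bool:
        """Decrypt the submitted OTP with its key and forward the password."""
        try:
            idx_s, ct_hex = otp.split("-", 1)
            idx, ct = int(idx_s), bytes.fromhex(ct_hex)
        except ValueError:
            return False
        entries = self.keys.get(user, [])
        if not (0 <= idx < len(entries)) or len(ct) != BLOCK:
            return False
        key, used = entries[idx]
        if used:
            return False  # replay of an OTP captured on the untrusted machine
        entries[idx][1] = True  # burn the key before forwarding, even if the forward fails
        password = unpad(xor(ct, key))  # the plaintext exists only transiently, here
        return server.check(user, password)


if __name__ == "__main__":
    svc, srv = Service(), LoginServer({"alice": b"hunter2"})
    otps = make_otps(b"hunter2", svc.assign_keys("alice", 3))
    print(svc.login("alice", otps[0], srv), svc.login("alice", otps[0], srv))
```

Two properties of the abstract are visible in the model: the service's state holds keys but no password, and a one-time password captured by a keylogger on the untrusted machine is consumed on first use, so it cannot be replayed. The model also exposes the trust the abstract asks of the service, since the plaintext password passes through it on every roaming login, and a caveat the abstract does not discuss: because the service does not authenticate the submitter, any well-formed submission for a valid index burns that key, so an attacker who knows a username can exhaust the supply of one-time passwords even without knowing any of them.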