Update: I now know the description below to be inaccurate. See the comments section below.

Here is my guess at how the new HSBC SecureKey device works…

Each device has its own method for generating a long sequence of 6-digit numbers (example: divide the previous number by 13, add 5, and swap the second and fourth digits around). That method is known only to the device itself, and HSBC’s central database. That database stores, for each device serial number, (1) how that device’s sequence is generated, and (2) where the device is currently at in the sequence. When you press the green button after entering your PIN, the next 6-digit number in the sequence is generated and shown. When you type that number into the HSBC login page, HSBC updates its database to advance to the next number in the sequence, and checks that it matches the number you entered.

This process will eventually, after several years, exhaust the sequence of 6-digit numbers. Thereupon, the sequence will begin all over again.

A slight refinement is necessary. I can make my device get ‘out of sync’ with the HSBC database by repeatedly pressing the green button, but not trying to log in using the numbers it generates. To address this situation, the HSBC login page must accept not merely the very next number in the sequence, but any of the next, say, hundred numbers, and update its database accordingly.
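The scheme sketched above, written out as an added example that is not from the post or from HSBC: a server-side check in Python that accepts any of the next hundred codes in a device's sequence and advances the stored position accordingly. The secret, the serial number and the code derivation are assumptions; an HMAC-based (HOTP-style) rule stands in for the toy divide-by-13 method, and the device side is modelled only as a position counter.

```python
import hashlib
import hmac

DIGITS = 6
LOOK_AHEAD = 100  # "any of the next, say, hundred numbers"


def code_at(secret: bytes, position: int) -> str:
    # The device's private "method" is modelled with HOTP-style HMAC-SHA1
    # truncation (RFC 4226); only a holder of the per-device secret can compute it.
    mac = hmac.new(secret, position.to_bytes(8, "big"), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{value % 10 ** DIGITS:0{DIGITS}d}"


class BankServer:
    # Central database: serial number -> (secret, next expected position).
    def __init__(self):
        self.db = {}

    def register(self, serial: str, secret: bytes):
        self.db[serial] = (secret, 0)

    def verify(self, serial: str, submitted: str) -> bool:
        secret, expected = self.db[serial]
        # Accept any of the next LOOK_AHEAD codes so a device pressed without
        # logging in can resynchronise; this widens a blind guess's odds from
        # 1/10^6 to about 1/10^4 per try, so failed attempts must be throttled.
        for i in range(LOOK_AHEAD):
            if hmac.compare_digest(code_at(secret, expected + i), submitted):
                self.db[serial] = (secret, expected + i + 1)  # only ever advance
                return True
        return False


def demo():
    # Constructed scenario: five idle green-button presses, a login, a replay
    # of the same code, then a code from beyond the whole window. The device
    # side is just a counter: each press shows code_at(secret, position).
    secret = b"constructed-demo-secret-not-a-real-key"
    bank = BankServer()
    bank.register("SN-0001", secret)
    position = 5                              # five presses, none typed in
    code = code_at(secret, position)          # sixth press is used to log in
    accepted = bank.verify("SN-0001", code)   # True: within the window
    replayed = bank.verify("SN-0001", code)   # False: database already moved on
    position += 1 + LOOK_AHEAD                # pressed past the whole window
    stale = bank.verify("SN-0001", code_at(secret, position))  # False
    return accepted, replayed, stale
```

Because the database position only ever moves forward, a code that has been used once (or one from before the stored position) is never accepted again, which is what stops a shoulder-surfed code from being replayed.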


Hm, on the digital key I have for my Norwegian bank, it generates the code based on the current time, and a specific formula. So as long as the central computer has a clock that is in sync, and knows the formula, they will be able to authenticate with each other.

Thanks Stian, that sounds much more likely. Indeed, using a bit of trial and error, I have worked out, to within a second or so, how long the generated code remains valid. After pressing the green button to generate the 6-digit number, you have a window of about 2 minutes 20 seconds in which to type it in and click the ‘Continue’ button. Beyond that, your login attempt is rejected and you have to generate a new 6-digit number.

For many people, both old and others, the time of 2 minutes 20 seconds allowed is being exceeded, and they are then forced to change to a different 6-digit number. Is there any truth in this finding?