Because the short set of characters does not change until the counter reaches zero, it is possible to prepare a list of single-use passwords, in order, that can be carried by the user. Alternatively, the user can present the password, characters and desired counter value to a local calculator to generate the appropriate one-time password that can then be transmitted over the network in the clear. The latter form is more common and practically amounts to challenge-response authentication.
S/KEY is supported in Linux (via Pluggable authentication modules), OpenBSD, NetBSD, and FreeBSD, and a generic open source implementation can be used to enable its use on other systems. S/KEY is a trademark of Telcordia Technologies, formerly known as Bell Communications Research (Bellcore).
S/KEY is also sometimes referred to as Lamport's scheme, after its author. It was developed by Neil Haller, Phil Karn and John Walden at Bellcore in the late 1980s. With the expiration of the basic patents on public key cryptography and the widespread use of laptop computers running SSH and other cryptographic protocols that can secure an entire session, not just the password, S/KEY is falling into disuse. SecurID is a related one-time password scheme that still sees widespread use because, unlike S/KEY, it provides two-factor authentication by requiring a physical token that cannot be easily reproduced.
After password generation, the user has a sheet of paper with n passwords on it. The first password is the same password that the server has stored. This first password will not be used for authentication (the user should scratch this password on the sheet of paper), the second one will be used instead:
For subsequent authentications, the user will provide password i. (The last password on the printed list, password n, is the first password generated by the server, H(w), where w is the initial secret). The server will compute H(password i) and will compare the result to password i-1, which is stored as reference on the server.
However this would require inverting the hash function that produced password i using password i-1 (password i = H(password i-1)), which is extremely difficult to do with current cryptographic hash functions.
S/KEY is however vulnerable to a man in the middle attack if used by itself. It is also vulnerable to certain race conditions, such as where an attacker's software sniffs the network to learn the first N-1 characters in the password (where N equals the password length), establishes its own TCP session to the server, and in rapid succession tries all valid characters in the Nth position until one succeeds. These types of vulnerabilities can be avoided by using ssh, SSL, SPKM or other encrypted transport layer.