An OTP (One Time Password) is a token used for multi-factor authentication. A time-synchronized OTP is associated with a hardware device known as a secure token (a sample shown below). A random number is generated based on the password generation algorithm and the clock. The user enters this generated OTP to authenticate himself.

The generated OTP can vary in length based on the implementation. Let us consider a six digit OTP generator. Some OTPs appear to be a valid number even when read upside down, but authentication fails because the number read is not the same as the generated OTP. For example, the OTP 126850 can be misread as 058921. Given a six digit OTP scenario, what percentage of the passwords can be misread?

There are six digits in an OTP and ten possible values for each of the digits. The total number of six digit passwords is 10^6.

The digits which still make a valid digit when read upside down are 0, 1, 2, 5, 6, 8, 9, which is seven possible values. If even one of the digits is in the remaining set of 3, 4, or 7, the six digit OTP cannot be misread, as it does not make a valid number. Hence, the total number of OTPs which can be misread is 7^6 (seven possible values for each of the six digits).

The percentage of passwords which can be misread is 7^6/10^6 = 11%. 11 in a hundred OTPs can be misread.
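
The count above can be checked by brute force. The following Python sketch is an added example, not part of the original post: it rotates every six digit OTP by 180 degrees and counts those that still form a valid number, and it goes one step further by separating out the OTPs that read identically upside down. The function names are illustrative, and the digit mapping (6 and 9 swap, the others map to themselves) is an assumption taken from the 126850 example.

```python
from itertools import product

# Image of each digit after a 180-degree rotation (assumed from the
# 126850 -> 058921 example); 3, 4 and 7 have no valid image.
ROTATE = {"0": "0", "1": "1", "2": "2", "5": "5", "6": "9", "8": "8", "9": "6"}


def read_upside_down(otp):
    """Return the OTP as seen with the token turned over, or None if unreadable."""
    if any(d not in ROTATE for d in otp):
        return None
    # Turning the display over reverses the digit order and rotates each digit.
    return "".join(ROTATE[d] for d in reversed(otp))


def count_misreadable(length=6):
    """Enumerate every OTP of the given length.

    Returns (total, readable, different):
      readable  - OTPs that form a valid number upside down (the 7^n count)
      different - readable OTPs whose upside-down value is not the OTP itself
    """
    total = readable = different = 0
    for digits in product("0123456789", repeat=length):
        otp = "".join(digits)
        total += 1
        flipped = read_upside_down(otp)
        if flipped is None:
            continue
        readable += 1
        if flipped != otp:
            different += 1
    return total, readable, different


if __name__ == "__main__":
    total, readable, different = count_misreadable(6)
    print("126850 upside down:", read_upside_down("126850"))
    print(f"valid upside down: {readable} of {total}")
    print(f"read as a different value: {different}")
    print(f"read identically either way: {readable - different}")
```
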