Article details

Journal: 電子商務學報 (TSSCI)

Title (Chinese): 應用於網路銀行交易確認的簡訊單次密碼機制
Volume/Issue: 14:3
Title (English): Transaction Confirmation with Short Message Service-One Time Password Scheme for Internet Banking
Authors: 黃景彰、許義昌、蔡景乘
Pages: 471-492
Keywords: Internet Banking; Transaction Confirmation; Authentication; Short Message Service; One-Time Password
Publication date: 2012-09

Abstract (Chinese, translated)

To secure internet banking transactions, transaction passwords limited to a single use, known as one-time passwords (OTPs), are already a widely used method. An OTP can be produced by a passcode-generation token in the user's possession, or generated on the system side and delivered to the user by short message (SMS).

A situation that frequently inconveniences users is pressing a wrong key during entry. The OTP that reaches the internet banking system is then judged incorrect; once the number of errors reaches the prescribed limit, the system suspends the user's account privileges, and the user must bring identification documents in person to a bank service point to have the account unlocked. A mistyped OTP generally differs only slightly from the correct one, so an attacker who has eavesdropped on or recorded an OTP may, after some guessing and correction, succeed in breaking into the internet banking system.

Taking the SMS-delivered OTP mechanism as its basis, this study proposes an improved mechanism with the following features:
(1) the client device first computes the mobile phone number the user has registered with the system and displays it on the client screen, so that the user can visually confirm the authenticity of the system side;
(2) if the user judges the displayed phone number to be correct, the client device asks the user to enter the OTP and verifies it; only an OTP that the client has verified as correct is transmitted to the system side.
The improved mechanism proposed in this study therefore increases user convenience and lets the user confirm that the system side is not a counterfeit website. Furthermore, if the system side receives an incorrect OTP, it can infer that it is under attack by an intruder and take defensive measures against the source that returned the OTP.

Abstract (English)

One-Time Password (OTP) is widely used to ensure transaction security in internet banking. The OTP is generated by a Passcode-Generation Token in the possession of the user, or is generated on the system side and then sent as a short message to the user. The user must enter the OTP and send it back to the system for confirmation. One scenario that often causes user inconvenience is that the user carelessly inputs an incorrect OTP, which results in a rejected transaction request. After a given number of rejections, the system will suspend account access, requiring the user to present identification documents in person to the bank to restore access privileges. The differences between correct and incorrect OTP inputs are usually small, and attackers can potentially eavesdrop on OTP inputs and, through speculation and trial-and-error, successfully attack the system.

This study proposes an improved OTP scheme that utilizes short message service. The proposed scheme has the following new features: (1) The client device computes the user's registered mobile phone number and displays it on the device's screen for inspection by the user to ensure the system is authentic. (2) After the displayed phone number is verified as correct, the user enters the OTP received on his mobile phone. Next, the input OTP is verified by the client device, and only a correct OTP input is transmitted to the system side.

This proposed scheme not only offers the user greater convenience but also allows users to verify that the system side is not an impostor. In addition, if the system receives an incorrect OTP, the system can assume it is under attack and take defensive measures.
