Off-the-Record Messaging

Authentication

You've probably received email from people pretending to be banks, credit agencies, even wealthy Nigerian expatriates. People lie about who they are all the time on the Internet. Encryption alone hides a conversation from eavesdroppers, but it does not tell you who is at the other end of it. Authentication is how OTR lets you check that the person you are talking to is really your buddy, so that nobody can lie to you about who they are when they use OTR.

When to authenticate

You should authenticate a buddy the very first time that you talk to them using OTR. If you don't, then you can't really be sure that someone else isn't impersonating them, or sitting between the two of you and reading the conversation. However, once you've authenticated your buddy once, you don't have to do it again: OTR remembers the key it authenticated and checks it automatically for all of your future conversations with that buddy.

The only exceptions occur when your buddy switches between multiple computers or multiple IM accounts, because each one has its own OTR key. In this case, you will need to authenticate once for each computer and account. Once you've done this, your buddy can freely use any of the computers you've authenticated them on, and OTR will recognize them automatically. If your buddy uses a new computer or account, OTR will not recognize the key, and a message will pop up in your conversation window telling you about it. Someone impersonating your buddy looks exactly the same to OTR as a new computer, so treat that message as a prompt to authenticate again rather than something to dismiss.


How to authenticate

Important: If you are using OTR version 3.0.0 or earlier, or you would like to continue using the old fingerprints method, please refer to the help on fingerprints. The remainder of this page assumes that you are using a recent copy of OTR, and the standard authentication method.

To authenticate someone, open a conversation with them and click on "Authenticate Connection" on the OTR button. OTR will ask both you and your friend to enter a secret known only to the two of you.


If you both enter the same thing, then you know that you are really talking to your friend. OTR compares the two secrets without ever sending either of them, and a mismatch reveals nothing except that they differed, so an imposter gets exactly one guess per attempt and should have a hard time guessing what you're typing in. You'll be able to catch them in the act.

This method of authentication is only effective if it's hard for an imposter to guess what you're typing, but easy for your friend.

The following is an example of what not to do:


Here you are telling the other person exactly what to do. An imposter can figure out what to type in just as easily as your friend can.

A better way to pick a secret would be something like this:


Now an imposter has no idea what to type in, even though they can read the hint in the conversation window. Your friend, on the other hand, knows exactly what you're talking about. When OTR tells you that the secrets matched, you can be sure that you are really talking to your friend.
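The comparison OTR performs behind the progress bar is the Socialist Millionaire Protocol (SMP): both sides turn their typed secret into a number and run an exchange that tells them only whether the two numbers are equal. The following is an added example written for this page, not code from the OTR project. It uses a toy 63-bit safe prime found at import time instead of OTR's 1536-bit MODP group, leaves out the zero-knowledge proofs that real OTR attaches to every SMP message, and stands in for OTR's binding of the secret to both key fingerprints with a constructed `session_id` value; the secrets and session id are constructed sample input.

```python
"""Toy Socialist Millionaire Protocol (SMP) run: the equality test behind
OTR's shared-secret authentication.  Added example, not OTR project code.
Toy group (63-bit safe prime, not OTR's 1536-bit MODP group) and no
zero-knowledge proofs, so it shows the comparison, not a full OTR message."""
import hashlib
import secrets


def is_prime(n: int) -> bool:
    """Miller-Rabin with the first 12 prime bases; deterministic for n < 3e23."""
    if n < 2:
        return False
    bases = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)
    for p in bases:
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for a in bases:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def find_safe_prime(bits: int) -> int:
    """Smallest safe prime p = 2q + 1 with q prime and q >= 2**(bits - 1)."""
    q = (1 << (bits - 1)) | 1
    while not (is_prime(q) and is_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1


P = find_safe_prime(63)   # toy modulus (assumption: real OTR uses a 1536-bit prime)
Q = (P - 1) // 2          # prime order of the subgroup all values live in
G = 4                     # 4 is a quadratic residue, so it generates the order-Q subgroup


def secret_to_scalar(secret: str, session_id: bytes) -> int:
    """Hash the typed secret into an exponent.  Real OTR also hashes in both
    parties' key fingerprints and the secure session id; session_id is a
    constructed stand-in for that binding."""
    h = hashlib.sha256(session_id + secret.encode()).digest()
    return int.from_bytes(h, "big") % Q


def rand_exp() -> int:
    """Uniform exponent in [1, Q-1] (never 0, so no value collapses to 1)."""
    return secrets.randbelow(Q - 1) + 1


def inv(v: int) -> int:
    return pow(v, P - 2, P)


def smp(alice_secret: str, bob_secret: str,
        session_id: bytes = b"constructed-session-id") -> bool:
    """Run one SMP exchange between Alice and Bob; True iff secrets match."""
    x = secret_to_scalar(alice_secret, session_id)   # Alice's secret value
    y = secret_to_scalar(bob_secret, session_id)     # Bob's secret value

    # Message 1, Alice -> Bob: her halves of the two shared generators.
    a2, a3 = rand_exp(), rand_exp()
    g2a, g3a = pow(G, a2, P), pow(G, a3, P)

    # Message 2, Bob -> Alice: his halves, plus Pb and Qb which hide y.
    b2, b3 = rand_exp(), rand_exp()
    g2b, g3b = pow(G, b2, P), pow(G, b3, P)
    g2_bob, g3_bob = pow(g2a, b2, P), pow(g3a, b3, P)   # g2 = G^(a2*b2), g3 = G^(a3*b3)
    r = rand_exp()
    Pb = pow(g3_bob, r, P)
    Qb = pow(G, r, P) * pow(g2_bob, y, P) % P

    # Message 3, Alice -> Bob: Pa and Qa hiding x, and Ra = (Qa/Qb)^a3.
    g2_alice, g3_alice = pow(g2b, a2, P), pow(g3b, a3, P)
    s = rand_exp()
    Pa = pow(g3_alice, s, P)
    Qa = pow(G, s, P) * pow(g2_alice, x, P) % P
    Ra = pow(Qa * inv(Qb) % P, a3, P)

    # Message 4, Bob -> Alice: Rb = (Qa/Qb)^b3.
    Rb = pow(Qa * inv(Qb) % P, b3, P)

    # Both sides derive Rab = (Qa/Qb)^(a3*b3) = g3^(s-r) * g2^((x-y)*a3*b3).
    # It equals Pa/Pb = g3^(s-r) exactly when x == y; otherwise the leftover
    # g2^(...) factor is a random-looking group element that says nothing about y.
    rab_bob = pow(Ra, b3, P)
    rab_alice = pow(Rb, a3, P)
    assert rab_bob == rab_alice
    return rab_bob == Pa * inv(Pb) % P


if __name__ == "__main__":
    print("friend :", smp("the bar by the station", "the bar by the station"))
    print("imposter:", smp("the bar by the station", "the bar by the airport"))
```

Neither secret is ever transmitted: the only values on the wire are group elements, and when the secrets differ the final comparison fails without revealing which secret was wrong or by how much. That is why a wrong guess tells an imposter nothing beyond "not that one", and why the hint you type in the chat window, which an imposter can read, must not be enough to reconstruct the answer.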

What the results mean

When you have entered your secret and hit OK, a progress bar pops up. This bar should fill up to 100% and then display one of the following messages:


This means that authentication has been a complete success. Your buddy entered the same secret that you did, and so they are not an imposter. The OTR button will automatically change to "Private", showing that conversations with this buddy are both encrypted and authenticated (an encrypted conversation whose other end has not been authenticated is shown as "Unverified" instead).


This means that although there were no errors, your buddy did not enter the same text as you. You should try again, making sure that you are clear about what to type (for example, "the restaurant name in lower case"). If you repeatedly get this result even though your hint is unambiguous, you should view your buddy with suspicion: someone else may be at the other end of the connection, and you should not treat the conversation as private until the secrets match.


This means that something has gone wrong and the process could not complete normally. This will happen if your buddy hits "cancel" or fails to receive one of your messages. In this case, you should simply try again. If you try several times and keep getting an error, you should view your buddy with suspicion, since an imposter who cannot pass the check may instead try to stop it from finishing.