Worried that your smart lock’s one-time password will stop working if Wi-Fi drops? Learn how offline algorithms generate secure, time-based codes that remain valid even without internet.


Imagine this: you create a one-time password (OTP) for a guest arriving tomorrow, but overnight your home Wi-Fi dies. Will the OTP still open the door? The short answer is YES—if your lock uses a modern offline algorithm. Below, we explain exactly how this works, why it’s secure, and what you should look for when buying a smart lock.


1. What “Offline” Really Means for a Smart Lock

Modern smart locks fall into two camps:

  1. Cloud-dependent – every credential (app tap, PIN, OTP) is validated on a remote server. If the internet is down, the lock refuses to open.
  2. Offline-capable – the lock itself stores the necessary logic and secret keys. It does not need live connectivity to verify an OTP.

Our locks (and most premium models released after 2022) are offline-capable. The lock’s microcontroller contains:

When you create an OTP in the companion app, the algorithm runs locally on your phone, then again inside the lock. Both sides produce the same code without ever talking to a server.


2. The Algorithm Behind Offline OTP: TOTP with a Twist

2.1 Standard TOTP (Time-based One-Time Password)

You may already know TOTP from apps like Google Authenticator:

OTP = HMAC-SHA256(SecretKey, UnixTime / TimeStep)

Because both the lock and the app share the same secret and clock, they can each compute identical OTPs.

2.2 Anti-Replay “Twist” for Smart Locks

Standard TOTP is vulnerable to replay if someone captures the code and uses it within the same 60-second window. Our firmware adds two extra checks:

These tweaks eliminate replay attacks and keep everything working when the internet is down for days.


3. Step-by-Step: Creating and Using an Offline OTP

| Step | Where it happens | Internet required? |
|------|------------------|--------------------|
| 1. Generate OTP | App | Yes (to fetch the lock’s current counter and clock) |
| 2. Send OTP to guest | Any channel you like (SMS, WhatsApp, email) | Optional |
| 3. Guest arrives and types OTP | Lock | No |
| 4. Lock validates OTP internally | Lock | No |
| 5. Lock syncs usage log back to cloud | Lock | Only when Wi-Fi returns |

4. Security FAQ

Q1. Can someone steal the secret key and create their own OTPs?
The key lives in a CC EAL5+ certified secure element. It never leaves the lock and cannot be read—even if the device is physically opened.

Q2. What if the lock’s battery dies and the RTC resets?
Our RTC has a dedicated coin cell good for 5+ years. On full power loss, the lock refuses OTP entry until the next successful app sync, ensuring no rollback attacks.

Q3. Does offline OTP work for permanent PINs or RFID cards too?
Yes. PINs, cards, and fingerprints are stored in the same secure element and evaluated locally.


5. How to Check if Your Lock Supports True Offline OTP

  1. Look for “offline algorithm” or “local TOTP engine” in the spec sheet.
  2. In the app, create an OTP, then turn on airplane mode. If the lock still opens, it’s offline-capable.
  3. Ask the vendor: “Does the lock store a unique secret per device?” A vague answer usually means cloud dependency.

6. Key Takeaway

A properly engineered smart lock doesn’t need the internet to recognize a valid visitor. By embedding the same algorithm on both phone and lock, offline OTPs remain:

So go ahead—schedule that Airbnb guest, send the cleaner a one-time code, or let the dog walker in. Even if your router takes the day off, your door won’t.


Need more details? Drop us a line at YiTechE@gmail.com for the full cryptographic white paper.
