Is it a good approach to embed an OTP (one-time password) algorithm into enterprise mobile apps to support offline capability?


Updated: We are building mobile apps on the Windows, iOS and Android platforms to generate an OTP (one-time password) for a regulated system. The system prompts a challenge phrase when a user attempts to log in, and the displayed challenge needs to be keyed into the mobile app to generate the OTP. The generated OTP is then entered into the system to log in.

So far, per the requirements, the mobile OTP generation app can expose a service to generate the OTP with the required security.

But we have a weird requirement to support the same feature with offline capability, when the mobile has no internet connectivity. The choice I know of is to embed the OTP algorithm and key in the app and apply a suitable security mechanism. The algorithm is a custom-built proprietary algorithm, and we need to achieve offline capability without compromising security. Is it a good approach to embed the algorithm and key in the app to enable offline capability? What is the recommended solution?

I have no idea what you mean by "enterprise expose API".

But it will need to be tied to the physical phone device, the SIM module (i.e. the phone number) or the app's secure/private storage for two-factor to work.

An API exposed on the internet, without a strong link to the authentication token (the phone), is not secure.

So, I guess the answer is: yes, you should implement the "OTP algorithm" in the app. The app must store the shared secret in private storage that is not (easily) accessible to other apps. Then, depending on the kind of OTP, you need to provide a means of synchronization between the app and the server. Google's Authenticator does this by establishing a common timebase, because the "OTP" is not strictly one-time but changes (only) depending on the current date and time; hence the current time becomes the "challenge" that the server implicitly poses to the client to return the correct response. The thing is, you don't need access to the internet to know the current time in the app. You need to synchronize the timebase and make sure the clock in the app does not differ from the server's.

The server could instead send an explicit challenge, such as a sequential number. The challenge is displayed to the user attempting to log in, and the user would have to type this number into the app and return the app's answer to the server.

Many more options are available, but the bottom line is: to provide reasonable security, the OTP must be calculated on the phone.
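An added example, not code from the original post: both schemes described in the answer, computed on the device with no network access, together with the matching server-side checks. It assumes standard HMAC constructions (RFC 4226 truncation, RFC 6238 time steps) instead of the asker's proprietary algorithm; `respond`, `Server` and the sample secret are illustrative names and values.

```python
import hashlib
import hmac
import secrets
import struct

SECRET = b"12345678901234567890"  # RFC 4226 test secret; sample value only

def truncate(mac: bytes, digits: int = 6) -> str:
    """RFC 4226 dynamic truncation of an HMAC into a short decimal code."""
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def hotp(secret: bytes, counter: int) -> str:
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    return truncate(mac)

def totp(secret: bytes, unix_time: int, step: int = 30) -> str:
    """Implicit challenge: the current time step, read from the local clock."""
    return hotp(secret, unix_time // step)

def verify_totp(secret, code, server_time, step=30, window=1):
    """Server side: accept +/- `window` steps to absorb clock drift."""
    return any(
        hmac.compare_digest(totp(secret, server_time + d * step, step), code)
        for d in range(-window, window + 1)
    )

def respond(secret: bytes, challenge: str) -> str:
    """App side: answer an explicit challenge typed in by the user, offline."""
    mac = hmac.new(secret, challenge.encode(), hashlib.sha256).digest()
    return truncate(mac)

class Server:
    """Issues explicit challenges and accepts each one at most once."""
    def __init__(self, secret: bytes):
        self.secret, self.pending = secret, set()

    def new_challenge(self) -> str:
        # Assumption: random 8-digit challenge; a sequential number also works.
        challenge = f"{secrets.randbelow(10 ** 8):08d}"
        self.pending.add(challenge)
        return challenge

    def verify(self, challenge: str, answer: str) -> bool:
        if challenge not in self.pending:
            return False
        self.pending.discard(challenge)  # single use, so a replay is rejected
        return hmac.compare_digest(respond(self.secret, challenge), answer)
```

In a real app the shared secret would be provisioned per device and kept in the platform's private key storage, not in a constant shipped inside the binary.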

