Jul 11, 2015

What is a one-time password and how is it used?

"A one-time password (OTP) is a password that is valid for only one login session or transaction, on a computer system or other digital device. OTPs avoid a number of shortcomings that are associated with traditional (static) password based authentication; a number of implementations also incorporate two factor authentication by ensuring that the one-time password requires access to something a person has (such as a small keyring fob device with the OTP calculator built into it, or a smartcard or specific cellphone) as well as something a person knows."
Years ago vendors set out to improve how users authenticate at login with hardware-based two-factor authentication: an object uniquely in your possession generates a one-time code, and a security appliance checks that code to better secure your logins. These objects have a small LCD screen that automatically generates a new six-digit number every few seconds; you enter this number as part of the login process to prove that you are who you say you are. In theory no one else could know this number at this specific moment in time, so the token is a great way to improve on an ordinary user name/password combination. An algorithm on the security server computes the number it expects for your token at that moment and compares it with the number you entered.

Over the years these tokens have been put in millions of users’ hands. Two-factor authentication is certainly on the rise. Beyond its use in various business applications, many consumer-facing Web applications have adopted the practice, including Google, Facebook, Yahoo, eBay, PayPal and Apple. And the small tokens have branched out to other form factors, including software apps that generate the digits on your smartphone, or an app that sends the digits in a text or voice message to your smartphone. This is a great improvement, since IT administrators and users alike hate the actual little objects. They get lost or misplaced, or you leave them at home when you need them at work, or vice-versa.

OTP tokens are available from dozens of vendors, most notably RSA, Vasco, and SafeNet. Some of the single sign on vendors also sell their own smartphone-based OTP tokens, including Centrify, Ping, SecureAuth and Okta.

And lately there have been several man-in-the-middle attacks on OTP tokens, so they aren’t as secure as they were once thought to be.

There are efforts underway to extend OTP to a more standards-based approach that makes use of the FIDO Alliance, but we’ll leave that for another time.
