
One-time password: Difference between revisions

From Wikipedia, the free encyclopedia
Content deleted Content added
added paper-based image
Line 68: Line 68:


In some countries OTPs that are used in the context of online banking. In some of these systems, the bank sends to the user a numbered list of OTPs that are printed on paper. For every online transaction, the user is required to enter a specific OTP from that list. In Germany, those OTPs are typically called TANs (for '[[transaction authentication number]]s'). Some banks even dispatch such TANs to the user's mobile phone via SMS, in which case they are called mTANs (for 'mobile TANs').
In some countries OTPs that are used in the context of online banking. In some of these systems, the bank sends to the user a numbered list of OTPs that are printed on paper. For every online transaction, the user is required to enter a specific OTP from that list. In Germany, those OTPs are typically called TANs (for '[[transaction authentication number]]s'). Some banks even dispatch such TANs to the user's mobile phone via SMS, in which case they are called mTANs (for 'mobile TANs').

[[File:Otp_paper-login_figure2_mid.png|thumb|right|paper-based OTP web-site login]]


== Related technologies ==
== Related technologies ==
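Review bot: the caption on the new [[File:Otp_paper-login_figure2_mid.png|...]] line, "paper-based OTP web-site login", is lowercase while the article's other captions use title case ("Identita LED Display Card", "Entrust IdentityGuard Mini Token"); consider "Paper-based OTP website login". The unchanged context line "In some countries OTPs that are used in the context of online banking." is also still missing its verb ("OTPs are used"), which this edit could have fixed in passing.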

Revision as of 01:25, 17 September 2009

A one-time password (OTP) is a password that is only valid for a single login session or transaction. OTPs avoid a number of shortcomings that are associated with traditional (static) passwords. The most important shortcoming addressed by OTPs is that, in contrast to static passwords, they are not vulnerable to replay attacks. This means that, if a potential intruder manages to record an OTP that was already used to log into a service or to conduct a transaction, he will not be able to abuse it, since it will no longer be valid. On the downside, OTPs cannot be memorized by human beings. Therefore they require additional technology in order to work.

How OTPs are generated and distributed

OTP generation algorithms typically make use of randomness. This is necessary because otherwise it would be easy to predict future OTPs from observing previous ones. Concrete OTP algorithms vary greatly in their details. Various approaches for the generation of OTPs are listed below.

  • Using a mathematical algorithm to generate a new password based on the previous password (OTPs are, effectively, a chain and must be used in a predefined order).
  • Based on time-synchronization between the authentication server and the client providing the password (OTPs are valid only for a short period of time).
  • Using a mathematical algorithm where the new password is based on a challenge (e.g., a random number chosen by the authentication server or transaction details) and/or a counter.

There are also different ways to make the user aware of the next OTP to use. Some systems use special electronic tokens that the user carries and that generate OTPs and show them using a small display. Other systems consist of software that runs on the user's mobile phone. Yet other systems generate OTPs on the server-side and send them to the user using an out-of-band channel such as SMS messaging. Finally, in some systems, OTPs are printed on paper that the user is required to carry with him.

Implementations

Mathematical algorithm

One approach, credited to Leslie Lamport, uses a one-way function (call it f). The one-time password system works by starting with an initial seed s, then generating passwords

f(s), f(f(s)), f(f(f(s))), ...

as many times as necessary. If an indefinite series of passwords is wanted, a new seed value can be chosen after the set for s is exhausted. Each password is then dispensed in reverse, with f(f(...f(s))...) first, to f(s).

If an intruder happens to see a one-time password, he may have access for one time period or login, but it becomes useless once that period expires. To get the next password in the series from the previous passwords, one needs to find a way of calculating the inverse function f⁻¹. Since f was chosen to be one-way, this is extremely difficult to do. If f is a cryptographic hash function, which is generally the case, it is (so far as is known) a computationally infeasible task.
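The hash-chain scheme described above, as an added example (not code from the article): the client keeps the chain f(s), f(f(s)), ..., fⁿ(s), the server stores only the top value fⁿ(s), and each login is checked by applying f once to the submitted password. SHA-256 as the one-way function and the seed value are assumptions of this example.

```python
import hashlib
import hmac

# Added example of Lamport's hash-chain OTP, not code from the article.
# SHA-256 as the one-way function f is an assumption; any one-way function works.


def f(x: bytes) -> bytes:
    """The one-way function f."""
    return hashlib.sha256(x).digest()


def hash_chain(seed: bytes, n: int) -> list:
    """Return [f(s), f(f(s)), ..., f^n(s)]; element i is f^(i+1)(s)."""
    chain, x = [], seed
    for _ in range(n):
        x = f(x)
        chain.append(x)
    return chain


class LamportClient:
    """Holds the chain and hands out passwords in reverse: f^(n-1)(s) first, f(s) last."""

    def __init__(self, seed: bytes, n: int):
        if n < 2:
            raise ValueError("need n >= 2 to get at least one password")
        self.chain = hash_chain(seed, n)
        self.anchor = self.chain[-1]   # f^n(s): registered with the server, never used as a password
        self._next = n - 2             # index of f^(n-1)(s), the first password

    def next_password(self) -> bytes:
        if self._next < 0:
            raise RuntimeError("chain exhausted: pick a new seed and re-register")
        p = self.chain[self._next]
        self._next -= 1
        return p

    def remaining(self) -> int:
        return self._next + 1


class LamportServer:
    """Stores only the last accepted value, starting with the anchor f^n(s)."""

    def __init__(self, anchor: bytes):
        self.current = anchor

    def verify(self, candidate: bytes) -> bool:
        # p is valid iff f(p) equals the stored value; on success p replaces it, so the
        # same p cannot be replayed (f(p) != p) and no earlier link is accepted again.
        if hmac.compare_digest(f(candidate), self.current):
            self.current = candidate
            return True
        return False


def demo() -> list:
    """Walk a 5-link chain: one login, a replay, an out-of-order attempt, then the rest."""
    seed = b"constructed demo seed, not a real secret"   # constructed input
    client = LamportClient(seed, 5)
    server = LamportServer(client.anchor)
    results = []
    p1 = client.next_password()
    results.append(server.verify(p1))                 # True: f(p1) == f^5(s)
    results.append(server.verify(p1))                 # False: replay of a used password
    results.append(server.verify(client.chain[0]))    # False: f(s) submitted out of order
    while client.remaining() > 0:
        results.append(server.verify(client.next_password()))   # True for the remaining three
    return results


if __name__ == "__main__":
    print(demo())
```

Note that the server never stores a secret: an attacker who reads its database learns fⁿ(s), which is exactly what the article says cannot be inverted to recover the next password.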

Time-synchronized

RSA SecurID tokens.

The time-synchronized one-time passwords are usually related to physical hardware tokens (e.g., each user is given a personal token that generates a one-time password). Inside the token is an accurate clock that has been synchronized with the clock on the authentication server. On these OTP systems, time is an important part of the password algorithm since the generation of new passwords is based on the current time rather than the previous password or a secret key.

Recently, it has become possible to take the electronic components associated with regular keyfob OTP tokens such as those from RSA and embed them in a credit card form factor. However, because card thickness (0.79 mm to 0.84 mm) prevents traditional components or batteries from being used, special polymer-based batteries must be used, which have a much shorter life than their traditional coin-cell counterparts. In addition, extremely low-powered semiconductor components must be used to conserve power during sleep and during actual use of the product. Two companies have led the production of thin "display card OTP" devices: Identita (http://www.identita.com) and NagraID (http://www.nidsecurity.com/).


File:Ledcards.JPG
Identita LED Display Card

Mobile phones and PDAs can also be used to generate a time-synchronized one-time password. This approach could be a more cost-effective alternative, since most Internet users already have mobile phones. Additionally, this approach could be more convenient, since the user would not need to carry around a separate hardware token for each security domain to which he or she requires access.

File:EntrustToken1.jpg
Entrust IdentityGuard Mini Token

Challenge

The use of challenge one-time passwords (OTP) requires a user to provide a time-synchronized challenge to be properly authenticated. This can be done by inputting the value into the token itself. To avoid duplicates, an additional counter is usually involved, so if one happens to get the same challenge twice, this still results in different one-time passwords. However, the computation does not usually involve the previous one-time password as this would lead to synchronization problems. EMV is starting to use such a system (called "Chip Authentication Program") for credit cards in Europe.

OTP over SMS

A common technology used for the delivery of OTPs is short message service (SMS). Because SMS is a ubiquitous communication channel, available in all handsets and with a large customer base, SMS messaging has the greatest potential to reach all consumers with a low total cost of ownership. Tokens, smart cards and other traditional authentication methods are more costly to implement, pricey to maintain and frequently resisted by consumers. They are also vulnerable to man-in-the-middle attacks, in which phishers steal OTPs by tricking customers into providing one or more such OTPs displayed on their token. Tokens can also be lost, and integrating OTPs into mobile phones might be more secure and simpler, because consumers do not have to carry an extra portable device. At the same time, OTP over SMS may be less secure, because the mobile phone operator now becomes part of the trust chain. In case of roaming, more than one mobile phone operator has to be trusted.

OTP on a mobile phone

Compared to hardware token solutions, which require each end-user to carry a physical token device, a mobile phone token reduces costs considerably, as well as offering an unprecedented level of convenience. This solution also reduces the logistical requirement, in that it is not necessary to deliver devices to each end-user. One such mobile token, FireID, additionally supports any number of tokens within one installation of the application, allowing a user to authenticate to multiple resources from one device. This solution also provides model-specific applications for the user's mobile phone. A mobile phone token is also significantly more secure than SMS-based solutions, since SMS messages are sent over the GSM network in plain text and are subject to interception.

Comparison of technologies

In terms of costs, the cheapest OTP solutions are those that distribute OTPs on paper, and those that generate OTPs on the user's mobile phone. This is because these systems avoid the costs associated with (re-)issuing electronic tokens and the cost of SMS messaging.

For systems that rely on electronic tokens, non-time synchronized systems must cope with the situation where the server and the token drift out-of-sync. This leads to an additional development cost. Time-synchronized systems, on the other hand, avoid this at the expense of having to maintain a clock in the electronic tokens (and an offset value to account for clock drift).
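The time-synchronized, challenge-plus-counter and drift-handling behaviour described in the sections above, as one added example (not code from the article or from any vendor named in it). The OTP function is HOTP as specified in RFC 4226 (HMAC-SHA1 over an 8-byte counter with dynamic truncation); the time-based variant derives the counter from 30-second steps; the challenge variant (HMAC over challenge followed by counter), the look-ahead window size and the learned clock offset are assumptions of this example. The counter-based server shows the resynchronization cost the comparison section mentions; the time-based server shows the clock offset it mentions, plus a check that refuses a code whose time step was already consumed.

```python
import hashlib
import hmac
import struct

# Added example, not code from the article: HOTP (RFC 4226) with a look-ahead
# window for counter drift, a time-based variant with a learned clock offset,
# and a challenge-plus-counter variant. The challenge construction
# (HMAC over challenge || counter) is an assumption of this example.


def otp_from_message(secret: bytes, message: bytes, digits: int = 6) -> str:
    """HMAC-SHA1 the message, apply RFC 4226 dynamic truncation, keep `digits` digits."""
    mac = hmac.new(secret, message, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = ((mac[offset] & 0x7F) << 24 | mac[offset + 1] << 16
            | mac[offset + 2] << 8 | mac[offset + 3]) % (10 ** digits)
    return str(code).zfill(digits)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """Counter-based OTP: the message is the 8-byte big-endian counter."""
    return otp_from_message(secret, struct.pack(">Q", counter), digits)


def challenge_otp(secret: bytes, challenge: bytes, counter: int, digits: int = 6) -> str:
    """Challenge OTP with a counter, so the same challenge twice yields different codes."""
    return otp_from_message(secret, challenge + struct.pack(">Q", counter), digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """Time-based OTP: the counter is the number of `step`-second intervals since the epoch."""
    return hotp(secret, unix_time // step, digits)


class CounterServer:
    """Non-time-synchronized server: accepts the next `window` counters, so a token whose
    codes were generated but never submitted can resynchronize with the server."""

    def __init__(self, secret: bytes, window: int = 5):
        self.secret, self.counter, self.window = secret, 0, window

    def verify(self, code: str) -> bool:
        for c in range(self.counter, self.counter + self.window):
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.counter = c + 1   # every counter up to c is now burned
                return True
        return False


class TimeServer:
    """Time-synchronized server: tolerates +-skew steps, learns the token's clock offset,
    and refuses any step already consumed, so a code cannot be replayed inside the window."""

    def __init__(self, secret: bytes, step: int = 30, skew: int = 1):
        self.secret, self.step, self.skew = secret, step, skew
        self.offset = 0        # token clock offset in steps, updated on each success
        self.last_step = -1    # highest step accepted so far

    def verify(self, code: str, now: int) -> bool:
        base = now // self.step + self.offset
        for delta in range(-self.skew, self.skew + 1):
            step = base + delta
            if step <= self.last_step:
                continue
            if hmac.compare_digest(hotp(self.secret, step), code):
                self.offset += delta
                self.last_step = step
                return True
        return False


if __name__ == "__main__":
    secret = b"12345678901234567890"   # RFC 4226 test-vector secret, not a real key
    print(hotp(secret, 0), totp(secret, 59), challenge_otp(secret, b"tx:42", 0))
```

The RFC 4226 test vectors (secret "12345678901234567890": counter 0 gives 755224, counter 1 gives 287082) can be used to confirm the HOTP core; the server classes then show why a lost or skewed token is a cost item rather than a security hole, as long as the window stays small and consumed steps are remembered.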

One-time passwords are also vulnerable to phishing. In late 2005 customers of a Swedish bank were tricked into giving up their one-time passwords (The Register article). Even time-synchronized one-time passwords are vulnerable to phishing, if the password is used quickly enough by the attacker. This could be seen in 2006 in the attack on customers of a US bank (Washington Post Security Blog).

While OTPs are more secure than passwords, users of OTP systems are still vulnerable to man-in-the-middle attacks. OTPs should therefore not be disclosed to any third parties. Whether or not OTPs are time-synchronized is basically irrelevant to the degree of vulnerability. Challenge-based OTPs are vulnerable too, although a successful attack requires the attacker to be slightly more active than for the other OTP types.

Many OTP technologies are patented. This makes standardization in this area more difficult, as each company tries to push its own technology. Standards do, however, exist (see RFC 2289 for example).

OTPs in the context of online banking

In some countries OTPs are used in the context of online banking. In some of these systems, the bank sends the user a numbered list of OTPs printed on paper. For every online transaction, the user is required to enter a specific OTP from that list. In Germany, those OTPs are typically called TANs (for 'transaction authentication numbers'). Some banks even dispatch such TANs to the user's mobile phone via SMS, in which case they are called mTANs (for 'mobile TANs').

File:Otp paper-login figure2 mid.png
paper-based OTP web-site login
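The numbered paper list just described, as an added example (not code from the article or from any bank): the bank asks for a specific index, accepts each entry once, and stores only hashes of the TANs so that a leaked server table does not reproduce the printed list. Six-digit TANs, a 50-entry list and SHA-256 for the stored hashes are assumptions of this example.

```python
import hashlib
import hmac
import secrets

# Added example, not code from the article: an indexed paper TAN list. The bank
# keeps SHA-256 hashes of the TANs plus a used flag per index; the customer holds
# the printed list. Six-digit TANs and a 50-entry list are assumptions.


def generate_tan_list(count: int = 50, digits: int = 6) -> list:
    """Fresh random TANs; this is what gets printed (numbered from 1) and mailed."""
    return [f"{secrets.randbelow(10 ** digits):0{digits}d}" for _ in range(count)]


def format_paper_list(tans: list) -> str:
    """Render the numbered list the customer receives on paper."""
    return "\n".join(f"{i + 1:3d}: {tan}" for i, tan in enumerate(tans))


def _digest(tan: str) -> bytes:
    return hashlib.sha256(tan.encode()).digest()


class TanListServer:
    """Bank side: demands a specific index per transaction and burns it after use."""

    def __init__(self, tans: list):
        self.digests = [_digest(t) for t in tans]   # never the TANs themselves
        self.used = [False] * len(tans)

    def request_index(self) -> int:
        """Pick an unused 1-based index to ask the customer for; this is the challenge."""
        unused = [i for i, u in enumerate(self.used) if not u]
        if not unused:
            raise RuntimeError("TAN list exhausted; issue a new list")
        return secrets.choice(unused) + 1

    def verify(self, index: int, tan: str) -> bool:
        i = index - 1
        if i < 0 or i >= len(self.digests) or self.used[i]:
            return False            # unknown index, or already consumed: a replay fails here
        if not hmac.compare_digest(self.digests[i], _digest(tan)):
            return False            # right index, wrong TAN
        self.used[i] = True
        return True

    def remaining(self) -> int:
        return self.used.count(False)


if __name__ == "__main__":
    tans = generate_tan_list()          # constructed list for the demo
    print(format_paper_list(tans[:5]))
    bank = TanListServer(tans)
    idx = bank.request_index()
    print(idx, bank.verify(idx, tans[idx - 1]), bank.verify(idx, tans[idx - 1]))
```

Asking for a randomly chosen index rather than the next one in order is what distinguishes an indexed TAN list from the plain sequential list: a phished TAN is only useful if the attacker is asked for that same index before the customer uses it.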

More often than not, one-time passwords are an embodiment of a two-factor authentication solution. Some single sign-on [1] solutions make use of one-time passwords. One-time password technology is often used with a security token.

Specific OTP technologies

The following is a table of specific OTP technologies, in alphabetical order, contrasting the main properties of each technology; namely, the distribution method of OTPs and the integration method on the server side.

Name | Distribution method | Supported applications | Server integration
AuthAnvil | Generated by application on smartphone or hardware keyfob | Windows Logon, PAM, VPN, Websites, and any RADIUS enabled device | Via proprietary SOAP/XML, SAML or RADIUS
FireID | Generated by application on smartphone | Websites, VPN | Via proprietary XML-RPC or RADIUS
KYPS | Self-service (user prints PDF) & SMS | Websites | None (not required)
Mobile-OTP | Generated by application on smartphone | Websites, RADIUS, PAM | PHP module for Apache web server, PAM module for Linux/Solaris, RADIUS plugin
mod_authn_otp | Electronic token | Websites | PHP module
OTPauth | Printed list & SMS | Websites | PHP module for Apache web server
OTPW | Paper list | Linux login | Linux package
RSA SecurID | Generated on hardware token | Websites, applications | Proprietary server software
SecureOTP, by SecureMetric Technology | Generated on hardware or software token | 3rd party applications supporting HOTP standard | Proprietary software module
S/KEY (described in RFC 1760) | Electronic token | Linux login | Linux module
ZyWall from ZyXEL | Electronic token | 3rd party applications supporting OATH | Proprietary ASAS server software
