Jump to content

One-time password

From Wikipedia, the free encyclopedia

This is an old revision of this page, as edited by STLMatt (talk | contribs) at 21:00, 26 August 2007. The present address (URL) is a permanent link to this revision, which may differ significantly from the current revision.

The purpose of a one-time password (OTP) is to make it more difficult to gain unauthorized access to restricted resources, like a computer account. Traditionally static passwords can more easily be accessed by an unauthorized intruder given enough attempts and time. By constantly altering the password, as is done with a one-time password, this risk can be greatly reduced.

There are basically three types of one-time passwords: the first type uses a mathematical algorithm to generate a new password based on the previous, a second type that is based on time-synchronization between the authentication server and the client providing the password, and a third type that is again using a mathematical algorithm, but the new password is based on a challenge (e.g. a random number chosen by the authentication server or transaction details) and a counter instead of being based on the previous password.

Implementation of a mathematical algorithm type OTP

Main article: Hash chain

One approach, due to Leslie Lamport, uses a one-way function (call it f). The one-time password system works by starting with an initial seed s, then generating passwords

f(s), f(f(s)), f(f(f(s))), ...

as many times as necessary. If an indefinite series of passwords is wanted, a new seed value can be chosen after the set for s is exhausted.

Now, each password is dispensed in reverse, with f(f(...f(s))...) first, to f(s).

If an intruder happens to see one one-time password, they may have access for one time period or login, but it becomes useless once that period expires. To get the next password in the series from the previous passwords, one needs to find a way of calculating the inverse function f-1. Since we have deliberately chosen f to be one-way, this is extremely difficult to do. If f is a cryptographic hash function, which is generally the case, it is (so far as is known) a computationally infeasible task.

Implementation of a time-synchronized type OTP

File:CATBlackBerry.gif
Cellular Authentication Token on a BlackBerry
RSA SecurID tokens.

The time-synchronized one-time passwords are usually related to Cellular Authentication Token’s or physical hardware tokens; eg. the token is installed on the user cell phone or each user is given a personal token that generates a one-time password. Inside the token there is an accurate clock that has been synchronized with the clock on the authentication server. On these OTP systems time is an important part of the password algorithm, hence the generation of new passwords based on the current time rather than the previous password or a secret key. + The time-synchronized one-time passwords are usually related to physical hardware tokens; e.g. each user is given a personal token that generates a one-time password. Inside the token there is an accurate clock that has been synchronized with the clock on the authentication server. On these OTP systems time is an important part of the password algorithm, hence the generation of new passwords based on the current time rather than the previous password or a secret key.

Implementation of a challenge type OTP

The one-time passwords using a challenge to compute the next OTP essentially involve a bit more overhead for the user as he has to somehow enter the challenge into the password generating token. To avoid duplicates, an additional counter is usually involved, so if one happens to get the same challenge twice, this still results in different one-time passwords. However, the computation does not usually involve the previous one-time password as this would lead to synchronization problems. EMV is starting to use such a system (called "Chip Authentication Program") for credit cards in Europe.

Comparison of technologies

There are some obvious cost-saving benefits to time-synchronized OTPs as users tend to generate a password and not use it or type it wrong. Doing so on an OTP system that is not time-synchronized will cause the client to not be synchronized with the authentication server; the result of this is the added expense of re-issuing new clients. Alternatively, the server needs to take that issue into account (by ignoring bad password and by accepting any out of the next e.g. ten passwords, instead of just the next one, possibly also by adding a resynchronisation mechanism), so there is an extra effort in implementation, which might e.g. affect the price of the server system, but can avoid synchronization problems.

On the other hand, there are some obvious cost-saving benefits to non time-synchronized OTPS as the hardware token does not need a clock, so it especially does not need to be continually powered, so a battery should last much longer.

In sum, for a large installation, one would expect time-synchronized OTPs to be the more expensive choice, as any additional cost to the non-time-synchronized server should be outweighted by the more expensive and less durable individual tokens.

One-time passwords that are not time-synchronized are also vulnerable to phishing. In late 2005 customers of a Swedish bank were tricked into giving up their one-time passwords (The Register article). However, even time-synchronized one-time passwords are vulnerable to phishing, if the password is used quickly enough by the attacker. This could be seen in 2006 by the attack on customers of a US bank (Washington Post Security Blog). Basically, the user of such a system must be aware that he is vulnerable to Man-in-the-middle attacks and should never give his one-time passwords to any third parties. Whether or not the one-time passwords are time-synchronized is basically irrelevant for the degree of vulnerability. This is also true for the challenge-based one-time passwords, although here you need to slightly expand the mentioned attack on time-synchronized passwords to a full Man-in-the-middle attack, while the one observed for the time-synchronized passwords is a very slightly simplified attack of that type.

Standardization is obviously a good thing. Sadly most good time-synchronized OTP technologies are patented and are not available for sharing with the general public. Mathematical algorithm type OTPs are a good substitute though, especially since many security specialist frown upon the principle Security through obscurity which is often used for the time-synchronized one-time passwords, while the other two types of one-time passwords can and often do rely on cryptographic algorithms that are commonly accepted as secure.

A common technology used for the delivery of OTPs is Short Message Service (SMS). Because SMS is an ubiquitous communication channel, being available in all handsets and with a large customer-base, SMS messaging has the greatest potential to reach all consumers with a low total cost of ownership. Tokens, smart cards and other traditional authentication methods are more costly to implement, pricey to maintain and frequently resisted by consumers. They are also vulnerable to man-in-the-middle attacks, in which phishers hijack online sessions by tricking customers into providing one-time-PINs generated by tokens or smart cards. Also tokens can be lost, and integrating OTPs into mobile might be more secure and simpler, because consumers do not have to carry an extra portable hardware.

More often than not, one-time passwords are an embodiment of a two-factor authentication solution. Some single sign-on solutions make use of one-time passwords. One-time password technology is often used with a security token.

Specific OTP technologies

Retrieved from "https://en.wikipedia.org/w/index.php?title=One-time_password&oldid=153812302"