Review: One time password generators

Removing weakness and misappropriation of passwords from the security equation

We all know that administering the human factor in network security is a balancing act. On the one hand you do need to enforce policies to minimise basic weaknesses, especially lazy passwords (such as the ubiquitous “password”). On the other hand, you also need to manage the administrative impact of rigid policies - how many times can one person get it wrong! Lost and forgotten passwords all require someone or something to restore and reissue the password to the user. In most cases this involves phoning the helpdesk or cornering the office administrator. Invariably you’ll have to wait because they are already busy resetting the director’s password for the umpteenth time.

Reissuing passwords is the systemic weak point in traditional single-password authentication systems. Often new passwords are simply emailed to the user’s account, which could itself be compromised. Many systems add an additional password challenge, a secret question, but these can be circumvented fairly easily. Your date of birth, hometown or mother’s maiden name are easily discoverable, researchable or obtainable through social engineering.


One-time password (OTP) security solutions are rapidly growing in popularity as we move towards larger and larger amounts of valuable ‘stuff’ online. International corporations such as Google and Facebook both have recently rolled out OTP options for their users. Blizzard now provides an OTP option for its vastly successful World of Warcraft online game, and from the financial sector, HSBC has deployed OTP devices to its customers for their online accounts.

Technically, OTPs are a subset of two-factor authentication (TFA) options, which require two different forms of authentication: generally something you have (an OTP device), and something you are (biometric check) or something you know (password).

A one-time password solution issues a number, derived either from the current time or from a cryptographic algorithm, that is used once by the user and then discarded. The method used by the cryptographic algorithm varies depending on implementation, but there are three main approaches: a time-based code, a pseudo-random number generated from a set key, or a code produced in response to a random-number challenge from the authentication server.
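The three approaches above, worked through in code as an added example (not code from the original article or from any product it reviews): the counter-based and time-based codes follow the HOTP/TOTP construction (RFC 4226 and RFC 6238), while the challenge-response variant and the verification helpers are an illustrative design of my own. The verification helpers also show the "used once" property: a code is only accepted inside a narrow window and a replayed counter is rejected. The test secret is the RFC 4226 test key, not a real deployment value.

```python
import hmac
import hashlib
import struct

def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(key: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """Time-based code: the counter is the number of `step`-second intervals since the Unix epoch."""
    return hotp(key, now // step, digits)

def challenge_code(key: bytes, challenge: bytes, digits: int = 6) -> str:
    """Challenge-response code (illustrative design): derived from a nonce the server issued for this login."""
    mac = hmac.new(key, challenge, hashlib.sha256).digest()
    return str(int.from_bytes(mac[:4], "big") % 10 ** digits).zfill(digits)

def verify_totp(key: bytes, submitted: str, now: int, step: int = 30, window: int = 1) -> bool:
    """Accept the current step and +/- `window` neighbours to tolerate clock drift and typing delay."""
    return any(hmac.compare_digest(totp(key, now + d * step, step), submitted)
               for d in range(-window, window + 1))

def verify_hotp(key: bytes, submitted: str, last_counter: int, look_ahead: int = 5):
    """Counter-based verification. Returns the new counter to store, or None on failure.
    Only counters above the last accepted one are tried, so a replayed code is rejected."""
    for c in range(last_counter + 1, last_counter + 1 + look_ahead):
        if hmac.compare_digest(hotp(key, c), submitted):
            return c
    return None

if __name__ == "__main__":
    key = b"12345678901234567890"  # RFC 4226 / RFC 6238 test secret, not a real key
    print(hotp(key, 0), totp(key, 59), verify_hotp(key, hotp(key, 2), 0))
```

The server must persist the counter returned by `verify_hotp`; storing it is what turns a deterministic code generator into a password that really is one-time.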

All of these approaches ultimately require a delivery method/device so that the user can read, then enter the OTP into the authentication system. We won’t attempt to cover all of the solutions that have been created for this, but it is worth outlining the most common options.

One such solution involves a secure hardware token-display, as used by HSBC and other banks. These can return codes for any of the options above. The code returned is then entered into the log-in system. Often a keypad is used to enter a user-defined lock code or a code delivered as part of the authentication system.

For businesses where the workforce is potentially at risk, options exist to include a “distress” code instead of the OTP. So if the user is being forcibly coerced into accessing the OTP-protected system, the “distress” code can be used, limited access is still granted, and an alarm raised.


At the moment, a popular option makes use of mobile phones, providing a range of delivery options, including SMS text messages, a dedicated app, instant messages, simple email or push delivery. Modern smartphones provide a convenient and flexible way of distributing OTPs that are already embraced by most users. This reduces cost because no new devices are required and delivery is done over existing transports. However, there are also issues associated with this system that are worth noting.

Users will need to have ready access to their phone, and a phone signal will need to be available for a live delivery. Additionally, there can be delays and interruptions to SMS and data services, and both text messages and standard emails are unencrypted, so they give an attacker a means of intercepting the code in transit.

Push technology, which is supported by most smartphone platforms, can help alleviate delays. An OTP can be pushed in real time to the phone after a challenge has been made.

An alternative approach uses a dedicated phone app that generates the OTP locally on the phone’s own processor rather than receiving it over the network. The associated problem here is that support is required for each different type of phone used, so ultimately it could be easier to deploy a dedicated device.

Other options you’ll see popping up include web-delivered OTP, with some solutions offering extra options such as selecting a picture as part of a two-factor authentication. Others include simple printed paper cards, much like business cards. These provide numbers in a grid or list so, when logging on, the user is prompted to enter the code at a specific grid location. This seemingly low-tech approach provides several simple advantages that have won over a number of banks. The lower cost of deployment and flexibility in how grids can be issued are great advantages. Customers can pick cards up from a local branch or print out their own. They’re cheap, easy and fast to replace, and it’s also possible to replace the password element with a smartcard, USB key or other proprietary token (acting more as a second authentication factor than as an OTP delivery system).


As always in the world of security, implementing an OTP system does not mean security is solved. Undoubtedly, an OTP system will enhance your security, but it’s still possible to envisage scenarios where malware intercepts the OTP after it has been requested. It’s also possible for attackers to extend the window of time available to them using basic social engineering, such as phoning the victim in the middle of logging on.

If log-on details are already known to attackers, they can simply steal the device used to deliver the OTP or alternatively, a man-in-the-middle ruse can fool a user into divulging the OTP to an attacker posing as an administrator.

OTPs do significantly increase the complexity for the hijackers, providing only a narrow window of opportunity, but if the target is tempting enough there’s no reason to dismiss the possibility.

In this review we look at a range of OTP solutions, from low-cost, single-system, single-user solutions all the way up to full enterprise-level systems that can handle over a million users.

In between, there are a few other interesting alternatives such as OTP cloud-based services, hobbyist-style implementations and low-cost, server-based deployments. There really is a one-time password system out there to suit everyone’s needs.
