We all know that administering the human factor in network security is a balancing act. On the one hand you do need to enforce policies to minimise basic weaknesses, especially lazy passwords (such as the ubiquitous “password”). On the other hand, you also need to manage the administrative impact of rigid policies - how many times can one person get it wrong! Lost and forgotten passwords all require someone or something to restore and reissue the password to the user. In most cases this involves phoning the helpdesk or cornering the office administrator. Invariably you’ll have to wait because they are already busy resetting the director’s password for the umpteenth time.
Reissuing passwords is the systemic weak point in traditional single-password authentication systems. Often new passwords are simply emailed to the user’s account, which could itself be compromised. Many systems add an additional challenge - a secret question - but these can be fairly easily navigated. Your date of birth, hometown or mother’s maiden name are easily discovered, researched or socially engineered.
PASS THE WORD
One-time password (OTP) security solutions are rapidly growing in popularity as we move towards larger and larger amounts of valuable ‘stuff’ online. International corporations such as Google and Facebook both have recently rolled out OTP options for their users. Blizzard now provides an OTP option for its vastly successful World of Warcraft online game, and from the financial sector, HSBC has deployed OTP devices to its customers for their online accounts.
Technically, OTPs are a subset of two-factor authentication (TFA) options, which require two different forms of authentication: generally something you have (an OTP device), and something you are (biometric check) or something you know (password).
A one-time password solution uses either a time-based or algorithmically generated number that’s used once by the user and discarded. The method used by the cryptographic algorithm varies depending on implementation, but there are three main approaches: a time-based code, a pseudo-random number generated from a set key, or a code produced via a random-number challenge from the authentication server.
All of these approaches ultimately require a delivery method/device so that the user can read, then enter the OTP into the authentication system. We won’t attempt to cover all of the solutions that have been created for this, but it is worth outlining the most common options.
One such solution involves a secure hardware token with a display, as used by HSBC and other banks. These can return codes for any of the options above. The code returned is then entered into the log-in system. Often a keypad is used to enter a user-defined lock code or a code delivered as part of the authentication system.
For businesses where the workforce is potentially at risk, options exist to include a “distress” code instead of the OTP. So if the user is being forcibly coerced into accessing the OTP-protected system, the “distress” code can be used, limited access is still granted, and an alarm raised.
PHONING IT IN
At the moment, a popular option makes use of mobile phones, providing a range of delivery options, including SMS text messages, a dedicated app, instant messages, simple email or push delivery. Modern smartphones provide a convenient and flexible way of distributing OTPs that are already embraced by most users. This reduces cost because no new devices are required and delivery is done over existing transports. However, there are also issues associated with this system that are worth noting.
Users will need to have ready access to their phone, and a phone signal will need to be available for a live delivery. Additionally, there can be delays and interruptions to SMS and data services, and both text messages and standard emails are unencrypted, so they create an avenue for attacking the system.
Push technology, which is supported by most smartphone platforms, can help alleviate delays. An OTP can be pushed in real time to the phone after a challenge has been made.
An alternative approach uses a dedicated phone app that generates the OTP on the phone itself from a key stored locally. The associated problem here is that support is required for each different type of phone used, so ultimately it could be easier to deploy a dedicated device.
Other options you’ll see popping up include web-delivered OTPs, with some solutions offering extras such as selecting a picture as part of the two-factor authentication. Others include simple printed paper cards, much like business cards. These provide numbers in a grid or list so, when logging on, the user is prompted to enter a code corresponding to a specific grid location. This seemingly low-tech approach provides a number of simple advantages that have won over a number of banks. The lower cost of deployment and flexibility in how grids can be issued are great advantages. Customers can pick cards up from a local branch or print out their own. They’re cheap, easy and fast to replace, and it’s also possible to replace the password element with a smartcard, USB key or other proprietary token (acting more as a two-factor authentication (TFA) token than as an OTP delivery system).
DON’T LOWER YOUR GUARD
As always in the world of security, deploying an OTP system does not mean security is solved. Undoubtedly, an OTP system will enhance your security, but it’s still possible to envisage scenarios where malware intercepts the OTP after it has been requested. It’s also possible for attackers to increase the amount of time available to them using basic social engineering, such as phoning the victim in the middle of logging on.
If log-on details are already known to attackers, they can simply steal the device used to deliver the OTP or alternatively, a man-in-the-middle ruse can fool a user into divulging the OTP to an attacker posing as an administrator.
OTPs do significantly increase the complexity for the hijackers, providing only a narrow window of opportunity, but if the target is tempting enough there’s no reason to dismiss the possibility.
In this review we look at a range of OTP solutions, from low-cost, single-system, single-user solutions all the way up to full enterprise-level systems that can handle over a million users.
In between, there are a few other interesting alternatives such as OTP cloud-based services, hobbyist-style implementations and low-cost, server-based deployments. There really is a one-time password system out there to suit everyone’s needs.