One-time password history

A one-time password (OTP) is a password that is valid for only one login session or transaction. OTPs avoid a number of shortcomings that are associated with traditional (static) passwords. The most important shortcoming that is addressed by OTPs is that, in contrast to static passwords, they are not vulnerable to replay attacks. This means that, if a potential intruder manages to record an OTP that was already used to log into a service or to conduct a transaction, he will not be able to abuse it since it will be no longer valid. On the downside, OTPs cannot be memorized by human beings. Therefore they require additional technology in order to work.

Contents  [hide] 1 How OTPs are generated and distributed 2 Methods of generating the OTP 2.1 Time-synchronized 2.2 Mathematical algorithms 3 Methods of delivering the OTP 3.1 OTP over SMS 3.2 OTP on a mobile phone 3.3 OTP on proprietary tokens 3.4 Direct OTP implementation 4 Comparison of technologies 4.1 One OTP implementation versus another 4.2 OTPs versus other methods of securing data 4.3 Related technologies 5 Standardization 6 OTPs in the context of online banking 7 See also 8 External links 9 References

How OTPs are generated and distributed

OTP generation algorithms typically make use of randomness. This is necessary because otherwise it would be easy to predict future OTPs from observing previous ones. Concrete OTP algorithms vary greatly in their details. Various approaches for the generation of OTPs are listed below.

• Based on time-synchronization between the authentication server and the client providing the password (OTPs are valid only for a short period of time)
• Using a mathematical algorithm to generate a new password based on the previous password (OTPs are, effectively a chain and must be used in a predefined order).
• Using a mathematical algorithm where the new password is based on a challenge (e.g., a random number chosen by the authentication server or transaction details) and/or a counter.

There are also different ways to make the user aware of the next OTP to use. Some systems use special electronic tokens that the user carries and that generate OTPs and show them using a small display. Other systems consist of software that runs on the user's mobile phone. Yet other systems generate OTPs on the server-side and send them to the user using an out-of-band channel such as SMSmessaging. Finally, in some systems, OTPs are printed on paper that the user is required to carry with them.

Methods of generating the OTP

Time-synchronized

RSA SecurID tokens.

A time-synchronized OTP is usually related to a piece of hardware called a security token(e.g., each user is given a personal token that generates a one-time password). Inside the token is an accurate clock that has been synchronized with the clock on the proprietary authentication server. On these OTP systems, time is an important part of the password algorithm since the generation of new passwords is based on the current time rather than, or in addition to, the previous password or a secret key. This token may be a proprietary device for sale, or a mobile phone or similar mobile device which runs software that is proprietary,freeware, or open-source. An example of time-synchronized OTP standard is TOTP.

All of the methods of delivering the OTP below may use time-synchronization instead of algorithms.

Mathematical algorithms

Main article: Hash chain

Each new OTP may be created from the past OTPs used. An example of this type of algorithm, credited to Leslie Lamport, uses a one-way function (call it f). The one-time password system works by starting with an initial seed s, then generating passwords

f(s), f(f(s)), f(f(f(s))), ...

as many times as necessary. If an indefinite series of passwords is wanted, a new seed value can be chosen after the set for s is exhausted. Each password is then dispensed in reverse, with f(f(...f(s))...) first, to f(s).

If an intruder happens to see a one-time password, he may have access for one time period or login, but it becomes useless once that period expires. To get the next password in the series from the previous passwords, one needs to find a way of calculating the inverse function f^-1. Since f was chosen to be one-way, this is extremely difficult to do. If f is a cryptographic hash function, which is generally the case, it is (so far as is known) a computationally infeasible task.

The use of challenge-response one-time passwords will require a user to provide a response to a challenge. For example, this can be done by inputting the value that the token has generated into the token itself. To avoid duplicates, an additional counter is usually involved, so if one happens to get the same challenge twice, this still results in different one-time passwords. However, the computation does not usually^{[citation needed]} involve the previous one-time password; that is, usually this or another algorithm is used, rather than using both algorithms.

The methods of delivering the OTP which are token-based may use either of these types of algorithm instead of time-synchronization.

Methods of delivering the OTP

OTP over SMS

A common technology used for the delivery of OTPs is short message service (SMS). Because SMS is a ubiquitous communication channel, being available in nearly all handsets and with a large customer-base, SMS messaging has a great potential to reach all consumers with a low total cost to implement, but the cost of each SMS adds up the more often that one needs to request an OTP and thus might not be suitable for some users. OTP over SMS also is encrypted using an A5/x standard which several hacking groups report can be successfully decrypted within minutes or seconds^[1][2][3][4], or the OTP over SMS might not be encrypted by one's service-provider at all. In addition to threats from hackers, the mobile phone operator becomes part of the trust chain. In the case of roaming, more than a single mobile phone operator has to be trusted. Anyone using this information may mount a man-in-the-middle attack.

OTPon a mobile phone

A mobile phone keeps costs low because a large customer-base already owns a mobile phone for purposes other than generating OTPs. The computing power and storage required for OTPs is usually insignificant compared to that which modern camera-phones and smartphones typically use. Mobile tokens additionally support any number of tokens within one installation of the application, allowing a user the ability to authenticate to multiple resources from one device. This solution also provides model-specific applications to the user's mobile phone. However, a cellphone used as a token can be lost, damaged, or stolen.

OTP on proprietary tokens

EMV is starting to use a challenge-response algorithm (called "Chip Authentication Program") for credit cards in Europe. On the other hand, in access control for computer networks, RSA Security's SecurID is one example of a time-synchronization type of token. Like all tokens, these may be lost, damaged, or stolen; additionally there is an inconvenience as batteries die (typically cannot plug these into a battery-charger, and this is one more battery that must be replaced, or in some cases the whole token must be replaced). A lower-cost and more convenient alternative proposed by RSA is to use "ubiquitous authentication"^[5] for SecurID to be added to mobile phones; this integration of OTPs into mobile phones would need to compete with software-based solutions which are already being used a mobile. The complete details of how RSA's "ubiquitous authentication" will be different from these existing software that can generate OTPs using cellphones is unknown as of February 2006.

Recently, it has become possible to take the electronic components associated with regular keyfob OTP tokens and embed them in a credit card form factor. However, because card thickness (.79mm to .84mm) prevents traditional components or batteries from being used, special polymer-based batteries must be used which have a much lower battery life than their traditional coin cell brothers. Also, extremely low-powered semiconductor components must be used to conserve the amount of power being used during sleep and/or actual use of the product.

Direct OTP implementation

This section does not cite any references or sources. Please help improve this article by adding citations to reliable sources. Unsourced material may be challenged andremoved. (June 2010)

This type of solution provides the end-user with a means to create an OTP without the need for time-synchronized challenges, physical tokens, mobile phones or any other hardware and is implemented directly into the systems to which the end-user seeks access. Unlike other types, this OTP implementation does not require the purchase of additional hardware, software or services by the provider and eliminates the need to issue end-users with any physical token or require them to have, or have access to, a mobile device. Therefore, solutions like these, such as OTPW or OTPXS, significantly reduce the cost of implementation, and do not generate the increased help-desk services required by token-based solutions when the tokens are lost, stolen, forgotten or rendered inoperable due to abuse or neglect. With no limit on the number of end-users the system can handle, this type of solution is especially ideal for organizations with large numbers of end-users, but typically not ideal for maximum security, where two-factor authentication, (such as PKCS#11) and other protocols are typically used.

Comparison of technologies

One OTP implementation versus another

In terms of costs, the cheapest OTP solutions are those that deliver OTPs on paper, and those that generate OTPs on a device that someone already owns. This is because these systems avoid the costs associated with (re-)issuing proprietary electronic tokens and the cost of SMS messaging.

For systems that rely on electronic tokens, algorithm-based OTP generators must cope with the situation where a token drifts out-of-sync with its server if the system requires the OTP to be entered on a deadline. This leads to an additional development cost. Time-synchronized systems, on the other hand, avoid this at the expense of having to maintain a clock in the electronic tokens (and an offset value to account for clock drift). Whether or not OTPs are time-synchronized is basically irrelevant for the degree of vulnerability, it but avoids a need to reenter passwords if the server is expecting the last or next code that the token should be having because the server and token have drifted out-of-sync.

Compared to most proprietary hardware tokens, so long as one already carries a phone or another mobile device in one's pocket, users of mobile devices don't need to carry and protect an extra item (which has no usefulness except that it generates OTPs). In addition to reducing costs considerably, using a phone as a token offers the convenience that it is not necessary to deliver devices to each end-user (who typically already own the device). For many users, a mobile phone may also be trickle-charged to preserve its battery for at least some portion of each day, whereas most proprietary tokens cannot be trickle-charged. However, most proprietary tokens have tamper-proof features.

OTPs versus other methods of securing data

One-time passwords are vulnerable to social engineering attacks in which phishers steal OTPs by tricking customers into providing one or more OTPs that they used in the past. In late 2005 customers of a Swedish bank were tricked into giving up their one-time passwords (The Register article). In 2006 this type of attack was used on customers of a US bank (Washington Post Security Blog). Even time-synchronized OTPs are vulnerable to phishing, by two methods: The password may be used as quickly by the attacker as the legitimate user must use the OTP, if the attacker can get the OTP in plaintext quickly enough. The other type of attack -- which may be defeated if one's OTP system implements using the hash chain as discussed above -- is that after the phisher uses this social engineering, the phisher must then use the information gained (past OTP codes which are no longer valid) to predict what OTP codes will be used in thefuture (e.g. an OTP password-generator that is pseudo-random rather than truly random might or might not be able to be compromised, because pseudo-random numbers are often predictable once one has the past OTP codes (see also main article); the code implemented in the programming of each Direct OTP or token will determine whether one is vulnerable to this type of attack.

Although OTPs are in some ways more secure than a memorized password, users of OTP systems are still vulnerable to man-in-the-middle attacks. OTPs should therefore not be disclosed to any third parties, and using an OTP as one layer in layered security is safer than using OTP alone; one way to implement layered security is to use an OTP in combination with a password that is memorized by the user (and never transmitted to the user, like OTPs often are). An advantage to using layered security is that a single sign-oncombined with one master password or password manager becomes safer than using only 1 layer of security during the sign-on, and thus the inconvenience of password fatigue is avoided if one usually has long sessions with many passwords that would need to be entered mid-session (to open different documents, websites, and applications); however, the disadvantage of using many forms of security all at once during a single sign-on is that one has the inconvenience of more security precautions during every login--even if one is logging-in only for a brief usage of the computer to access information or an application that doesn't require as much security as some other top-secret items that computer is used for. See also Related technologies, below.

Related technologies

More often than not, one-time passwords are an embodiment of two-factor authentication (T-FA). T-FA is a form of layered security where it is unlikely that both layers would be disabled by someone using only one type of attack. Some single sign-on solutions make use of one-time passwords. One-time password technology is often used with a security token.

Newer, interactive T-FA approaches, such as eNTERSECt Technology's Interactive Transaction Authentication (ITA) system attempts to close the loop where attackers could get hold of OTPs, by prompting a user on a paired mobile phone about the transaction taking place. When accepting the transaction, the message is again relayed (over GPRS or SMS technology) to the authentication server. The whole transaction is encrypted using standard Public/Private Key Encryption.

Standardization

Many OTP technologies are patented. This makes standardization in this area more difficult, as each company tries to push its own technology. Standards do, however, exist, for example RFC 2289 and RFC 4226 (HOTP).

OTPs in the context of online banking

paper-based OTP web-site login

In some countries OTPs that are used in the context of online banking. In some of these systems, the bank sends to the user a numbered list of OTPs that are printed on paper. For every online transaction, the user is required to enter a specific OTP from that list. In Germany, those OTPs are typically called TANs (for 'transaction authentication numbers'). Some banks even dispatch such TANs to the user's mobile phone via SMS, in which case

Posted in: history