One-Time Password Security



When you go on a vacation, you’re probably extremely vigilant with the security of your home. You lock all the windows and doors, and even activate the security camera if you have one installed. After all, you can’t be too careful.




But how vigilant are you when it comes to securing your digital accounts? Do you take steps to create complex passwords? Do you store them in a folder that’s only known to you? Even if you do, isn’t it possible for a hacker to remotely access your system and cause all kinds of harm? Unfortunately, many people need to take cybersecurity more seriously.

As the number of people using the internet to shop, learn, earn and socialize increases, it’s no longer enough to rely on complex passwords to keep intruders at bay. Businesses that store people’s information (banks, ecommerce firms, social media companies and so on) have realized this, which has led them to take extra measures to prevent fraudulent activities and improve account security.

One increasingly popular measure is the use of one-time passwords, which provide an additional level of security by generating a PIN code that’s valid for just one login session or transaction. How exactly does it help? Let’s take a closer look.

How does a one-time password work?

A one-time password (OTP) is a short code, in most instances a four- or six-digit number, that is delivered to or generated on a device the account holder controls (most often a mobile phone) when they try to log in. It verifies that the person holds that device and must be used within a limited period. As soon as the OTP has granted access its validity ends, so unlike a static password, which can be replayed as often as it is captured, it cannot be entered a second time.

Using OTPs spares a provider a good deal of fraud cost and gives customers peace of mind: if a customer's static credentials are compromised, the login still does not complete without the correct OTP delivered to the registered device. A customer who enters the wrong code can request a new one, commonly up to three times, to regain access.

One-time passwords are produced by a generator that yields a fresh code each time one is requested: either an unpredictable random number drawn on the server and delivered to the user, or a code computed from a secret shared between a token and the server. The code serves as a second password that is distinct for every login and typically expires three to five minutes after it is issued (token-generated codes change even faster). This makes an OTP well suited to the most privileged and sensitive activities performed online.

Who’s responsible for authenticating OTPs?

Where there are one-time passwords, there’ll be a central authority to check their validity. The responsibility is often delegated to authentication servers, which can either exist in the form of hardware controllers or software tools. The servers verify if the code put in by the users on the device is correct before it allows them to log into their accounts.

Authentication servers most commonly generate one-time passwords from the current time, with the token "synchronised" to the same clock so that both compute the same numeric value within each time step. Another approach is event-based: the token and server each keep a counter, or each new password is derived by hashing from the previously used one. Authentication servers also integrate with enterprise directories such as AD/LDAP and provide a web-based dashboard for control and management.
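The two server-side approaches just described, time-synchronised and counter-based, are standardised as TOTP (RFC 6238) and HOTP (RFC 4226). The following is an added example written for this page, not code from the original article or from any vendor. It generates both kinds of code from a shared secret and shows the checks an authentication server needs: a small window of time steps so a token whose clock has drifted slightly still validates, a counter look-ahead so an event-based token can resynchronise, and a record of the last accepted step so the same code is never accepted twice. The secret is the ASCII reference secret from the RFCs; `TotpVerifier`, `HotpVerifier` and their parameters are this example's own names, and the `digits` parameter also produces the 8-digit codes that some schemes (such as the mAadhaar app mentioned further down) use.

```python
"""HOTP (RFC 4226) and TOTP (RFC 6238) as an authentication server implements them.
Added example for this page; not code from the article or any vendor."""
import hashlib
import hmac
import struct
import time
from typing import Optional

# Reference secret from the RFC 4226 / RFC 6238 test vectors (ASCII "12345678901234567890").
# Real deployments provision a random per-user secret of at least 160 bits.
RFC_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226: HMAC(secret, counter) -> dynamic truncation -> `digits` decimal digits."""
    msg = struct.pack(">Q", counter)                      # 8-byte big-endian counter
    mac = hmac.new(secret, msg, algo).digest()
    offset = mac[-1] & 0x0F                               # low nibble of the last byte
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)       # keep leading zeros


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 6238: HOTP with the counter replaced by floor(unix_time / step)."""
    return hotp(secret, at // step, digits, algo)


class TotpVerifier:
    """Server-side TOTP check. `window` time steps either side of 'now' absorb small
    clock drift; `last_step` enforces single use of every time step (RFC 6238 s5.2)."""

    def __init__(self, secret: bytes, step: int = 30, window: int = 1, digits: int = 6):
        self.secret, self.step, self.window, self.digits = secret, step, window, digits
        self.last_step = -1                               # highest step already consumed

    def verify(self, code: str, now: Optional[int] = None) -> bool:
        if not (code.isdigit() and len(code) == self.digits):
            return False                                  # malformed input, no HMAC work
        now = int(time.time()) if now is None else now
        cur = now // self.step
        for t in range(cur - self.window, cur + self.window + 1):
            if t <= self.last_step:                       # replay, or older than a used step
                continue
            if hmac.compare_digest(hotp(self.secret, t, self.digits), code):
                self.last_step = t
                return True
        return False


class HotpVerifier:
    """Server-side HOTP check. The server keeps its own counter and looks ahead a
    bounded number of steps, so a token that produced codes which were never
    submitted can resynchronise; counters at or below the last accepted one are
    never accepted again."""

    def __init__(self, secret: bytes, look_ahead: int = 10, digits: int = 6):
        self.secret, self.look_ahead, self.digits = secret, look_ahead, digits
        self.counter = 0                                  # next counter the server expects

    def verify(self, code: str) -> bool:
        if not (code.isdigit() and len(code) == self.digits):
            return False
        for c in range(self.counter, self.counter + self.look_ahead + 1):
            if hmac.compare_digest(hotp(self.secret, c, self.digits), code):
                self.counter = c + 1                      # skip past the consumed counter
                return True
        return False


if __name__ == "__main__":
    # Time step 1 (unix time 59) from the RFC 6238 test vectors, 8 digits: 94287082
    print(totp(RFC_SECRET, 59, digits=8))
```

With the reference secret the block reproduces the RFC test vectors (HOTP counter 0 gives 755224, TOTP at unix time 59 gives 94287082 with 8 digits). The window and look-ahead are the knobs that trade drift tolerance against the number of codes an attacker may guess at once; widening them without tightening rate limits proportionally weakens the factor.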


Some providers also offer applications that make one-time passwords easier to administer. For instance, if an OTP is bound to a device and the person has left that device at home, they can sign into the provider's web app and have a one-time password sent to their e-mail address, valid for a single day. The same app can be used to request a new code if the previous one was lost or entered incorrectly, and users can report damaged or lost tokens to the administrators through it. Such fallbacks are only as strong as the e-mail account they rely on, so they should be time-limited, logged and treated as a temporary downgrade of the second factor.

Pros and cons of one-time passwords

Here are some of the biggest benefits of using OTP.

Pros

Safe from replay attacks

The biggest advantage OTPs offer over standalone passwords is resistance to replay: an adversary who tricks you into revealing a code, or captures it in transit, cannot reuse it once it has been consumed or has expired. Two caveats apply. The server must actually record that a code (or, for time-based tokens, a time step) has been used, otherwise the same value stays valid until it expires. And a real-time phishing site that relays the code to the genuine service within its validity window still gets one login with it; an OTP defeats reuse, not a live man-in-the-middle.

Keeps you off your e-mail on untrusted machines

OTPs are commonly delivered to a mobile phone by SMS, so completing a login does not require opening your e-mail. That lets you avoid signing into your mailbox on public computers or over an untrusted Wi-Fi hotspot.

Convenient to use

Most people own a mobile phone, and every phone can receive SMS, so one-time passwords delivered this way need no extra hardware. That also suits the businesses sending them: end users already know how to use their phones and need no separate device to receive the code, so companies can improve the user experience while keeping operational costs down.

Cons

Could get out of sync

Electronic tokens have their share of problems. Event-based tokens fall out of step with the authentication server when the user generates codes that are never submitted, and time-based tokens fall out of step when the token's clock drifts, so a code is rejected even though the right device produced it. Servers compensate with a tolerance window (a few time steps or counter values around the expected one) and a resynchronisation procedure, often by asking the user for two consecutive codes.

Can lock you out of your account

If your OTP device is lost or stolen, repeated failed login attempts by whoever has it can lock you out of your own account. That is a real hassle when you are travelling, since reaching the provider may mean an international call and roaming charges. The opposite failure is worse: if the provider does not cap the number of attempts per code, a six-digit code is exhausted after at most a million guesses, so the adversary can brute-force the second factor outright.
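The lockout and brute-force trade-off above comes down to a few server-side controls for a delivered code (SMS or e-mail style): draw the code from a cryptographic random source, give it a short expiry, cap the guesses per code and discard the code rather than freezing the account, and cap how often a replacement can be requested. The following is an added example written for this page, not the article's or any provider's code; `OtpService`, `brute_force_success`, the 15-minute re-send window and the injectable clock are this example's own assumptions, while the five-minute expiry and the limit of three re-requests follow the figures given in the article.

```python
"""Delivered-code OTP service (SMS or e-mail style): random code, expiry, bounded
guesses, bounded re-sends. Added example for this page; not the page's own code."""
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

DIGITS = 6
TTL_SECONDS = 5 * 60      # the article: codes expire three to five minutes after issue
MAX_ATTEMPTS = 3          # guesses allowed per code before it is discarded (assumption)
MAX_ISSUES = 3            # the article: a replacement code may be requested up to three times
ISSUE_WINDOW = 15 * 60    # constructed value: the re-send budget refills after 15 minutes


@dataclass
class PendingCode:
    code: str
    expires_at: float
    attempts: int = 0


class OtpService:
    def __init__(self, clock: Callable[[], float] = time.time):
        self.clock = clock                                # injectable for testing
        self.pending: Dict[str, PendingCode] = {}
        self.issued: Dict[str, List[float]] = {}          # timestamps of recent issues per user

    def issue(self, user: str) -> Optional[str]:
        """Create a fresh code for `user`, or None when the re-send budget is spent.
        Any earlier code is overwritten, so only the latest one is ever valid."""
        now = self.clock()
        recent = [t for t in self.issued.get(user, []) if now - t < ISSUE_WINDOW]
        if len(recent) >= MAX_ISSUES:
            self.issued[user] = recent
            return None
        code = str(secrets.randbelow(10 ** DIGITS)).zfill(DIGITS)   # CSPRNG, not random.randint
        self.pending[user] = PendingCode(code, now + TTL_SECONDS)
        self.issued[user] = recent + [now]
        return code   # goes to the SMS/e-mail gateway in production, never back to the browser

    def verify(self, user: str, guess: str) -> bool:
        entry = self.pending.get(user)
        if entry is None:
            return False
        if self.clock() > entry.expires_at:              # expired: discard it
            del self.pending[user]
            return False
        entry.attempts += 1
        ok = guess.isdigit() and len(guess) == DIGITS and hmac.compare_digest(entry.code, guess)
        if ok or entry.attempts >= MAX_ATTEMPTS:         # single use, or too many wrong guesses
            del self.pending[user]
        return ok


def brute_force_success(guesses: int, digits: int = DIGITS) -> float:
    """Chance that `guesses` distinct attempts hit one uniformly random code."""
    return min(guesses, 10 ** digits) / 10 ** digits
```

Discarding the code after three wrong guesses, instead of locking the account, bounds an attacker to a 3-in-a-million chance per code while leaving the legitimate user able to request a replacement; the re-send cap then keeps an attacker holding only the victim's phone number from using the resend path itself as a guessing or denial-of-service channel. Per-IP throttling on top of this is still needed, since these limits are per user.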

May be costly for the providers

For providers, cost is a problem, especially when they supply OTP hardware. Hardware tokens can also be stolen, damaged or lost, and users face the hassle of replacing or recharging them when the battery dies. Delivering codes by SMS avoids those costs, but SMS is the weakest delivery channel (it is tied to the phone number rather than to the phone, and is not accepted on its own under PSD2, as noted further down), so it trades hardware cost for a lower level of assurance.

Conclusion

Weighing the usage, pros and cons of OTPs, every user can improve account security by presenting a different password for every single login. As long as the provider verifies codes correctly (single use, short expiry, a limited number of attempts) and you have your phone or OTP hardware with you, a threat actor who has captured your credentials cannot reuse them. You also avoid depending on public computers that may carry keystroke loggers or other credential-capturing software or hardware.


What does OTP mean?

One-time password (OTP) systems provide a mechanism for logging on to a network or service using a unique password that can only be used once, as the name suggests.

The static password is the most common authentication method and the least secure. If 'qwerty' is always your password, it's time for a change.

Why is a one-time password safe?

The OTP feature prevents some forms of identity theft by making sure that a captured user name/password pair cannot be used a second time.

Typically the user's login name stays the same, and the one-time password changes with each login.

One-time passwords (aka One-time passcodes) are a form of strong authentication, providing much better protection to eBanking, corporate networks, and other systems containing sensitive data.

Authentication answers the question: 'Are you indeed Mr or Mrs. X?'

Today most enterprise networks, e-commerce sites, and online communities require only a user name and static password for login and access to personal and sensitive data.

OTP and TOTP vs. static password

Although this authentication method is convenient, it is not secure: a static password can be stolen by phishing, keyboard logging, man-in-the-middle attacks and similar practices, and online identity theft by these means is increasing throughout the world.

Strong authentication systems address the limitations of static passwords by incorporating an additional security credential, such as a temporary one-time password (OTP), to protect network access and end-users digital identities.

This adds an extra level of protection and makes it more challenging to access unauthorized information, networks, or online accounts.

Time-based One-Time Password (TOTP) changes after a set period, such as 60 seconds, for example.

In India, the mAadhaar app on your mobile phone allows you to generate a dynamic OTP instead of waiting for a one-time password to arrive. The app’s algorithm generates a dynamic OTP or TOTP. The 8-digit code is valid for 30 seconds.


Here is an example of OTP in on-line payment.

How are one-time passwords created?

One-time passwords can be generated in several ways, and each one has trade-offs in terms of security, convenience, cost, and accuracy.

Grid cards

Simple methods such as transaction numbers lists and grid cards can provide a set of one-time passwords.

These methods offer low investment costs but are slow, difficult to maintain, easy to replicate and share, and require the users to keep track of where they are in the list of passwords.
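A TAN list or grid card is a pre-printed set of one-time passwords. The hash-chain scheme (Lamport's scheme, as used in S/KEY), the "derived from the previously used password" approach mentioned earlier on the page, produces the same kind of list without the server ever storing it, and lets the server tell the user which position is next, which removes the bookkeeping problem described above. The following is an added example written for this page, not code from the page or any vendor; the chain length, the seed value and the names `ChainServer`, `ChainClient` and `enrol` are this example's own assumptions.

```python
"""Lamport / S/KEY style hash-chain OTP. Added example for this page; not the page's code."""
import hashlib
import hmac
from typing import List, Tuple


def _h(x: bytes) -> bytes:
    return hashlib.sha256(x).digest()


def make_chain(seed: bytes, n: int) -> List[bytes]:
    """p[0] = H(seed), p[i] = H(p[i-1]); returns p[0..n]. Only p[n] is ever given
    to the server; everything before it is a preimage the server cannot compute."""
    chain = [_h(seed)]
    for _ in range(n):
        chain.append(_h(chain[-1]))
    return chain


class ChainServer:
    """Stores the current chain head and the index it expects next; never the seed."""

    def __init__(self, head: bytes, n: int):
        self.current, self.index = head, n

    def challenge(self) -> int:
        """Tell the client which chain element to present, so the user does not
        have to track the position the way a grid-card holder must."""
        return self.index - 1

    def verify(self, candidate: bytes) -> bool:
        if self.index <= 0:                               # chain exhausted: re-enrol
            return False
        if not hmac.compare_digest(_h(candidate), self.current):
            return False
        self.current, self.index = candidate, self.index - 1   # accepted value becomes the head
        return True


class ChainClient:
    """Holds the seed (in practice derived from a passphrase) and recomputes the chain."""

    def __init__(self, seed: bytes, n: int):
        self.chain = make_chain(seed, n)

    def respond(self, index: int) -> bytes:
        return self.chain[index]


def enrol(seed: bytes, n: int) -> Tuple[ChainClient, ChainServer]:
    """Enrolment: the client computes the chain and hands only p[n] to the server."""
    client = ChainClient(seed, n)
    return client, ChainServer(client.chain[n], n)


if __name__ == "__main__":
    client, server = enrol(b"constructed-seed", 5)       # constructed seed, 5 logins
    idx = server.challenge()                              # 4
    print(idx, server.verify(client.respond(idx)))        # 4 True
```

A captured value p[i] is useless to an eavesdropper: the server now expects p[i-1], which is a preimage of p[i] under the hash. The weakness of the scheme is at the ends of the chain: it must be re-enrolled when exhausted, and a man-in-the-middle who intercepts p[i] before it reaches the server can use it once, exactly as with any other OTP.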

Security tokens

A more convenient way for users is to use an OTP token, a hardware device capable of generating one-time passwords.


Some of these devices are PIN-protected, offering an additional level of security.

The user enters the one-time password with other identity credentials (typically user name and password), and an authentication server validates the logon request.

Although this is a proven solution for enterprise applications, the deployment cost can make the solution expensive for consumer applications.

Because each token is provisioned with a secret shared with one authentication server, a token is bound to that server, so users generally need a different token for each Web site or network they use.

Smart cards and OTP

More advanced hardware tokens use microprocessor-based smart cards to calculate one-time passwords.

Smart cards have several advantages for strong authentication, including data storage capacity, processing power, portability, and ease of use.

They are more secure than simpler OTP tokens because the secret and the computation stay inside a tamper-resistant chip: the card produces a unique, non-reusable password for each authentication event, can store personal data, and never transmits confidential or private data over the network.

Display payment cards can even integrate an OTP generator for 2-factor authentication.

Public Key Infrastructure for OTP strong authentication

Smart cards can also include additional strong authentication capabilities such as PKI or Public Key Infrastructure certificates.

When used for PKI applications, the smart card device can provide core PKI services, including encryption, digital signature, and private key generation and storage.


Thales smart cards support OTP strong authentication in both Java™ and Microsoft .NET environments.

Multiple form factors and connectivity options are available so that end-users have the most appropriate device for their network access requirements.

All Thales OTP devices work with the same Strong Authentication Server and are supported with a standard set of administrative tools.

Single-factor authentication (SFA)

Single-factor authentication is the traditional security process that requires a user name and password before granting access to the user.

Two-factor authentication (2FA)

Stronger authentication can also be implemented with two-factor authentication (2FA) or multiple-factor authentication. In these cases, the user provides two (or more) different authentication factors.

Below is another example of 2 factor-authentication in banking.

OTP SMS is a common second-factor authentication method for banks.


At the ATM, you will need your card (something you have) AND a PIN code (something you know).

In Singapore, Singpass uses Two-Factor Authentication (2FA) and end-to-end encryption of passwords to securely access the country's eGovernment services.

Note that the European PSD2 regulation requires strong customer authentication from banks and financial institutions. OTP by SMS on its own is no longer considered a PSD2-compliant method.

OTP markets and key industry players


The OTP segment is part of a wider two-factor authentication market valued at $3.5B in 2018. It will reach $8.9B by 2024, according to a Market Research Future study.

The OTP market is estimated at $1.5B in 2018 and will reach $3.2B by 2024.

The two-factor authentication market's major players include Thales, Fujitsu, Suprema, OneSpan, NEC, Symantec, RSA, IDEMIA, HID, Entrust, and Google, to name a few.

The hardware OTP token authentication business is a small part of the OTP market. According to Research and Markets, its worldwide size is estimated at $261m for 2019 and is expected to reach $403m by 2025.


Primary customers are enterprises, banking, finance, insurance and securities, government, healthcare, and gaming.

Beyond OTP: More resources on authentication


  • It's time for a change (CNN)
  • Create a more robust password (Google)
  • The password is dying.
  • German banks move away from SMS OTP (ZD Net - 11 July 2019)
  • Learn more about biometric authentication (Thales web dossier)
  • Discover multi-factor authentication solutions from Thales
  • Behavioral biometrics in banking (for stronger authentication)
  • Learn more about silent authentication
  • Discover our 3-factor authentication smart token
  • Advanced OTP in Banking: VTB24 in Russia