Blog Feed
Tesla App Two-Factor Authentication Coming Soon According to Elon Musk
Without a doubt, Tesla’s electric cars are the best vehicles on the market right now. They attract people with modern design, high efficiency, and the low cost of maintenance and operation. These vehicles are generally considered fairly theft-proof thanks to always-on GPS, which lets owners track their cars. But their numerous smart features still leave them highly exposed to hacking. That is why two-factor authentication has become one of the most awaited features among Tesla users. The good news is that Tesla CEO Elon Musk recently tweeted that 2FA is now on the way. He did not provide a timeline, but admitted that it is “embarrassingly late”.

Why Tesla users are looking forward to 2FA

Firstly, what is two-factor authentication? It requires evidence of two different kinds, which is what makes it reliable protection against account takeover and malware. Usually, a person enters a username and password (something they know) and then confirms the login with a confirmation code delivered to their phone (something they have) by e-mail, SMS, or a chatbot in a messaging app, or generated by a 2FA app or hardware authentication token. In some cases, biometric data may be requested (retina scan, fingerprint, voice recognition): something they are.

At the moment, you only need a username and password to log in and unlock your car with the Tesla app. Imagine that someone learned them. Fraudsters could simply install the application on their phone and gain access to many of your electric car’s functions. Two-factor authentication minimizes this risk and provides strong protection for your account.

Read also: 6 Multi-Factor Authentication Myths You Still Believe

Tesla app two-factor authentication options to choose from

If Elon Musk is to be believed, two MFA methods will be available to Tesla app users: SMS and 2FA applications. This most probably means that the programmable hardware tokens Protectimus Slim NFC and Protectimus Flex will also work, since they are designed to replace 2FA apps.

SMS authentication

SMS authentication is one of the most popular solutions. It is convenient and saves the time spent installing additional applications or buying individual hardware tokens. It cannot be denied that SMS authentication is safer than a username and password alone. But it also has several disadvantages:
- the risk of the SIM card being swapped;
- cellular network vulnerabilities;
- smartphone malware.
We described all these issues with SMS authentication in detail here. Of course, hacking your account won’t be as easy as it is now, when the Tesla app works without two-factor authentication at all, but it is better to choose any other 2-factor authentication method.

2FA apps

The second popular solution is MFA applications that generate one-time passwords on your smartphone. In this case, the OTPs are not transmitted over any network, which eliminates half of the risks. This type of two-factor authentication is much more reliable than SMS. But it also has its drawbacks. Every time you connect to the network, you expose your smartphone. Any downloaded application can carry malware.

Programmable hardware token

As a rule, if an application supports two-factor authentication with an in-app authenticator, you can also connect the Protectimus Slim NFC or Protectimus Flex hardware token for Tesla app two-factor authentication. Protectimus...
6 MFA Myths You Still Believe
MFA, or multi-factor authentication, is by definition a technology that limits access to a user account unless the user presents two or more pieces of evidence proving that they are who they claim to be; moreover, the evidence must be of different natures: something they know, something they have, or something they are. Overall, the process is regarded as helpful, as it addresses many security threats, including phishing, brute force, keyloggers, some cases of social engineering, and MITM attacks. However, some persistent MFA myths make companies hesitant to use it, and we’re ready to debunk the most common ones.

1. Only large companies benefit from using MFA

This misconception doesn’t make sense if you think about it. The size of the company should have nothing to do with the security measures it employs. Even small companies handle sensitive information that should be subject to comprehensive control and security. Furthermore, a company doesn’t need a huge staff to implement multi-factor authentication. There are two-factor authentication options that are easy and cheap to roll out, monitor, and maintain. Meanwhile, the downsides of not using MFA can be even more devastating for a small company: a security breach can result in a massive loss of reputation and trust.

2. MFA should only be required from privileged users

The idea behind this myth is that only privileged users have access to sensitive data, so they are the only ones who should be required to go through multi-factor authentication. However, this assumption is often wrong: for example, every company employee has access to some confidential data. The harmful side of this myth is that cybercriminals often use it to their advantage. They target non-privileged users with phishing or other hacking methods, then use the access gained to move around the corporate network and reach private or valuable data with ease.

Read also: Remote Work: How to Transition Team to Working From Home During the COVID-19 Pandemic

3. It is expensive to enable 2FA

This myth stems from the earlier days of 2-step verification, when each hardware token cost around $100, so while it was secure, it wasn’t cheap. Furthermore, tokens could be lost, making the process harder and even more expensive. Nowadays, the price of the Protectimus Two hardware token starts from USD 11.99 and goes down for orders of 50 pieces or more. Moreover, there are much easier and cheaper ways of distributing one-time passwords. For example, it can be done for free through a dedicated authentication app or a chatbot in Telegram, Viber, or Facebook. Another thing to consider when calculating the price of MFA is how much you would lose without it in the case of a data breach.

4. Two-factor authentication ruins the user experience

Most companies work hard and spend a lot of money to make the user experience as smooth as possible. This is why it might seem annoying to them that, just for the sake of implementing multi-factor authentication, users would need to perform an extra task: entering a one-time password. While this is true, two-step authentication is becoming more and more common, and users often expect to perform this extra step. Furthermore, you should remember that technology...
How to Add Two-Factor Authentication to Outlook Web App (OWA)
If you are reading this article, you probably know the answer to the “what is OWA” question. But just in case: Outlook Web App (OWA) is a browser-based email client that gives Exchange 2010 and Exchange 2013 users access to Microsoft Outlook without any on-premises installation. Starting with Microsoft Exchange 2016 it was rebranded as “Outlook on the web”. OWA provides access not only to email but to other personal information such as calendar, contacts, and tasks, and is widely used by businesses all over the world. With such sensitive data involved, OWA two-factor authentication becomes imperative.

We developed two products for Outlook OWA 2FA. The first is Protectimus OWA, developed specifically for OWA integration. The second is Protectimus DSPA, which adds 2FA directly to the user repository (Active Directory, Lightweight Directory Access Protocol, databases) and thus adds MFA to everything linked to the business AD, LDAP, etc. Today we will give you an in-depth look at both methods. We will describe how they work, show you how to implement each solution, and list the tokens that support them.

Method 1. Use the Protectimus OWA 2FA plugin

Our Exchange OWA plugin is designed to add Outlook 2-factor authentication for mail on Microsoft Exchange 2013, 2016, and 2019. The Protectimus installation wizard finishes a Microsoft MFA setup in 15 minutes tops.

Download the Protectimus OWA installer and setup instructions

How it works

With the plugin from Protectimus, OWA multi-factor authentication is integrated with the OWA app only, nothing else. This method requires registering with the Protectimus cloud service or downloading our MFA platform (contact us), setting it up, and starting the installation wizard. That is it. This product for OWA two-factor authentication runs either in the cloud or locally. The customer gets all the advanced features such as geo and time filters, IP filters, analysis of the user environment, etc. Every Protectimus token works with this plugin, and it supports third-party tokens as well.

Supported tokens

All MFA tokens are divided into software and hardware kinds. The divide is derived from how the secret key (seed) is implemented. Since we are focused solely on Microsoft Outlook Exchange login here, we won’t delve into the details of how 2FA works. But you can always read other articles on our blog for more on various MFA specifics. For now, let’s just list the tokens that Protectimus OWA two-factor authentication supports:

- Protectimus Slim NFC: hardware device that looks like a credit card. Programmable secret key, which means the token can be reprogrammed. 3-5 years of battery life. Waterproof. $29.99/token.
- Protectimus TWO: hardware token, slightly bulkier than Slim NFC. The secret key is hardcoded, which means the token can be used for one app/website only. 3-5 years of battery life. Waterproof. Shockproof. $11.99/item.
- Protectimus SMART OTP: software token, a 2FA app for iOS and Android. Protected with a PIN. Can be used with multiple apps/websites simultaneously. Free.
- Protectimus BOT: software token. OWA auth OTPs are delivered via chatbots in Telegram, Facebook Messenger, and Viber. Free.
- Protectimus MAIL: software token. OTPs for OWA login are delivered via email (the passwords have to be sent to a different email account, not the OWA mailbox). Free.
- Protectimus SMS: software token. OWA webmail login one-time passwords are sent via SMS. With the on-premise option, any SMS service can be employed. $2 per user...
OATH Initiative – the Main Goals, Tasks, Ins & Outs
When describing our services, we often highlight that Protectimus is a coordinate partner of the OATH Initiative and that all our tokens and two-factor authentication software are OATH-certified. Not everybody is aware, however, of what the Initiative for Open Authentication (OATH) is and what its major goals are. That’s why we decided to clarify all the details concerning the OATH definition: its tasks, algorithms, and overall contribution to open authentication, which is so important and useful today.

OATH two-factor authentication service and tokens

Table of contents:
- What is OATH?
- The Major Goals of the OATH Initiative
- OATH Authentication Algorithms
  - HOTP
  - TOTP
  - OCRA
- The Efficiency & Importance of OATH Open Authentication

What is OATH?

In a nutshell, OATH (Initiative for Open Authentication) promotes the industry-wide implementation of strong authentication based on a single reference architecture, developed jointly by industry leaders using open standards. This allows strong authentication to be established as a highly available standard supported by any device in any network. In the long run, the Initiative can help significantly reinforce the security of users and service providers worldwide.

What is OATH-certified?

OATH certification basically means supporting the Initiative’s standards and creating cybersecurity solutions on the basis of these standards. Protectimus, for instance, offers a two-factor authentication solution that is fundamentally based on the principles of open authentication and uses the OATH authentication algorithms HOTP, TOTP, and OCRA. Now that we have the basic OATH meaning figured out, let’s discuss its major goals.

Read also: Identification, authentication, and authorization – what’s the difference

The Major Goals of the OATH Initiative

Being essentially a collaborative effort to advance modern authentication principles and make them more secure and reliable, the Initiative for Open Authentication makes the whole process more cost-efficient and transparent. It simply makes two-factor authentication open-source. Any company can build its own 2-factor authentication system on a single standard that is highly reliable and backed by the leading companies in the industry. The major goals of the Initiative can be listed as follows:
- making online transactions safer and more secure for both users and service providers through two-factor authentication;
- enhancing common security standards with a collaborative, open-source strong authentication standard;
- lowering the cost and effort required to integrate strong authentication into user systems;
- making authentication devices such as OATH tokens, smart cards, etc. more common and accessible;
- turning existing mobile devices such as tablets, laptops, and smartphones into OATH software tokens;
- advocating the distribution of OATH two-factor authentication algorithms and software across numerous network endpoints, such as Wi-Fi hotspots, servers, connected hardware, network switches, etc.

Read also: The Pros and Cons of Different Two-Factor Authentication Types and Methods

OATH Authentication Algorithms

Based on its universal goal of standardizing strong authentication, which includes establishing the protocols, algorithms, and data/input formats of a single standard, OATH authentication needs underlying driving forces. The collaborative efforts thus spawned three fundamental RFCs (Requests for Comments) that describe the respective algorithms for one-time password generation:
- RFC 4226 for the event-based HOTP algorithm;
- RFC 6238 for the time-based TOTP algorithm;
- RFC 6287 for the challenge-response OCRA algorithm.

OATH HOTP

HOTP (HMAC-based one-time password algorithm) is an algorithm aimed at generating one-time passwords by combining a secret key (a shared value) with a counter (a variable). The secret key is a string of characters that the authenticating server shares...
TOTP Algorithm Explained
The time-based one-time password algorithm (TOTP) is the focus of this post. But before we delve deeper into the TOTP meaning, we’d like to mention the organization that is instrumental in the existence of one-time password algorithms: OATH, or Open AuTHentication. OATH is a collaboration of all sorts of specialists who made it their mission to create a truly secure and universal framework for all to use. We at Protectimus are proud to be a part of this collaborative effort. In this article, we will learn what OATH TOTP is. We will have a closer look at TOTP algorithm implementation and how TOTP mode works. Finally, we will provide a full list of Protectimus TOTP tokens designed for time-based token authentication to help you choose the one that suits you best.

Order programmable and classic TOTP tokens here

Table of contents:
- What is TOTP
- TOTP background — HOTP
- TOTP vs HOTP
- TOTP synchronization problem
- Protectimus TOTP tokens

What is the TOTP algorithm

We’ve already answered the “what does TOTP mean?” question above. But what is TOTP authentication? The uncomplicated answer is that it’s a 2-factor verification method that uses time as the variable. Let’s expand on this a bit and unravel how TOTP authentication actually operates. The TOTP algorithm (RFC 6238) implies that an OTP is the product of two parameters processed together: a common value, which is the shared secret key, or seed; and a variable, in this case the current time. These parameters are combined with a hash function. Here’s a TOTP algorithm example to illustrate:
1. A user wants to log into a TOTP 2FA-protected application or website. For OTP authentication to work, the user and the TOTP server must initially share a static parameter (a secret key).
2. When the client logs into the protected website, they have to confirm they possess the secret key. So their TOTP token combines the seed and the current timestep and generates a hash value by running a predetermined hash function. This value is essentially the OTP code the user sees on the token.
3. Since the secret key, the hash function, and the timestep are the same for both parties, the server performs the same computation as the user’s OTP generator.
4. The user enters the OTP, and if it is identical to the server’s value, access is granted. If the results of the calculations aren’t identical, access is, naturally, denied.

To explain the above example a bit, let’s note that the mentioned seed is a string of random characters, usually 16–32 characters long. “Sharing” the key usually means scanning, with the client’s TOTP app, a QR code that shows the seed generated by the server. Alternatively, the key is already programmed into their TOTP device. The timestep is calculated using UNIX time, which starts on January 1, 1970, UTC. Timesteps are 30 or 60 seconds, so the time value used for TOTP is the number of seconds elapsed since 00:00 on January 1, 1970, divided by 30 or 60. Finally, the mentioned hash function is a cryptographic mathematical function that transforms one value into another, and the result is usually truncated to 6-8 symbols. This result is what we called a hash value above. All of this is specified in the TOTP RFC.

TOTP algorithm background — HOTP...
OCRA Algorithm Explained
OCRA, or the OATH challenge-response algorithm, is the most reliable multi-factor authentication algorithm yet. The OCRA algorithm is held to be the safest one created by OATH (the Open AuTHentication initiative), as it allows a challenge input to be used for one-time passcode generation alongside the secret key (seed) and a counter or time. The key difference between the challenge-response authentication algorithm and the older OATH algorithms HOTP and TOTP is the capability to identify the server. The end user can be assured of the server’s authenticity, which significantly adds to the security. An OCRA token is usually a keypad-style device or an app.

As the OCRA name suggests, the algorithm uses a certain challenge and a response to it. So a notional challenge-response example would look something like this:
- the website or app a client tries to log into provides a code (this will be the challenge);
- the client enters this code into the token;
- the token in its turn returns another code (this will be the response);
- the client then enters this response code to log in.

In this article, we will take a closer look at OCRA and its background, see in detail how it works, and find out how Protectimus implements it.

OCRA Background — HOTP & TOTP

The challenge-response algorithm can be seen as an advanced HOTP, the logical next stage of its evolution. Here, instead of employing a counter as HOTP does, we can employ any data (including the time, as in TOTP) as an authentication challenge.

HOTP

OATH has been working on OTP algorithms since 2004. The initial outcome of those efforts was the Hash-based Message Authentication Code OTP algorithm, HOTP, published as an IETF (Internet Engineering Task Force) document in 2005. The HOTP algorithm generates one-time passwords from a secret key and a counter. The token’s counter increments each time the button on the device is pressed; the server counter increments with each validated OTP. We’ve already published an article on HOTP, so we won’t delve into details here. Suffice it to say that the algorithm had a few drawbacks, and technology evolves very fast, so new security challenges arise just as fast. So OATH continued its work in pursuit of the most trustworthy verification method.

TOTP

The next expansion was put out in 2008. Unlike HOTP, the new method, named Time-based One-Time Password or TOTP for short, does not use a counter for server-user synchronization but generates a password based on the current time. The advantage of a TOTP password is its limited lifetime, usually 30-60 seconds. The end user’s TOTP token has a secret key and the current time value; these two are hashed with a hash function and the resulting hash value is truncated, and that’s how we get a one-time password to be sent to the server. The server in its turn has the same secret key as the user’s token and, naturally, the same time value. So the server makes the same calculation and compares the end values.

Read also: Time Drift in TOTP Hardware Tokens Explained and Solved

OCRA

Finally, in 2010 OCRA authentication was presented in IETF RFC 6287. The OCRA algorithm expanded TOTP further by introducing the challenge-response mode for calculating OTP values. The key difference of challenge-response authentication from the older...
Two-Factor Authentication Solutions Comparison: Google Authenticator vs. Protectimus
People often ask us to compare the Protectimus two-factor authentication solutions with Google Authenticator and explain how we’re better. In this article, we’ll try to answer these questions. Firstly, keep in mind that Google Authenticator is only a one-time password generator app. One of our tokens, Protectimus Smart OTP, works similarly to this app. However, in any authentication system, what really matters is not the OTP token that generates one-time passwords but the server component that verifies them. Unlike Google Authenticator, Protectimus is a complex, complete two-factor authentication solution. After integrating it with your system, your employees’ and users’ accounts will be protected from unauthorized access, once and for all.

When we get questions asking us to compare the Protectimus and Google Authenticator two-factor authentication solutions, we understand that the client is planning to develop a server component on their own but still isn’t sure. That’s why in this article we’ll also discuss the advantages of developing a 2FA server component independently, as well as the difficulties that it inevitably leads to.

Sign up to the Protectimus 2FA Service and get $25 to your account

Table of contents:
- How the two-factor authentication solutions are built
- What is Google Authenticator
- What is Protectimus
- The server component: SaaS or On-Premise
- OTP tokens: hardware or software
- Additional features of the Protectimus MFA solution
- Advantages and risks of developing your own server component
- In summary

How the two-factor authentication solutions are built

The foundation of all 2-factor authentication solutions is the MFA server. The server component is the part of the two-factor authentication system that verifies one-time passwords submitted by users in order to grant or deny access to a resource. Besides verifying OTPs, the server component may support additional data protection functionality. For example, the Protectimus two-factor authentication service makes it possible to restrict access based on a user’s geographical location, the time of the login attempt, and the user’s IP address.

The second component that any two-factor authentication solution needs is MFA tokens (authenticators). These are the devices that generate one-time passwords. Users need to keep them on hand in order to generate or receive codes when they log into their accounts. Authenticators come in all shapes and sizes (hardware, software, SMS, email, messaging service chatbots). One possible option is the Google Authenticator app. You can find out more about how HOTP, TOTP, and OCRA one-time passwords are generated and verified in this article.

What is Google Authenticator

Google Authenticator is one kind of MFA token: an app for generating one-time passwords based on the TOTP and HOTP algorithms. It’s available for free on Android and iOS. This is one of the components required for a two-factor authentication system, but it isn’t a complete system. Our OTP tokens are one-time code generators like Google Authenticator; they’re only one part of a solution for two-factor authentication, since a server that can verify the generated OTP codes is also required. By the way, we do support Google Authenticator, so you can use it with our 2FA service instead of physical tokens. We also have our own, more advanced counterpart: the software authenticator Protectimus Smart OTP. To give you the whole picture: we also support other companies’ OTP tokens that adhere to the OATH standards, and we can send one-time codes via...
How to Transfer Google Authenticator to New iPhone
If you’re reading this, you have probably bought a new iPhone. Congratulations! Now the question is how to transfer Google Authenticator to the new iPhone so as not to lose access to all the accounts you protect with multi-factor authentication. We’ll talk about Google Authenticator for iOS here, but the same works for Android smartphones. Though if you need to move Google Authenticator from one Android smartphone to another, it’s better to use its built-in Transfer Accounts function. It lets you switch Google Authenticator to a new phone in a few taps, moving all the tokens you use at once. Unfortunately, this function is available only on Android so far. And while we wait for the same update in the iOS version of Google Authenticator, let’s figure out what methods of transferring Google Authenticator to a new iPhone are available to us now.

The first thought of an average GA user is to simply delete the application from the old iPhone and set up Google Authenticator on the new iPhone. However, it’s critical not to do this. Ensure you’ve moved all the OTP tokens to your new smartphone first. If you just delete the Google Authenticator app from the old iPhone and reinstall it on the new one, your 2FA tokens will be deleted with no possibility of restoring them, and you’ll have to face the complicated process of account recovery. The procedure differs from website to website, but don’t doubt that it is always long and painful. Most likely, you’ll have to apply to the support center of every website and prove your identity.

Use the Protectimus Slim NFC token to back up Google Authenticator

There is a simple way to transfer Google Authenticator to a new iPhone, described below, but it works only for the 2FA token you use to access your Google Account. If you use iOS Google Authenticator to authenticate on other websites, you’ll have to switch off 2-factor auth and then turn it on from scratch on those services, enrolling new tokens in the new authenticator app manually. Of course, your old iPhone with Google Authenticator is required to log in to all these accounts. Furthermore, sometimes you’ll be asked to enter the current OTP to deactivate MFA. So don’t delete the app from the old phone until you have transferred all the tokens from Google Authenticator to the new iPhone.

How does Google Authenticator work

First, let’s understand the modus operandi of Google Authenticator for iPhone. This will help us explain what to do to make the process of transferring Google Authenticator to a new iPhone smooth and easy. Even more, knowing how the iPhone authenticator app works, you’ll understand how to back up the Google Authenticator you use on iPhone. Google Authenticator generates time-based one-time passwords using the Time-based One-time Password Algorithm (TOTP). This means that two parameters are used to generate the OTP code: a unique code, usually called a secret key or seed, which is shared between the token and the authentication server; and the current time interval. Time intervals are counted from UNIX time, which started at 00:00 on January 1, 1970. Thus, every 30 seconds the Google Authenticator application divides the number of seconds since January 1, 1970 by 30, takes the resulting number, combines it with the seed,...
Remote Work: How to Transition Team to Working From Home During the COVID-19 Pandemic
In this article, we’ve gathered everything you need to know about remote work. We share our own experiences and talk about how to organize remote access to company resources, how to protect the accounts of users who are working from home, what remote team working tools you can use for communicating and managing tasks, and how to keep in touch with your remote teams.

Working remotely during the pandemic is not a mere trend. Today, with the number of people infected by the coronavirus that causes COVID-19 rising exponentially, and given that a cure or vaccine for the virus has yet to be discovered, the only means of fighting the epidemic is social distancing and learning how to work from home. Many countries have already implemented a quarantine. Airports, train stations, schools, restaurants, gyms, malls, beauty salons, and (in some cases) even parks and playgrounds have been closed. Concerts, lectures, and conferences have been postponed. In this situation, a majority of private and public entities have been forced to transition to having their employees work from home whenever feasible.

We suggest that business owners view this transition to remote work as an opportunity to learn about new remote workplace software and optimize their resources. Facing an imminent economic crisis, we have to use all the means at our disposal to adapt to difficult market conditions and press onward. In this context, particular attention must be given to the topic of cyber security and risk management. Remote network connections are an additional avenue of attack for would-be intruders. We’ll tell you what you should be afraid of, what basic cybersecurity tips and rules you should implement for remote workers, and how to secure remote desktop connections to workplace computers.

Two-factor authentication for Windows and RDP

Table of contents:
- Where do I start?
- Setting up remote access
- Connecting to a remote desktop over RDP
- Setting up two-factor authentication for VPN
- Setting up two-factor authentication for RDP
- Essential tools for remote work
- Cloud services for collaboration
- Messaging apps
- Task managers and CRM
- Video calling, presentation, and conferencing tools
- IT security threats when working remotely
- Confidential information can be leaked
- Malware can compromise corporate networks
- Unauthorized users can gain access to company networks
- Cybersecurity when working from home
- Protecting remote connections
- Two-factor authentication
- Choosing OTP tokens
- Security policies

Where do I start?

1. Think about the technology employees will use to work remotely. If people use company laptops, they can take these home with them during the quarantine. If employees use desktop computers, you’ll need to set up remote access to those computers.
2. Take care to protect remote connections and user accounts on company computers. Make sure that employees set secure passwords and activate two-factor authentication for all the services they use for their work. Enable two-factor authentication for Windows and Microsoft RDP.
3. Prepare a remote-working software package for communicating, working with documents, tracking tasks, and holding presentations online. Most likely, you’re already using tools in most of these categories. If something is missing, you’ll need to choose team software and install it on all your employees’ computers.
4. Maintain security policies for working from a computer at home. Hold mandatory training on the basics of IT security and come up with a remote work policy. Some of your employees may not know what phishing, malvertising, and social engineering are, why they shouldn’t connect to an unknown Wi-Fi network, and why they shouldn’t save...
HOTP Algorithm Explained
The HOTP algorithm, or HMAC-based one-time password algorithm, was first published by OATH as RFC 4226 back in 2005. What is OATH? OATH, or the Initiative for Open AuTHentication, is an organization that specified, put together, and published the OATH OTP algorithms that lie at the heart of MFA (multi-factor authentication). It is time we looked closely at these algorithms, specifically OATH-HOTP. The HOTP algorithm is what allows creating one-time passwords from a secret key and a counter. Today we will look at how OTP works, what role the HMAC algorithm plays in it, and at what HOTP and TOTP are.

HOTP and TOTP tokens of your choice

A table of contents for your convenience:
- What does OTP mean
- What is HMAC
  - What is hash
  - What is MAC
  - So what is HMAC
- What is HOTP
- HOTP synchronization problem
- HOTP security problem
- HOTP vs TOTP
- Protectimus tokens with HOTP algorithm

What does OTP mean

First, let’s discuss the OTP meaning. A one-time password is usually a string of randomly generated digits that works for one login or transaction only. These dynamic passwords, unlike static ones, are hard to bypass or crack, since the attacker would need access to both something you have (an OTP-generating device, like a cellphone or hardware token) and something you know (like a PIN code). OTPs are the best protection against such common attacks as phishing, brute force, keylogging, and man-in-the-middle attacks. Here’s an OTP password example:

What is HMAC

What is hash

A hash is the mathematical algorithm used by HMAC-based one-time passwords. Simply put, it is a math function that turns one value into another, or condenses data to a specific size. Here’s an example. If this passage was run through a hashing algorithm:

the result, known as a hash value (SHA-1, hex), would be this: 2faff97be86cbbf921b8e5b9e1c74b82af080016

At the same time, if we change the slightest detail in the source text, for example remove the quotation marks, the hash value will be completely different: d0f8e2703fb647ce0504f6222c04f473f9f88a94

No matter the volume of the source information, be it Moby-Dick or just a phone number, its hash value is always a string of symbols of a predetermined size. Comparing hash values is far easier for a computer than comparing original files. So the hash value from the example would be a convenient tool for a computer to compare, identify, or run calculations against data and files. Hashing is used for a variety of purposes, among them compression, cryptography, data indexing, and checksum generation. Also, it’s impossible to recover the source information from the hash, which is what distinguishes hashing from encryption. Thus, it is an especially good fit for cybersecurity purposes.

Read also: Identification, authentication, and authorization – what’s the difference

What is MAC

A Message Authentication Code, or MAC, is a cryptographic checksum for data transferred through insecure channels. With a MAC applied, the receiving party can verify the authenticity of the message simply by establishing that the sender has the secret key. If the sender does not have the correct key (seed), the MAC value will be wrong and the recipient will know the message was not sent by the legitimate sender. First of all, the sender and the recipient share a secret key (also called a seed) and agree to use the same MAC generation algorithm. Before sending the message,...