The use of one-time passwords
Amid the constantly growing online business segment, data protection has to be particularly reliable. While you can still ‘survive’ the hacking of your personal page on a social network (though it is extremely unpleasant too), the loss of business information can lead not only to the loss of reputation and income but even to the closure of the company.
One of the most vulnerable points in information security is the reliable authentication of every user attempting to access his or her account on a particular website.
Common reusable passwords are familiar to everyone and are practically useless against the present level of hacker threats. They cannot withstand attackers equipped with ‘tools’ such as keyloggers, data interception, and social engineering. A much higher level of protection can be provided by one-time passwords.
How one-time passwords are generated
The most convenient and secure one-time password generation tool at present is a token. It can be either a software token (an application for a tablet or an Android/iOS smartphone) or a hardware token in the form of a USB flash drive, key fob, or credit card. For extra protection, each token can work together with a PIN code that must be entered when the one-time password is used.
One-time passwords are usually generated by using one of three algorithms:
- HOTP – HMAC-based one-time password algorithm. The server and the OTP token both keep count of the number of authentication procedures performed by the user and use this counter as an input when generating the password. A mismatch between the server's counter and the token's counter can cause a problem; this can happen, for example, if the user repeatedly presses the button to generate an OTP and then does not use the password.
- TOTP – time-based one-time password algorithm. Here the password is derived from the token's internal clock. TOTP is convenient because the validity period of an OTP is limited, which means it cannot be created in advance or used after it expires.
- OCRA – OATH challenge-response algorithm. This is a very reliable algorithm, although it involves a few more steps than the previous two. Mutual authentication of the user and the server takes place during the exchange. Unlike the other algorithms, it uses a random number (a challenge) issued by the server as an input.
It is worth mentioning that the TOTP and OCRA algorithms produce short-lived passwords, which significantly complicates hacking.
Protectimus tokens use all three algorithms. Protectimus ONE and Protectimus Slim tokens generate passwords with the TOTP algorithm, while the particularly reliable Protectimus ULTRA tokens create the most secure OTPs by using OCRA.
Threats and risks of using one-time passwords
- Interception of the OTP. In this situation, often called a ‘man-in-the-middle attack’, a hacker intercepts the password and uses it to log in to the system. To avoid this, you can use 2FA with a data signing function (CWYS), available in the Protectimus SMART token. It allows the authentication to take into account not only the password but also other parameters of the particular transaction: the place from which the network is accessed, the browser, the system language, and so on.
- Loss of the token. So as not to shed bitter tears in case of loss or theft of the token, you should make a PIN code mandatory whenever the device is used.
- Attempts to hack the PIN code. The solution in this case is a setting under which the OTP token is blocked if a wrong PIN is entered repeatedly.
- Hacking of a software token. A hacker can copy the software token and attempt to find the secret key used to generate the OTP. One method of protection is to use the PIN code as one of the inputs when generating the one-time password. Thus, even knowing the secret key, a hacker cannot create a password, because the PIN code is not stored in the software token.
- A villain among friends. An unfortunate situation can arise when the malefactor and the person who issues two-factor authentication tokens are the same person. Such a person can create duplicates of software authentication tokens and use them to log in under the name of the legitimate user. To prevent this, the user must take part in the activation of the software token.
It is undeniable that two-factor authentication using OTP tokens that generate one-time passwords is the best authentication method available today. It eliminates the risks associated with standard password authentication and reliably protects the data of companies and individual users.