The Protectimus Crystal hardware OTP token is a freestanding device, so it doesn’t require a network connection. One-time passwords are generated using the TOTP algorithm with two parameters: a secret key hard-coded into the token, and a variable (the current time value). The secret key and time are known to the authentication server. The two-factor authentication server verifies the one-time password generated by the token against the OTP generated by the server using the same data. If the one-time passwords match, authentication is successful.
Apart from hardware OTP tokens, SMS, email, iOS and Android apps, and messaging services are commonly used for delivering and generating one-time passwords. But all these MFA approaches have vulnerabilities: one-time passwords can be intercepted during delivery, such as by compromising a cellular network or using a virus installed on a mobile device. Hardware one-time password generators are isolated, excluding both of these threats. Tokens cannot be infected by viruses, and one-time passwords aren’t delivered — the OTP token itself generates them.
TOTP tokens generate one-time passwords based on a secret key and the current time. The TOTP password generation algorithm replaces HOTP and is more secure. Under the HOTP algorithm, one-time passwords are generated based on a secret key and an event counter whose value increases in increments of one. Because the counter advances only when a password is generated, not as time passes, an attacker can generate and write down several OTPs in advance. OTPs generated by a TOTP token are valid for only 60 seconds, so these one-time passwords cannot be generated in advance.
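The difference between the two algorithms, and the server-side comparison described above, as an added Python example (not Protectimus code). It follows RFC 4226 and RFC 6238 and goes slightly beyond the text by including the server's verification logic; the secret is the RFC 4226 test key, and `drift_steps`, `last_used_step` and `look_ahead` are assumed server policy parameters, not settings taken from this page.

```python
import hashlib
import hmac
import struct

SECRET = b"12345678901234567890"  # RFC 4226 test key, not a real token secret

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # low nibble of the last byte picks 4 bytes
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def totp(secret: bytes, unix_time: int, step: int = 60) -> str:
    """RFC 6238: HOTP whose counter is the number of elapsed time steps."""
    return hotp(secret, unix_time // step)

def _same(a: str, b: str) -> bool:
    return hmac.compare_digest(a.encode(), b.encode())  # constant-time compare

def verify_totp(secret, submitted, unix_time, step=60, drift_steps=1, last_used_step=-1):
    """Return the matched time step, or None. drift_steps (clock-drift tolerance)
    and last_used_step (replay guard) are assumed server-side policy."""
    now_step = unix_time // step
    for s in range(max(0, now_step - drift_steps), now_step + drift_steps + 1):
        if s > last_used_step and _same(hotp(secret, s), submitted):
            return s
    return None

def verify_hotp(secret, submitted, server_counter, look_ahead=5):
    """Return the next server counter, or None. Time plays no part here."""
    for c in range(server_counter, server_counter + look_ahead):
        if _same(hotp(secret, c), submitted):
            return c + 1
    return None

if __name__ == "__main__":
    # A code read off the token at t=59 s, then presented later.
    seen = totp(SECRET, 59)
    print("TOTP at t=100:", verify_totp(SECRET, seen, 100))  # inside drift window
    print("TOTP at t=130:", verify_totp(SECRET, seen, 130))  # outside the window
    # HOTP codes noted ahead of time stay valid until the counter passes them.
    noted = [hotp(SECRET, c) for c in range(3)]
    print("HOTP later:", verify_hotp(SECRET, noted[2], 0))
```

With a drift tolerance configured, the server accepts a code slightly longer than one time step, so recording the last accepted step is what stops the same code from being replayed inside that window.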
Protectimus Crystal OTP authentication tokens meet OATH standards. The Protectimus Crystal is a reliable hardware TOTP token that is resistant to moisture and dust, and immune to cyberattacks. These authentication tokens work for about 5 years. One-time passwords are generated without a network connection, so Protectimus Crystal authentication tokens cannot be infected by viruses and one-time passwords cannot be intercepted. Even if an attacker presses the button on the OTP token and receives a one-time password while nobody is looking, the one-time password will be valid for only 30 or 60 seconds. It is impossible to generate several OTPs in advance.
You can buy the Protectimus Crystal to use it with the Protectimus two-factor authentication system, or with any other multifactor authentication server that works according to OATH standards. The Protectimus Crystal TOTP authentication token comes with a hard-coded secret key that cannot be changed. The Protectimus Crystal security token features a compact form factor (it’s the smallest key fob OTP token), but it’s equipped with a large, convenient LCD display that makes it easy for even those with poor eyesight to read one-time passwords.