Beginner’s Guide to REST API and GRAPH API9th January 2019
Managing Concurrency – How the Big Guns Do It9th January 2019
One-time Passwords (OTP): A Beginner’s Guide 2023
One-time password or an OTP is a password that is only valid one time. One-time password can be used to enhance security and support strong authentication. This article will explain the basics of one-time passwords and how they can be implemented.
Today most enterprise networks require only a user name and static password to access personal and sensitive data. This type of single-factor authentication is very convenient, however, it’s not very secure in our modern world. Most people understand that they should use unique passwords for every online account. Yet, 69% of us use the same password anyway.
Moreover, 47% of people use a password that's more than 5 years old and the most commonly used password, is '123456' – used by a staggering 17% of people. What's even worse, an eye-watering 95 Percent of People Share Up To 6 Passwords with their friends.
Even if your end-users are good with passwords (they use a different strong password for every online account and never write them down anywhere) they can still be compromised by keylogging malware or man-in-the-middle attacks. So how do you protect yourself and your company's most valuable assets from poor password hygiene or electronic eavesdropping? One way is to use a ‘one-time password’ - a disposable password that is only valid ‘one time’.
What does one-time password mean?
One-time passwords are examples of passwords that are only valid for one login session or transaction, therefore providing protection against various password-based attacks, specifically password sniffing and replay attacks. An example of a One-time password is a password with a series of numbers or characters that are generated automatically.
For this system to work the password has to change every time it's used, but there also needs to be some sort of synchronisation between the ever-changing password, the computer system or application being used, and the end-user. This synchronization also needs to take place without transmitting any data via insecure methods such as email.
How are one-time passwords synchronized?
One-time passwords can be generated in several ways and each one has trade-offs in term of security, convenience, and cost.
1. Time synchronization
One approach to generating one-time passwords is to use time synchronization. Each user has a personal token (which might look like a small calculator or a keychain) with a display that shows a number that changes occasionally. Inside the personal token is a clock that’s been synchronized with the clock on the proprietary authentication server. The device and the application server both generate new one-time password based on a numeric version of the current time.
Time synchronised passwords don’t always have to be a perfect match and typically there’s a window where older or newer passwords will be accepted. This is done simply because it takes humans a bit of time to read and enter a one-time password, so, for example, it would be unusual for a password to change every second, as the end user would not have enough time to enter the password before it becomes invalid.
The password itself is usually a hash of the current time - e.g. 16.43 becomes 1643, which is then run through a code generator and a mathematical process called a hash function (or hash code) to generate a unique 10-digit code, which is the one-time password.
Time is, therefore, an important part of the password algorithm, since the generation of new passwords is based on the ‘current time’. If the clocks get too far out of step, the token won't generate correct passwords and will need to be reset. To avoid the problem of different time zones a Unix timestamp can be used, which is a coordinated universal time.
The second method involves the computer system and the token starting with the same shared number (called a seed). Each time a new password is generated the token device increments its own internal counter, and each time you actually log in, the server also then increments it's counter.
It’s possible to get out of step by generating passwords that aren’t used, resulting in the counter in the token advancing more than the counter on the application server. However, tolerance is usually created so that things can be a little bit out of sync, and the server will (usually) automatically re-synchronize in the event that it becomes out of step.
This OTP technique is called lock-step or counter synchronization, and although proprietary hardware is still required it doesn't suffer from the disadvantage of having to keep clocks in time.
3. Transmission-based OTP
The third approach is completely different. Instead of two devices being independently responsible for their own passwords (which are then compared for validity), passwords are randomly generated by the authentication server. As this password is completely random it’s not possible for a token device to automatically stay in step, therefore the one-time password needs to be actively communicated to the end-user.
These types of disposable passwords are often referred to as "SMS-OTP" as they are most commonly sent by text message, but they can also be generated by an app or handheld electronic device (called a security token) or in some cases they may even be printed out and sent by post. When you want to authenticate, the system sends your password to you and you use the password to log in. One of the huge advantages of this method is that it eliminates the need to provide and maintain proprietary hardware.
How are one-time passwords transmitted?
1. One-time password via SMS message
This method requires a reliable, high-quality SMS service. Once the user completes the correct username and password during login, a text message with a one-time password is triggered, which is sent to the mobile number registered to the user's account. The user then completes the authentication process by entering the code displayed in the SMS message into the application login screen. End-users are usually allowed a certain time period before the password expires.
2. One-time password via Voice
An alternative to SMS is Voice, which uses an existing landline or cell-phone to receive a spoken password as a phone call on the user's landline or mobile number. Advantages to this method are that passwords are not stored on the user's phone, plus it allows you to reach users with limited sight. However, there’s a cost per usage associated with this solution and it requires an already established landline or mobile number to function.
Passwords are also limited to short character strings otherwise transferring the password from the call to the login screen becomes difficult for the user, or requires multiple attempts to get a match.
3. One-time password via Email
If an email account is enrolled alongside a user account, one time passwords can be sent to an email address for authentication during login. Email delivery for one time passwords is a cost-effective option, however, security and usability may be sacrificed. Email wasn’t intended to be the centre of our digital lives in the way that it is now, so it wasn’t designed with any security or privacy in mind.
91% of all cyber attacks start with email, and it’s the least secure method for Two-factor authentication. It's also dependent on users having consistent access to an email account. Users may also incur password reset requests and time-outs as they try to access their email account in order to gain access to the one-time password.
4. One-time password via post
A mail-based system works in essentially the same way as other messaging systems, but the password takes longer to be communicated to the end user. The validity of the password is therefore extended to allow for delays in transit. In banking some banks will send long printed lists of one-time passwords (called transaction authentication numbers or TANs), to organisations for them to use in business banking. The bank has a matching list of passwords stored on its computer system and passwords have to be used in sequence to ensure a match.
Lists and number grids offer cost-effective solutions for one-time passwords, but they’re slow and not very user-friendly. The user has to maintain a list of password that often has to be used in sequence, plus if your list of passwords is copied or falls into the wrong hands, them someone has all your passwords.
5. One-time password via Push notification
One-time passwords via Push are similar to SMS based one-time passwords, however, this time the automatically generated password is sent as a push notification to an App on the user’s device. Once the push notification has been sent to the app, the user then copies the code to the login screen to verify their identity. Push notification is the most cost-effective solution as it uses an existing device (e.g. the users' mobile device) and does not incur the costs of SMS messaging.
It's also one of the most secure solutions, plus its user-friendly. With modern mobile phones, you can even include a third authentication factor such as a biometric scan (e.g. fingerprint scan) to ensure really tight security. The downsides are pretty minimal too - push notifications require a dedicated app and application access is subject to cell phone loss.
6. Hybrid one-time password (the best of both worlds)
You can combine the strengths of SMS and push messaging and use a hybrid system. The password is initially sent by push notification which is fast and cost-effective, but if your user doesn’t have your app installed or is offline, the password can be sent via SMS. You could also add a third fallback option of having the password delivered via voice if push and SMS have failed for some reason.
Your default password delivery method can be whatever is most effective in keeping your costs down, but by using a hybrid solution you ensure that users can always gain access to your app, which in turn promotes better app engagement.
The average business user has 191 passwords and types an average of 8 different passwords per day. More often than not, this results in your end-users either using the same passwords for multiple accounts, writing their passwords down on post-it notes or bombarding your IT helpdesk with password reset requests - on average, password reset requests make up 10%–30% of all IT helpdesk calls.
Two-factor authentication is especially important when it comes to protecting enterprise data from cybercrime and fraud. The most important advantage addressed by OTPs is that, in contrast to static passwords, they’re not vulnerable to replay attacks.
Two-factor Authentication (in the form of one-time passwords), hardens a traditional user ID and static password system by adding another, dynamic credential. Even if your users are using the same (or similar) password for every system, your system is made less vulnerable as it’s unlikely that both layers of security would be compromised by a hacker.
There's also a third available factor, e.g. fingerprints, retina scan, voiceprint, face recognition, etc, that can be used to add another layer of security. It stands to reason that the more factors that are required to authenticate, the more secure your systems will be.
Click here for our guide on Strong Customer Authentication (SCA), a requirement for online payments by the end of 2020.
On the downside, strong one-time passwords are difficult for human beings to memorize, therefore, they require additional technology to work. For OTP systems that rely on lock-step or counter synchronisation, OTP password generators must cope with the situation where an electronic token drifts out-of-sync with its server, which leads to additional development cost. Time-synchronized systems, on the other hand, avoid this at the expense of having to maintain a clock in the electronic tokens (and an offset value to account for clock drift).
The cheapest (and best) solutions are those that deliver One-Time Passwords without the costs associated with proprietary hardware. Simple methods such as manually generated lists or number grids offer low-cost solutions, but they are slow and difficult to maintain. Users are required to carry a list of passwords around and keep track of where they are in the list.
Plus, if the list falls into the wrong hands then someone has all of your passwords. The best solutions, therefore, use an existing device, (e.g. mobile phone) and deliver one-time passwords without the costs associated with SMS messaging (i.e. push notification).
Click here to read our thoughts on Password Sharing (we know you're guilty of this too!)
To keep your corporate data safe, you need to know how to generate secure one-time passwords for strong two-factor or multi-factor authentication. You also then need to know how to distribute one-time passwords to clients or employees, so that the system you’ve created isn’t vulnerable to attack. Talk to a security expert like 10Duke to find out how to implement secure two-factor or multi-factor authentication, to keep your employees and your applications secure.
Are you a software developer looking to sell more? Learn more from our guides:
You might also be interested in:
One-time passwords can be generated in several ways and each one has trade-offs in term of security, convenience, and cost.