Today most enterprise networks, require only a user name and static password to access personal and sensitive data. This type of single-factor authentication is very convenient, however, it’s not very secure in our modern world. Most people understand that they should use unique passwords for every online account, however, 69% of us use the same password anyway. 47% of people use a password that’s more than 5 years old and the most commonly used password, (used by a staggering 17% of people) is ‘123456’ – an eye-watering 95 Percent of People Share Up To 6 Passwords with their friends. Even if your end-users are good with passwords (they use a different strong password for every online account and never write them down anywhere) they can still be compromised by keylogging malware or man-in-the-middle attacks. So how do you protect yourself and your company’s most valuable assets from poor password hygiene or electronic eavesdropping? One way is to use ‘one-time passwords’ – disposable passwords that are only valid ‘one time’.
One-time passwords are passwords that are only valid for one login session or transaction, therefore providing protection against various password-based attacks, specifically password sniffing and replay attacks. Typically a one-time password is a series of numbers or characters that are generated automatically. For this system to work the password has to change every time it’s used, but there also needs to be some sort of synchronisation between the ever-changing password, the computer system or application being used, and the end-user. This synchronization also needs to take place without transmitting any data via insecure methods such as email.
One-time passwords can be generated in several ways and each one has trade-offs in term of security, convenience, and cost.
One approach to generating one-time passwords is to use time synchronization. Each user has a personal token (which might look like a small calculator or a keychain) with a display that shows a number that changes occasionally. Inside the personal token is a clock that’s been synchronized with the clock on the proprietary authentication server. The device and the application server both generate new one-time passwords based on a numeric version of the current time.
Time synchronised passwords don’t always have to be a perfect match and typically there’s a window where older or newer passwords will be accepted. This is done simply because it takes humans a bit of time to read and enter the OTP, so, for example, it would be unusual for a password to change every second, as the end user would not have enough time to enter the password before it becomes invalid.
The password itself is usually a hash of the current time – e.g. 16.43 becomes 1643, which is then run through a code generator and a mathematical process called a hash function (or hash code) to generate a unique 10-digit code, which is the one-time password. Time is, therefore, an important part of the password algorithm, since the generation of new passwords is based on the ‘current time’. If the clocks get too far out of step, the token won’t generate correct passwords and will need to be reset. To avoid the problem of different time zones a Unix timestamp can be used, which is a coordinated universal time.
The second method involves the computer system and the token starting with the same shared number (called a seed). Each time a new password is generated the token device increments its own internal counter, and each time you actually log in, the server also then increments it’s counter.
It’s possible to get out of step by generating passwords that aren’t used, resulting in the counter in the token advancing more than the counter on the application server. However tolerance is usually created so that things can be a little bit out of sync, and the server will (usually) automatically re-synchronize in the event that it becomes out of step. This OTP technique is called lock-step or counter synchronization, and although proprietary hardware is still required it doesn’t suffer from the disadvantage of having to keep clocks in time.
The third approach is completely different. Instead of two devices being independently responsible for their own passwords (which are then compared for validity), passwords are randomly generated by the authentication server. As this password is completely random it’s not possible for a token device to automatically stay in step, therefore the one-time password needs to be actively communicated to the end-user.
These type of disposable passwords are often referred to as “SMS-OTP” as they are most commonly sent by text message, but they can also be generated by an app or handheld electronic device (called a security token) or in some cases they may even be printed out and sent by post. When you want to authenticate, the system sends your password to you and you use the password to log in. One of the huge advantages of this method is that it eliminates the need to provide and maintain proprietary hardware.
One-time passwords can be communicated to end-users in several ways and each one has trade-offs in term of security, convenience, and cost.
This method requires a reliable, high-quality SMS service. Once the user completes the correct username and password during login, a text message with an OTP is triggered, which is sent to the mobile number registered to the user’s account. The user then completes the authentication process by entering the code displayed in the SMS message into the application login screen. End-users are usually allowed a certain time period before the password expires.
An alternative to SMS is Voice, which uses an existing landline or cell-phone to receive a spoken password as a phone call on the user’s landline or mobile number. Advantages to this method are that passwords are not stored on the user’s phone, plus it allows you to reach users with limited sight. However, there’s a cost per usage associated with this solution and it requires an already established landline or mobile number to function. Passwords are also limited to short character strings otherwise transferring the password from the call to the login screen becomes difficult for the user, or requires multiple attempts to get a match.
If an email account is enrolled alongside a user account, one time passwords can be sent to an email address for authentication during login. Email delivery for one time passwords is a cost-effective option, however, security and usability may be sacrificed. Email wasn’t intended to be the centre of our digital lives in the way that it is now, so it wasn’t designed with any security or privacy in mind. 91% of all cyber attacks start with email, and it’s the least secure method for Two-factor authentication. It’s also dependent on users having consistent access to an email account. Users may also incur password reset requests and time-outs as they try to access their email account in order to gain access to the OTP.
A mail-based system works in essentially the same way as other messaging systems, but the password takes longer to be communicated to the end user. The validity of the password is therefore extended to allow for delays in transit. Some banks will send long printed lists of one-time passwords (called transaction authentication numbers or TANs), to organisations for them to use in business banking. The bank has a matching list of passwords stored on its computer system and passwords have to be used in sequence to ensure a match.
Lists and number grids offer cost-effective solutions for one time passwords, but they’re slow and not very user-friendly. The user has to maintain a list of password that often has to be used in sequence, plus if your list of passwords is copied or falls into the wrong hands, them someone has all your passwords.
One-time passwords via Push are similar to SMS based one-time passwords, however, this time the automatically generated password is sent as a push notification to an App on the user’s device. Once the push notification has been sent to the app, the user then copies the code to the login screen to verify their identity. Push notification is the most cost-effective solution as it uses an existing device (e.g. the users’ mobile device) and does not incur the costs of SMS messaging. It’s also one of the most secure solutions, plus its user-friendly. With modern mobile phones, you can even include a third authentication factor such as a biometric scan (e.g. fingerprint scan) to ensure really tight security. The downsides are pretty minimal too – push notifications require a dedicated app and application access is subject to cell phone loss.
You can combine the strengths of SMS and push messaging and use a hybrid system. The password is initially sent by push notification which is fast and cost-effective, but if your user doesn’t have your app installed or is offline, the password can be sent via SMS. You could also add a third fallback option of having the password delivered via voice if push and SMS have failed for some reason. Your default password delivery method can be whatever is most effective in keeping your costs down, but by using a hybrid solution you ensure that users can always gain access to your app, which in turn promotes better app engagement.
The average business user has 191 passwords and types an average of 8 different passwords per day. More often than not, this results in your end-users either using the same passwords for multiple accounts, writing their passwords down on post-it notes or bombarding your IT helpdesk with password reset requests – on average, password reset requests make up 10%–30% of all IT helpdesk calls.
Two-factor authentication is especially important when it comes to protecting enterprise data from cybercrime and fraud. The most important advantage addressed by one-time passwords is that, in contrast to static passwords, they’re not vulnerable to replay attacks. Two-factor Authentication (in the form of one-time passwords), hardens a traditional user ID and static password system by adding another, dynamic credential. Even if your users are using the same (or similar) password for every system, your system is made less vulnerable as it’s unlikely that both layers of security would be compromised by a hacker. There’s also a third available factor, e.g. fingerprints, retina scan, voiceprint, face recognition, etc, that can be used to add another layer of security. It stands to reason that the more factors that are required to authenticate, the more secure your systems will be.
On the downside, strong one-time passwords are difficult for human beings to memorize, therefore, they require additional technology to work. For OTP systems that rely on lock-step or counter synchronisation, password generators must cope with the situation where an electronic token drifts out-of-sync with its server, which leads to additional development cost. Time-synchronized systems, on the other hand, avoid this at the expense of having to maintain a clock in the electronic tokens (and an offset value to account for clock drift).
The cheapest (and best) solutions are those that deliver one-time passwords without the costs associated with proprietary hardware. Simple methods such as manually generated lists or number grids offer low-cost solutions, but they are slow and difficult to maintain. Users are required to carry a list of passwords around and keep track of where they are in the list. Plus if the list falls into the wrong hands then someone has all of your passwords. The best solutions, therefore, use an existing device, (e.g. mobile phone) and deliver one-time passwords without the costs associated with SMS messaging (i.e. push notification).
To keep your corporate data safe, you need to know how to generate secure one-time passwords for strong two-factor or multi-factor authentication. You also then need to know how to distribute one time passwords to clients or employees, so that the system you’ve created isn’t vulnerable to attack. Talk to a security expert like 10Duke to find out how to implement secure two-factor or multi-factor authentication, to keep your employees and your applications secure.