One-time password or an OTP is a password that is only valid one time. A one-time password is a form of authentication that can be used to enhance security and support strong authentication. This article will explain the basics of one-time password solutions and how ISVs can implement them in order to enhance a user’s security and support strong authentication.
Today most enterprise networks require only a user name and static password to access personal and sensitive data. This type of single-factor authentication is very convenient, however, it’s not very secure in our modern world. Most people understand that they should use unique passwords for every online account. Yet, 69% of us use the same password anyway and 95% of people share up to 6 passwords with their friends.
Even if your end-users are good with passwords (they use a different strong password for every online account and never write them down anywhere) they can still be compromised by keylogging malware or man-in-the-middle attacks.
To protect yourself and your company's most valuable assets from poor password hygiene or electronic eavesdropping, a one-time password can be used, which is a disposable password that is only valid ‘one time’.
What is a one-time password (OTP)?
One-time password solutions are examples of passwords that are only valid for one login session or transaction, therefore providing protection against various password-based attacks, specifically password sniffing and replay attacks. An example of a one-time password authenticator is a password with a series of numbers or characters that are generated automatically.
For this system to work the password has to change every time it's used, but there also needs to be some sort of synchronisation between the ever-changing password, the computer system or application being used, and the end-user. This synchronization also needs to take place without transmitting any data via insecure methods such as email.
OTP vs Static Password
A static password is the other common form of password: the user creates their own password and must remember it whenever they wish to log in. It remains the same until changed, so if the user forgets it they cannot log in and will most likely need to reset it or call on an IT support team to regain access.
The biggest issue with static passwords is that they are highly susceptible to phishing and brute-force attacks. Static passwords need to be strong, and the same password shouldn’t be reused across different logins; unfortunately, users tend not to have the best password hygiene, which makes them far more vulnerable to attackers.
Benefits of OTP
For the end-user
The biggest and most obvious benefit of an OTP is the fact that it reduces the chance of being hacked or digitally attacked, when compared to a static password that doesn’t change. Additionally, it prevents repeat attacks as an OTP isn’t valid for future use or logins. One-time passwords can help you feel secure, even if you are accessing your data on a public computer, or whilst you are on an unsecured WiFi network.
For the software provider
In our blog about Strong Passwords, we mention that one of the best forms of password hygiene is for end-users to not use the same password on multiple sites. However remembering multiple passwords can be difficult, and at times they will need to reset their passwords and might even need help from IT support to gain access to their accounts. However, OTPs help businesses reduce the need for manual admin and improve security. This helps businesses, as IT teams can focus on other parts of the business, and it can help users as the process of gaining access to an account with an OTP is much faster than resetting a password.
How are one-time passwords synchronized?
OTPs can be generated in several ways and each one has trade-offs in terms of security, convenience, and cost.
1. Time synchronization
One approach to generating OTPs is to use time synchronization. Each user has a personal token (which might look like a small calculator or a keychain) with a display that shows a number that changes occasionally. Inside the personal token is a clock that’s been synchronized with the clock on the proprietary authentication server. The device and the application server both generate a new one-time password based on a numeric version of the current time.
Time synchronised passwords don’t always have to be a perfect match and typically there’s a window where older or newer passwords will be accepted. This is done simply because it takes humans a bit of time to read and enter a one-time password, so, for example, it would be unusual for a password to change every second, as the end user would not have enough time to enter the password before it becomes invalid.
The password itself is usually derived from the current time - e.g. 16:43 becomes 1643 - which is then run through a code generator and a mathematical process called a hash function to produce a unique 10-digit code, and that code is the OTP.
Time is, therefore, an important part of the password algorithm, since the generation of new passwords is based on the ‘current time’. If the clocks get too far out of step, the token won't generate correct passwords and will need to be reset. To avoid the problem of different time zones a Unix timestamp can be used, which is a coordinated universal time.
2. Counter synchronization
The second method involves the computer system and the token starting with the same shared number (called a seed). Each time a new password is generated the token device increments its own internal counter, and each time you actually log in, the server also increments its counter.
It’s possible to get out of step by generating passwords that aren’t used, resulting in the counter in the token advancing more than the counter on the application server. However, tolerance is usually created so that things can be a little bit out of sync, and the server will (usually) automatically re-synchronize in the event that it becomes out of step.
This OTP technique is called lock-step or counter synchronization, and although proprietary hardware is still required it doesn't suffer from the disadvantage of having to keep clocks in time.
3. Transmission-based OTP
The third approach is completely different. Instead of two devices being independently responsible for their own passwords (which are then compared for validity), passwords are randomly generated by the authentication server. As this password is completely random it’s not possible for a token device to automatically stay in step, therefore the one-time password authenticator needs to be actively communicated to the end-user.
These types of disposable passwords are often referred to as "SMS-OTP" as they are most commonly sent by text message, but they can also be generated by an app or handheld electronic device (called a security token) or in some cases they may even be printed out and sent by post. When you want to authenticate, the system sends your password to you and you use the password to log in. One of the huge advantages of this method is that it eliminates the need to provide and maintain proprietary hardware.
How are one-time passwords transmitted?
1. One-time password via SMS message
This method requires a reliable, high-quality SMS service. Once the user enters the correct username and password during login, a text message with an OTP is triggered and sent to the mobile number registered to the user's account. The user then completes the authentication process by entering the code displayed in the SMS message into the application login screen. End-users are usually allowed a certain time period before the password expires.
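The transmission-based scheme (section 3 above) and the SMS flow just described share one server-side shape regardless of channel: draw a random code, hand it to a delivery function, then verify it within an expiry period, once only, and with a cap on wrong guesses. The following is an added example for this page, not code from 10Duke or any product. The delivery channel is an injected callable (an SMS gateway in the text; here a constructed stand-in that just records what was "sent"), the five-minute validity and five-attempt limit are assumptions, and the server-side pepper key is a constructed placeholder.

```python
"""Server-generated one-time passwords: random issue, channel-agnostic
delivery, and verification with expiry, single use and an attempt limit."""
import hashlib
import hmac
import secrets
import time

CODE_LENGTH = 6
TTL_SECONDS = 300     # assumption: code valid for five minutes
MAX_ATTEMPTS = 5      # assumption: lock the code after five wrong guesses
# Placeholder pepper; a real server loads this from a secret store.
SERVER_KEY = b"constructed-demo-pepper-not-for-production"


def _digest(user: str, code: str) -> bytes:
    """Keyed hash of user+code. Storing this instead of the code means a
    leaked table cannot be read directly; the key stops offline guessing of
    a six-digit space, which a plain hash alone would not."""
    return hmac.new(SERVER_KEY, f"{user}:{code}".encode(), hashlib.sha256).digest()


class OtpStore:
    """Pending codes keyed by user. `now` is injectable so expiry is testable."""

    def __init__(self, now=time.time):
        self.now = now
        self._pending = {}   # user -> {"digest", "expires", "attempts"}

    def issue(self, user: str, deliver) -> str:
        # secrets, not random: the code must be unpredictable to an attacker
        code = "".join(secrets.choice("0123456789") for _ in range(CODE_LENGTH))
        self._pending[user] = {
            "digest": _digest(user, code),
            "expires": self.now() + TTL_SECONDS,
            "attempts": 0,
        }
        deliver(user, code)   # SMS / voice / email / push: the store doesn't care
        return code           # returned only so the demo can exercise verify()

    def verify(self, user: str, code: str) -> str:
        entry = self._pending.get(user)
        if entry is None:
            return "no_pending"
        if self.now() > entry["expires"]:
            del self._pending[user]
            return "expired"
        entry["attempts"] += 1
        if entry["attempts"] > MAX_ATTEMPTS:
            del self._pending[user]       # too many guesses: force a fresh code
            return "locked"
        if hmac.compare_digest(entry["digest"], _digest(user, code)):
            del self._pending[user]       # single use: a replay finds nothing
            return "ok"
        return "wrong"


if __name__ == "__main__":
    outbox = []   # constructed stand-in for an SMS gateway
    store = OtpStore()
    code = store.issue("alice", lambda u, c: outbox.append((u, c)))
    print("delivered:", outbox)
    print("first use:", store.verify("alice", code))
    print("replay:", store.verify("alice", code))
```

Every failure path deletes the pending entry, so a user who hits a limit or expiry must request a new code, and the verifier's answer depends only on server-held state, never on anything in the delivered message beyond the code itself.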
2. One-time password via Voice
An alternative to SMS is Voice, which uses an existing landline or cell-phone to receive a spoken password as a phone call on the user's landline or mobile number. Advantages to this method are that passwords are not stored on the user's phone, plus it allows you to reach users with limited sight. However, there’s a cost per usage associated with this solution and it requires an already established landline or mobile number to function.
Passwords are also limited to short character strings otherwise transferring the password from the call to the login screen becomes difficult for the user, or requires multiple attempts to get a match.
3. One-time password via Email
If an email account is enrolled alongside a user account, one-time passwords can be sent to an email address for authentication during login. Email delivery for one-time passwords is a cost-effective option, however, security and usability may be sacrificed. Email wasn’t intended to be the centre of our digital lives in the way that it is now, so it wasn’t designed with any security or privacy in mind.
94% of malware is delivered via email, and it’s the least secure method for Two-factor authentication. It's also dependent on users having consistent access to an email account. Users may also incur password reset requests and time-outs as they try to access their email account in order to gain access to the one-time password.
4. One-time password via post
A mail-based system works in essentially the same way as other messaging systems, but the password takes longer to be communicated to the end-user. The validity of the password is therefore extended to allow for delays in transit. In banking some banks will send long printed lists of one-time passwords (called transaction authentication numbers or TANs), to organisations for them to use in business banking. The bank has a matching list of passwords stored on its computer system and passwords have to be used in sequence to ensure a match.
Lists and number grids offer cost-effective solutions for OTPs, but they’re slow and not very user-friendly. The user has to maintain a list of passwords that often has to be used in sequence, plus if your list of passwords is copied or falls into the wrong hands, then someone has all your passwords.
5. One-time password via Push notification
One-time passwords via Push are similar to SMS based one-time passwords, however, this time the automatically generated password is sent as a push notification to an App on the user’s device. Once the push notification has been sent to the app, the user then copies the code to the login screen to verify their identity. Push notification is the most cost-effective solution as it uses an existing device (e.g. the users' mobile device) and does not incur the costs of SMS messaging.
It's also one of the most secure solutions, plus it's user-friendly. With modern mobile phones, you can even include a third authentication factor such as a biometric scan (e.g. fingerprint scan) to ensure really tight security. The downsides are pretty minimal too - push notifications require a dedicated app and application access is subject to cell phone loss.
6. Hybrid one-time password (the best of both worlds)
You can combine the strengths of SMS and push messaging and use a hybrid system. The password is initially sent by push notification which is fast and cost-effective, but if your user doesn’t have your app installed or is offline, the password can be sent via SMS. You could also add a third fallback option of having the password delivered via voice if push and SMS have failed for some reason.
Your default password delivery method can be whatever is most effective in keeping your costs down, but by using a hybrid solution you ensure that users can always gain access to your app, which in turn promotes better app engagement.
KnowBe4 reports that an employee manages about 200 passwords, and it also reports that on average an employee may have 27 passwords. More often than not, this results in your end-users either using the same passwords for multiple accounts, writing their passwords down on post-it notes or bombarding your IT helpdesk with password reset requests - on average, password reset requests take up 31%–40% of all IT helpdesk’s time.
Two-factor authentication is especially important when it comes to protecting enterprise data from cybercrime and fraud. The most important advantage addressed by OTPs is that, in contrast to static passwords, they’re not vulnerable to replay attacks.
Two-factor authentication (in the form of OTPs) hardens a traditional user ID and static password system by adding another, dynamic credential. Even if your users are using the same (or similar) password for every system, your system is made less vulnerable, as it’s unlikely that both layers of security would be compromised by an attacker.
There's also a third available factor, e.g. fingerprints, retina scan, voiceprint, face recognition, etc, that can be used to add another layer of security. It stands to reason that the more factors that are required to authenticate, the more secure your systems will be.
On the downside, strong one-time passwords are difficult for human beings to memorize, therefore, they require additional technology to work. For OTP systems that rely on lock-step or counter synchronisation, OTP password generators must cope with the situation where an electronic token drifts out-of-sync with its server, which leads to additional development cost. Time-synchronized systems, on the other hand, avoid this at the expense of having to maintain a clock in the electronic tokens (and an offset value to account for clock drift).
The cheapest (and best) solutions are those that deliver one-time passwords without the costs associated with proprietary hardware. Simple methods such as manually generated lists or number grids offer low-cost solutions, but they are slow and difficult to maintain. Users are required to carry a list of passwords around and keep track of where they are in the list.
Plus, if the list falls into the wrong hands then someone has all of your passwords. The best solutions, therefore, use an existing device, (e.g. mobile phone) and deliver one-time passwords without the costs associated with SMS messaging (i.e. push notification).
To keep your corporate data safe, you need to know how to generate secure one-time passwords for strong two-factor or multi-factor authentication. You also then need to know how to distribute one-time passwords to clients or employees, so that the system you’ve created isn’t vulnerable to attack.
10Duke offers OTPs and multi-factor authentication as part of our software licensing and customer identity and access management solutions. To keep your applications and end users secure, get in touch or learn more about 10Duke products.