Wednesday, 27 June 2018


A one-time password or one-time PIN (OTP) is a password that is valid for only one login session or transaction on a computer system or other digital device. OTPs avoid several shortcomings of traditional static password authentication; many implementations also incorporate two-factor authentication by ensuring that the one-time password requires access both to something the person has (such as a small key fob with a built-in OTP calculator, a smartcard, or a specific phone) and to something the person knows (such as a PIN).

The most important advantage of OTPs is that, in contrast to static passwords, they are not vulnerable to replay attacks. An intruder who manages to record an OTP that was already used to log in to a service or carry out a transaction cannot abuse it, because it is no longer valid. A second major advantage is that a user who uses the same (or a similar) password for multiple systems is not made vulnerable on all of them if the password for one of them is obtained by an attacker. A number of OTP systems also aim to ensure that a session cannot easily be intercepted or impersonated without knowledge of unpredictable data created during the previous session, which reduces the attack surface further.

OTPs have been discussed as possible replacements for, as well as enhancements to, traditional passwords. On the downside, OTPs are difficult for humans to memorize, so they require additional technology to work.


How OTP is generated and distributed

OTP generation algorithms typically make use of pseudorandomness or randomness, so that successful prediction of an OTP by an attacker is difficult, together with hash functions, which make it easy to derive a value but hard to recover the data it was computed from. This is necessary because otherwise it would be easy to predict future OTPs by observing previous ones. Concrete OTP algorithms vary greatly in their details. Various approaches to OTP generation are listed below:

  • Based on time synchronization between the authentication server and the client providing the password (OTPs are valid only for a short period of time)
  • Using a mathematical algorithm to generate a new password based on the previous password (the OTPs are effectively a chain and must be used in a predefined order).
  • Using a mathematical algorithm where the new password is based on a challenge (for example, a random number chosen by the authentication server, or transaction details) and/or a counter.

There are also different ways to make the user aware of the next OTP to use. Some systems use special electronic security tokens that the user carries and that generate OTPs and show them on a small display. Other systems consist of software that runs on the user's mobile phone. Yet other systems generate OTPs on the server side and send them to the user over an out-of-band channel such as SMS messaging. Finally, in some systems, OTPs are printed on paper that the user must carry.

Methods of generating OTPs

Time sync

A time-synchronized OTP is usually associated with a piece of hardware called a security token (for example, each user is given a personal token that generates a one-time password). It may look like a small calculator or a keychain charm, with an LCD that shows a number that changes periodically. Inside the token is an accurate clock that has been synchronized with the clock on the proprietary authentication server. In these OTP systems, time is an important part of the password algorithm, since the generation of a new password is based on the current time rather than, or in addition to, the previous password or a secret key. The token may be a proprietary device, or a mobile phone or similar device that runs proprietary, freeware, or open-source software. An example of a time-synchronized OTP standard is the Time-based One-time Password algorithm (TOTP).

All of the OTP delivery methods below may use time synchronization instead of algorithms.

Mathematical algorithm

Each new OTP may be created from the previous OTPs used. An example of this type of algorithm, credited to Leslie Lamport, uses a one-way function (call it f). This one-time password system works as follows:

  1. A seed (starting value) s is chosen.
  2. A hash function f(s) is applied repeatedly (for example, 1000 times) to the seed, giving f(f(f(...f(s)...))). This value, which we will call f^1000(s), is stored on the target system.
  3. The user's first login uses a password p derived by applying f 999 times to the seed, that is, f^999(s). The target system can authenticate that this is the correct password, because f(p) is f^1000(s), which is the value stored. The stored value is then replaced by p and the user is allowed to log in.
  4. The next login must be accompanied by f^998(s). Again, this can be validated because hashing it gives f^999(s), which is p, the value stored after the previous login. Again, the new value replaces p and the user is authenticated.
  5. This can be repeated another 997 times, each time the password being f applied one fewer time, and validated by checking that, when hashed, it gives the value stored during the previous login. The hash function is designed to be extremely hard to reverse, so an attacker would need to know the initial seed s to calculate the possible passwords, while the computer system can confirm that the password on any given occasion is valid by checking that, when hashed, it gives the value previously used for login. If an indefinite series of passwords is wanted, a new seed value can be chosen after the set for s is exhausted.

To get the next password in the series from the previous passwords, one needs to find a way of calculating the inverse function f^-1. Since f was chosen to be one-way, this is extremely difficult to do. If f is a cryptographic hash function, which is generally the case, it is (as far as is known) a computationally infeasible task. An intruder who happens to see a one-time password may have access for one time period or login, but it becomes useless once that period expires. The S/KEY one-time password system and its derivative OTP are based on Lamport's scheme.
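The Lamport hash chain from steps 1 to 5 above, written out as an added example (not code from the article, nor from S/KEY or OTP). SHA-256 stands in for the abstract one-way function f, the seed is a constructed demo value, and the `LamportServer`/`LamportClient` names and `enrol`/`run_demo` helpers are this example's own. It follows the text exactly: the server stores only f^1000(s), the client sends f^999(s), f^998(s), and so on down to f^1(s) for 999 logins, and a replayed password is rejected because f(p) no longer equals the stored value.

```python
import hashlib
import secrets


def f(x: bytes) -> bytes:
    """The one-way function of the text; SHA-256 stands in for the abstract f (an assumption)."""
    return hashlib.sha256(x).digest()


def iterate(x: bytes, n: int) -> bytes:
    """Apply f n times, i.e. compute f^n(x); f^0(x) is x itself."""
    for _ in range(n):
        x = f(x)
    return x


class LamportServer:
    """Target system. It stores only the current chain head f^k(s), never the seed s."""

    def __init__(self, head: bytes, logins_remaining: int):
        self.head = head
        self.logins_remaining = logins_remaining

    def login(self, p: bytes) -> bool:
        if self.logins_remaining == 0:
            return False                      # chain exhausted: a new seed must be enrolled
        if not secrets.compare_digest(f(p), self.head):
            return False                      # f(p) must equal the stored value
        self.head = p                         # stored value replaced by the password just used
        self.logins_remaining -= 1
        return True


class LamportClient:
    """User side. Holds the seed and counts the exponent down: f^999(s), f^998(s), ..., f^1(s)."""

    def __init__(self, seed: bytes, n: int):
        self.seed = seed
        self.exponent = n - 1

    def next_password(self) -> bytes:
        if self.exponent < 1:
            raise RuntimeError("chain exhausted; enrol a new seed")
        p = iterate(self.seed, self.exponent)
        self.exponent -= 1
        return p


def enrol(seed: bytes, n: int = 1000):
    """Enrolment: the server receives f^n(s) and allows n-1 logins (f^(n-1)(s) down to f^1(s))."""
    return LamportServer(iterate(seed, n), n - 1), LamportClient(seed, n)


def run_demo(n: int = 1000, seed: bytes = b"constructed demo seed, not a real secret") -> dict:
    """Walk through the logins of the text and report what the server accepted."""
    server, client = enrol(seed, n)
    p1 = client.next_password()                        # f^999(s)
    first = server.login(p1)
    replay = server.login(p1)                          # same password again: f(p1) != p1
    second = server.login(client.next_password())      # f^998(s)
    total = 2
    while server.logins_remaining:                     # the remaining 997 logins of the text
        if server.login(client.next_password()):
            total += 1
    return {"first": first, "replay": replay, "second": second, "total_logins": total}


if __name__ == "__main__":
    print(run_demo())
```

The client recomputes each password from the seed, so it must keep s secret and remember how many logins have been used; the server, by contrast, holds nothing an attacker could turn into a future password, which is the property the text attributes to the one-way function.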

In some mathematical algorithm schemes, it is possible for the user to provide the server with a static key for use as an encryption key, by sending only a one-time password.

The use of challenge-response one-time passwords requires the user to provide a response to a challenge. For example, this can be done by entering the value that the token has generated into the token itself. To avoid duplicates, an additional counter is usually involved, so if one happens to receive the same challenge twice, this still results in different one-time passwords. However, the computation does not usually involve the previous one-time password; that is, usually this or another algorithm is used, rather than both algorithms.

The token-based OTP delivery methods may use either of these types of algorithm instead of time synchronization.

OTP delivery methods

Phone

A common technology used for OTP delivery is text messaging. Because text messaging is a ubiquitous communication channel, directly available on nearly all mobile handsets and, through text-to-speech conversion, to any mobile or landline telephone, it has great potential to reach all consumers at a low total cost of implementation. However, the cost of sending a text message for each OTP may not be acceptable to some users. OTPs over text messaging may be encrypted using an A5/x standard, which several hacking groups report can be decrypted within minutes or seconds. Additionally, security flaws in the SS7 routing protocol can be and have been used to redirect the associated text messages to attackers; in 2017, several O2 customers in Germany were breached in this manner in order to gain access to their mobile banking accounts. In July 2016, the US NIST issued a draft of a special publication with guidance on authentication practices, which prohibits the use of SMS as a method of implementing out-of-band two-factor authentication, due to the ability for SMS to be intercepted at scale.

On smartphones, one-time passwords can also be delivered directly through mobile apps, including dedicated authentication apps such as Authy, Duo, and Google Authenticator, or within a service's existing app, as in the case of Steam. These systems do not share the same security vulnerabilities as SMS, and do not necessarily require a connection to a mobile network to be used, since they are internet-based.

Proprietary tokens

EMV is starting to use a challenge-response algorithm (called "Chip Authentication Program") for credit cards in Europe. On the other hand, in access control for computer networks, SecurID from RSA Security is one example of the time-synchronization type of token, along with those from HID Global. Like all tokens, these may be lost, damaged, or stolen; in addition there is the inconvenience of batteries dying, especially for tokens without a recharging facility or with a non-replaceable battery. A variant of the proprietary token was proposed by RSA in 2006 and was described as "ubiquitous authentication", in which RSA would partner with manufacturers to add physical SecurID chips to devices such as mobile phones.

Recently, it has become possible to take the electronic components associated with regular keyfob OTP tokens and embed them in a credit card form factor. However, the thinness of the cards, at 0.79 mm to 0.84 mm thick, prevents standard components or batteries from being used. Special polymer-based batteries must be used, which have a much shorter battery life than coin (button) cells. The semiconductor components must not only be very flat but must also minimize the power used in standby and while operating.

Yubico offers a small USB token with an embedded chip that creates an OTP when a button is pressed and simulates a keyboard to make it easy to enter a long password. Since it is a USB device, it avoids the inconvenience of battery replacement.

A new version of this technology has been developed that embeds a keypad into a payment card of standard size and thickness. The card has an embedded keypad, display, microprocessor and proximity chip.

Web-based methods

Authentication-as-a-service providers offer various web-based methods for delivering one-time passwords without the need for tokens. One such method relies on the user's ability to recognize pre-chosen categories from a randomly generated grid of pictures. When first registering on a website, the user chooses several secret categories of things, such as dogs, cars, boats and flowers. Each time the user logs in to the website, they are presented with a randomly generated grid of pictures, each overlaid with a randomly generated alphanumeric character. The user looks for the pictures that fit their pre-chosen categories and enters the associated alphanumeric characters to form a one-time access code.

Hardcopy

In some countries' online banking, the bank sends the user a numbered list of OTPs printed on paper. Other banks send plastic cards with actual OTPs obscured by a layer that the user has to scratch off to reveal a numbered OTP. For every online transaction, the user is required to enter a specific OTP from that list. Some systems ask for the numbered OTPs sequentially; others pseudo-randomly choose the OTP to be entered. In Germany and many other countries such as Austria and Brazil, these OTPs are typically called TANs (for 'transaction authentication numbers'). Some banks even send such TANs to the user's mobile phone via SMS, in which case they are called mTANs (for 'mobile TANs').
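An added example of the server side of such a printed TAN list (this is illustrative code, not any bank's implementation). The `TanList` class, its `sequential` switch and the hashed-storage design are assumptions of this example: the bank keeps only SHA-256 hashes of the printed TANs, asks for them either in order or at a pseudo-random position as the text describes, and marks each one used so that a TAN entered twice is refused.

```python
import hashlib
import secrets


def generate_tan_list(count: int = 10, digits: int = 6) -> list:
    """Bank side: produce the numbered list that is printed on paper (or under the scratch-off layer)."""
    return [str(secrets.randbelow(10 ** digits)).zfill(digits) for _ in range(count)]


class TanList:
    """Server-side record of one customer's printed TAN list.

    Only SHA-256 hashes of the TANs are kept (a design choice assumed here, so a leaked
    database does not expose unused TANs), and each numbered TAN is accepted once.
    """

    def __init__(self, tans: list, sequential: bool):
        self.hashes = [hashlib.sha256(t.encode()).hexdigest() for t in tans]
        self.used = [False] * len(tans)
        self.sequential = sequential

    def unused_indices(self) -> list:
        return [i for i, u in enumerate(self.used) if not u]

    def challenge(self) -> int:
        """Which TAN number (1-based, as printed) to ask the customer for."""
        unused = self.unused_indices()
        if not unused:
            raise RuntimeError("TAN list exhausted: issue a new list to the customer")
        return (unused[0] if self.sequential else secrets.choice(unused)) + 1

    def verify(self, number: int, tan: str) -> bool:
        """Check TAN `number` for one transaction and burn it on success."""
        idx = number - 1
        if idx < 0 or idx >= len(self.hashes) or self.used[idx]:
            return False                               # unknown or already used: a replay
        if self.sequential and idx != self.unused_indices()[0]:
            return False                               # sequential lists are consumed in order
        digest = hashlib.sha256(tan.encode()).hexdigest()
        if not secrets.compare_digest(digest, self.hashes[idx]):
            return False
        self.used[idx] = True
        return True


if __name__ == "__main__":
    printed = generate_tan_list()                      # constructed list for the demo
    bank = TanList(printed, sequential=False)
    n = bank.challenge()
    print("bank asks for TAN no.", n, "-> accepted:", bank.verify(n, printed[n - 1]))
    print("same TAN again -> accepted:", bank.verify(n, printed[n - 1]))
```

The random-position variant limits what a phished TAN is worth: a stolen but unused TAN only helps an attacker if the bank happens to ask for that very number, whereas with a sequential list the next TAN to be requested is always known.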

Technology comparison

Comparison of OTP implementations

The cheapest OTP solutions are those that deliver OTPs on paper, and those that generate OTPs on an existing device, without the costs associated with (re-)issuing proprietary electronic security tokens and SMS messaging.

For systems that rely on electronic tokens, algorithm-based OTP generators must cope with the situation where a token drifts out of sync with its server if the system requires the OTP to be entered by a deadline. This leads to additional development costs. Time-synchronized systems, on the other hand, avoid this at the expense of having to maintain a clock in the electronic tokens (and an offset value to account for clock drift). Whether or not the OTP is time-synchronized is basically irrelevant to the degree of vulnerability, but it avoids the need to re-enter passwords if the server is expecting the last or next code that the token should have because the server and token have drifted out of sync.

Using existing mobile devices avoids the need to obtain and carry additional OTP generators. Their batteries can be recharged; as of 2011 most small card devices do not have rechargeable, or indeed replaceable, batteries. However, most proprietary tokens have tamper-proof features.

OTP versus other methods to secure data

One-time passwords are vulnerable to social engineering attacks in which phishers steal OTPs by tricking customers into providing one or more OTPs that they used in the past. In late 2005 customers of a Swedish bank were tricked into giving up their one-time passwords. In 2006 this type of attack was used on customers of a US bank. Even time-synchronized OTPs are vulnerable to phishing, by two methods. The password may be used as quickly by the attacker as by the legitimate user, if the attacker can obtain the OTP in plaintext quickly enough. The other type of attack - which may be defeated by OTP systems implementing the hash chain discussed above - is for the phisher to use the information obtained through this social engineering method (past OTP codes that are no longer valid) to predict which OTP codes will be used in the future. For example, an OTP generator that is pseudo-random rather than truly random might or might not be able to be compromised, because pseudo-random numbers are often predictable once one has the past OTP codes. An OTP system can only use truly random OTPs if the OTP is generated by the authenticator and transmitted (presumably out-of-band) to the user; otherwise, the OTP must be independently generated by each party, which requires a repeatable, and therefore merely pseudo-random, algorithm.

Although OTPs are in some ways more secure than a static memorized password, users of OTP systems are still vulnerable to man-in-the-middle attacks. OTPs should therefore not be disclosed to any third party, and using an OTP as one layer in layered security is safer than using an OTP alone; one way to implement layered security is to use an OTP in combination with a password that is memorized by the user (and never transmitted to the user, as OTPs often are). An advantage of layered security is that a single sign-on combined with one master password or a password manager becomes safer than using only one layer of security during sign-on, and so the inconvenience of password fatigue is avoided for someone who usually has long sessions with many passwords that would need to be entered mid-session (to open different documents, websites, and applications). The disadvantage of using many forms of security at once during a single sign-on is that one has the inconvenience of more security precautions during every login, even when logging in only for a brief use of the computer to access information or an application that does not require as much security as some of the other, more sensitive things the computer is used for. See also Related technology, below.

Related technology

More often than not, a one-time password is an embodiment of two-factor authentication (2FA or T-FA). 2FA is a form of layered security in which it is unlikely that both layers would be compromised by someone using only one type of attack.

Some single sign-on solutions utilize a one-time password.

One-time password technology is often used with security tokens.

Standardization

Many OTP technologies are patented. This makes standardization in this area more difficult, as each company tries to push its own technology. Standards do, however, exist - for example, RFC 1760 (S/KEY), RFC 2289 (OTP), RFC 4226 (HOTP) and RFC 6238 (TOTP).

See also

  • Google Authenticator
  • FreeOTP
  • Initiative For Open Authentication (OATH)
  • KYPS (one-time pad based OTP system)
  • One time pad (OTP)
  • OTPW
  • S/KEY
  • Security Token
  • Two-factor authentication

Source of the article: Wikipedia
