One Time Password: A Specific Security Measure for Specific Situations
Nowadays, most people have numerous online accounts and therefore need to remember a different password for each of them. Keeping dozens of unique passwords in one's head is a headache, and it pushes people toward weak or reused passwords.
Moreover, if you are running a business, employees in your company's finance department handle payments and bank transfers over the internet on a daily basis, so a password that is phished, guessed or leaked from another site can be reused by an attacker to move money.
Luckily, one time passwords (OTP for short) limit the damage a stolen static password can do: the attacker also needs a code that is valid only once and only for a short time. If you think your business needs stronger authentication, let's look at what OTPs are, how they help, and what risks remain.
What is a One Time Password?
One Time Passwords are short codes, typically six to eight digits, that are valid for a single login and for a limited time. They are generated by a hardware token (a key fob or card with a small LCD display) or by an app on the user's phone from a secret that the token and the authentication server share. The user types the code into the system where they wish to authenticate, and that system forwards it to an authentication server, which computes the expected code from the same shared secret and the same counter or time step.
If the submitted code matches the expected one, you gain access. If that OTP is later stolen or re-entered by someone else, authentication fails: a time-based code changes after every time step (30 or 60 seconds is typical), and a properly built server additionally refuses to accept the same code or time step twice, so a captured code cannot be replayed even within its validity window.
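The generation and verification steps described above, as an added worked example that is not part of the original article. It implements the two standard OTP constructions, counter-based HOTP (RFC 4226) and time-based TOTP (RFC 6238), and checks them against the test vectors published in those RFCs (the shared secret `12345678901234567890` is the one used in the RFC test tables). The `OtpVerifier` class is my own illustration of the server side: it allows one time step of clock skew in either direction and remembers the last accepted time step so that a replayed code is rejected even while it is still "fresh".

```python
import hashlib
import hmac
import struct

# Shared secret from the RFC 4226 / RFC 6238 test vectors (ASCII bytes).
# A real deployment generates a random per-user secret when the token is enrolled.
RFC_TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6, digestmod=hashlib.sha1) -> str:
    """HMAC-based OTP (RFC 4226): HMAC(secret, counter) -> dynamic truncation -> decimal code."""
    msg = struct.pack(">Q", counter)                  # 8-byte big-endian counter
    mac = hmac.new(secret, msg, digestmod).digest()
    offset = mac[-1] & 0x0F                           # low nibble of last byte picks the window
    code = ((mac[offset] & 0x7F) << 24                # clear the sign bit
            | mac[offset + 1] << 16
            | mac[offset + 2] << 8
            | mac[offset + 3])
    return str(code % (10 ** digits)).zfill(digits)   # keep leading zeros


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6,
         digestmod=hashlib.sha1) -> str:
    """Time-based OTP (RFC 6238): HOTP with the counter set to floor(time / step)."""
    return hotp(secret, int(unix_time) // step, digits, digestmod)


class OtpVerifier:
    """Server-side check for TOTP codes with skew tolerance and replay rejection.

    This class is an illustration of the verifier logic, not code from any product.
    """

    def __init__(self, secret: bytes, step: int = 30, digits: int = 6, window: int = 1):
        self.secret = secret
        self.step = step
        self.digits = digits
        self.window = window              # accept +/- this many time steps of clock drift
        self.last_accepted_step = -1      # highest time step already used for a login

    def verify(self, code: str, now: int) -> bool:
        current = int(now) // self.step
        for delta in range(-self.window, self.window + 1):
            candidate = current + delta
            # Anything at or before the last accepted step is a replay (or too old): skip it.
            if candidate <= self.last_accepted_step:
                continue
            expected = hotp(self.secret, candidate, self.digits)
            if hmac.compare_digest(expected, code):   # constant-time comparison
                self.last_accepted_step = candidate
                return True
        return False


def demo() -> dict:
    """Walk through a login, a replay attempt and a fresh code one step later."""
    v = OtpVerifier(RFC_TEST_SECRET, digits=8)
    first_code = totp(RFC_TEST_SECRET, 59, digits=8)          # RFC 6238 vector: "94287082"
    return {
        "first_login": v.verify(first_code, 59),               # fresh code, accepted
        "replay_same_step": v.verify(first_code, 59),          # same code again, rejected
        "replay_next_step": v.verify(first_code, 89),          # still within skew window, rejected
        "fresh_next_step": v.verify(totp(RFC_TEST_SECRET, 89, digits=8), 89),
    }


if __name__ == "__main__":
    for n in range(3):
        print("HOTP counter", n, "->", hotp(RFC_TEST_SECRET, n))
    print("TOTP at t=59 (8 digits) ->", totp(RFC_TEST_SECRET, 59, digits=8))
    print(demo())
```

The replay check is the part the article's "re-entered by a different person" sentence depends on: without `last_accepted_step`, a code captured by a phishing page or shoulder-surfer stays usable for the whole skew window, which with `window=1` and 30-second steps is up to 90 seconds.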
A One Time Password is usually combined with a second factor: most often the user first enters their normal password, or their user name from the corporate directory, and only then proceeds to authenticate with the OTP.
Alternatively the user can be asked to enter a PIN that was issued to them earlier, before the token will display an OTP. Some hardware tokens also plug into the computer's USB port and are verified by the system before the user name and password are accepted.
Another option is to generate the OTP on the server and send it to the user's cell phone via SMS. The user reads the message and types the code into the system. Be aware that SMS is the weakest delivery channel: codes can be intercepted through SIM-swap fraud or SS7 attacks, and NIST SP 800-63B classifies SMS as a "restricted" authenticator for that reason. Clearly there is a multitude of options when it comes to strengthening authentication with One Time Passwords; they differ mainly in how hard the second factor is to steal.
Different ways of generating an OTP
- Hardware-based OTP tokens are dedicated devices such as key fobs, USB tokens or smart cards with a small LCD screen on which the generated OTP is displayed. Some of these devices also have a keypad, for example digits 0 to 9, so the user must enter a PIN before the token will generate the OTP.
Some devices also carry a digital certificate that can be verified by the computer over a USB interface. The biggest advantage of hardware tokens is that the user must physically have the device whenever they access corporate systems, and the secret never leaves it, which makes remote compromise of the secret much harder than with a software token.
Such tokens are small and portable, so you can carry them everywhere. However, users should be aware that maintaining these tokens involves some cost, and additional costs arise when replacing lost or damaged tokens. Some tokens must also be replaced after a fixed lifetime, for example when the built-in battery runs out.
- Besides hardware tokens, vendors can use the cell phones users already carry to create the One Time Password. There are two ways to do this: either through an authenticator application installed on the mobile device, which generates the code locally from a secret provisioned at enrollment, or by sending the One Time Password to the user's cellphone as an SMS, which the user then enters to authenticate to a specific corporate application.
Another benefit of mobile-based OTP tokens is that you save the money you would otherwise invest in hardware token devices, since most employees already have a mobile phone. Having said this, the per-user license cost of the OTP product still applies.
You can also employ OTP tokens on a much larger scale to authenticate customers. The downsides are that the vendor's app may not support every mobile operating system in use, that SMS delivery costs money for every message sent, and that a code generated on a phone is only as safe as the phone (malware on the device can read SMS messages or the app's secret).
Other ways to use One Time Passwords include digital certificates, browser-based software authenticators on a PC, codes delivered by email, PKI-based authentication, and so on.
Authentication Servers / OTP Management Applications:
Wherever there are OTP tokens, there must also be a verifier that checks the One Time Passwords the tokens produce. This is usually an authentication server, which can be a hardware appliance or a software application. PINs typed by users on the OTP devices, where the scheme uses them, are also checked by these authentication servers before the user is cleared to proceed with a One Time Password.
In most cases, the authentication server computes the expected One Time Password from the user's shared secret together with either the current time (time-based OTP, TOTP) or an event counter that advances on every use (counter-based OTP, HOTP); both are HMAC-based constructions, so the security rests on keeping the per-user secret confidential on the server. These authentication servers integrate with corporate directories such as LDAP/AD and usually provide a web-based management interface for administration.
Some vendors also provide extra applications that make managing and administering One Time Passwords much easier. Suppose someone left their OTP token at home: they could go to the vendor's web-based management application and request that a One Time Password be sent to their cellphone via SMS or to their email address, just for that one occasion. Keep in mind that such a fallback temporarily lowers the assurance of the second factor to that of the fallback channel, so it should be logged, rate-limited and restricted to verified users.
These applications can also be used to reset a PIN online and issue a new one if the user has forgotten it. Damaged or lost OTP tokens can likewise be reported through the application so that administrators can revoke them and issue replacements; revoking a lost token promptly matters, since the finder otherwise holds a working second factor.
In conclusion, if you want to protect your most valuable data and keep your business safe, One Time Passwords are a well-established and cost-effective way to add a second factor on top of passwords. They are not a cure-all: a code typed into a phishing site can be relayed to the real service in real time, so for the highest-value accounts consider phishing-resistant authenticators as well.