WebApp Sec mailing list archives
Re: one-time password (OTP) authentication
From: Andrew van der Stock <vanderaj () greebo net>
Date: Sun, 19 Jun 2005 23:23:02 +1000
OTP and other forms of "strong" authentication (time based key fobs, USB tokens, smart cards, certificates, etc) are all subject to MITM attacks as the token can be re-used for another unauthorized transaction within the validity window.
If the user gets a dialog that looks reasonable and says "yep, allow the cert to be used" or "yep, allow the USB token to issue a code", the attacker still has a valid token which they can use if they have the browser wired up or trojaned. Plus they have a user interface which could be copied (think XUL or XAML or the Apple "please type the admin password" dialog).
The only way around this is transaction signing where the user keys in something (say the transaction ID or balance or something) and that changes the OTP output making it relevant to only the application which needs that output.
I like the transaction signing token to be completely separate to the client machine as we can't trust the client machine. Not only is the client machine under the control of a user (who may or may not be our friend), there's spyware and other rubbish on there which compromise the trust base.
Connecting tokens via IrDA, USB or Bluetooth may seem like a cool idea, but honestly, it reduces the security of the solution in my opinion. Plus anything with local drivers is a support nightmare.
Andrew
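The point Andrew makes about a plain OTP versus transaction signing, as an added example that is not part of his post: a time-window code depends only on the secret and the clock, so a code captured for one transaction still verifies for a different one inside the validity window, whereas a code that mixes the keyed-in transaction details into the HMAC only verifies for the transaction it was generated for. The shared secret, the transaction strings and the timestamp are constructed for the demo; the truncation follows RFC 4226.

```python
import hashlib
import hmac
import struct

# Constructed shared secret for the demo; a real token carries a per-device secret.
SECRET = b"constructed-demo-secret-0123456789"
STEP = 30  # validity window in seconds, as on a time-based key fob

def _truncate(mac: bytes, digits: int = 6) -> str:
    """RFC 4226 dynamic truncation of an HMAC-SHA1 digest to a short decimal code."""
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def time_otp(secret: bytes, now: int) -> str:
    """Plain time-based OTP: the code depends only on the secret and the time window."""
    mac = hmac.new(secret, struct.pack(">Q", now // STEP), hashlib.sha1).digest()
    return _truncate(mac)

def signing_otp(secret: bytes, now: int, transaction: str) -> str:
    """Transaction-signing OTP: the details the user keys into the token (here the
    destination account and amount) become part of the HMAC input, so the code is
    only valid for that exact transaction in that window."""
    msg = struct.pack(">Q", now // STEP) + transaction.encode("utf-8")
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    return _truncate(mac)

def verify_time_otp(secret: bytes, code: str, now: int) -> bool:
    return hmac.compare_digest(time_otp(secret, now), code)

def verify_signing_otp(secret: bytes, code: str, now: int, transaction: str) -> bool:
    return hmac.compare_digest(signing_otp(secret, now, transaction), code)

def replay_within_window(now: int) -> dict:
    """The user authorises transaction A; the same code is then presented a few
    seconds later, inside the same validity window, for a different transaction B."""
    legit = "to=ACC-1001;amount=50.00"      # transaction the user intended
    altered = "to=ACC-9999;amount=5000.00"  # different transaction, same window
    plain = time_otp(SECRET, now)
    signed = signing_otp(SECRET, now, legit)
    return {
        # A plain OTP says nothing about the transaction, so it is accepted for either.
        "plain_otp_accepted_for_altered": verify_time_otp(SECRET, plain, now + 5),
        # A transaction-bound code only verifies against the transaction it signed.
        "signed_otp_accepted_for_legit": verify_signing_otp(SECRET, signed, now + 5, legit),
        "signed_otp_accepted_for_altered": verify_signing_otp(SECRET, signed, now + 5, altered),
    }
if __name__ == "__main__":
    print(replay_within_window(1_119_187_382))  # constructed timestamp
```

The server side must of course compare against the transaction it actually received, not one echoed back by the client, which is why the token itself has to stay off the untrusted machine.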