Re: one-time password (OTP) authentication

[Joseph Miller <joseph () tidetamerboatlifts com>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

One of the suggestions that has been talked about for using a public, 
unsecured terminal may also be feasible in certain circumstances.

1) User sends authentication request
2) Server text message's the user's phone with a one-time-use code
3) User finalizes the authentication by entering the one-time-use code

The user's password could always be the same and you could avoid complicated 
algorithms that require reliance on a one-way hash that may or may not be 
broken in the near future (SHA-1 anyone?).  The drawback is that the user 
must have a cell phone with text messaging and the user must wait a few 
minutes before authenticating.  For off-site corporate access this is a good 
idea.  For portal services such as provided by Yahoo! this is a bad idea 
because it drives users away.

- -Joseph Miller

On Sunday 19 June 2005 12:15 am, james wrote:
> Two-factor authentication (authenticating user with something they know AND
> something they possess) is becoming more and more popular due to increasing
> security requirements and the prevalence of spyware software.  However, in
> open source projects, solutions such as RSA securID, smartcards, etc. are
> not always feasible because of funding, licensing, or other constraints. 
> Here is a complete, standards-based, open source, no-hardware solution. 
> Here is a PHP implementation for generating, challenging, and
> authenticating one-time passwords according to RFC 2289.  (go to
> http://www.dcphp.com/Developers/files/otp_pub.zip to download)  Below are
> two scenarious for OTP use.
>
> Scenario A:
> Users across an organization need access to corporate resources at home, on
> the road, in airplanes, etc.  Users are many (>1000) and geographically
> distributed.  A user applies for access and is approved.  The administrator
> prints off a list of one-time passwords and delivers a hard-copy via
> physical medium (fax, phone, snail-mail, person-to-person handoff).
>
> Scenario B:
> Users self-register for a commercial (or other) website.  Once successfully
> registered, the user is given the option to generate a list of one-time
> passwords and use them for authentication in addition to their
> username/password (of course, user can ignore OTP from certain trusted
> computers, such as the one they registered from, if they trust it).  The
> user can generate new OTP's at any time once authenticated.
>
>
>
> When the user logs in, they use their username,password, and a
> one-time-password (which one depends on which one they are prompted for by
> the server).  The OTP expires immediately upon authentication.  Now, if a
> hacker intercepts all three tokens, they are still unable to perform a
> replay attack because the third token is already invalidated.  Their is a
> race condition if they are watching real-time, but this can be accounted
> for via transaction locking in the session handling code.
>
>
> --
> the brown cow
> --
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFCtsd5mXZROF+EADURAoNVAJ0fAxAAykoEeHYxBhrvJsU73Osi3QCfS06t
38le3qLyAr38wl27nqtV2yU=
=kxtp
-----END PGP SIGNATURE-----