WebApp Sec mailing list archives
Re: one-time password (OTP) authentication
From: Joseph Miller <joseph () tidetamerboatlifts com>
Date: Mon, 20 Jun 2005 09:41:11 -0400
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 One of the suggestions that has been talked about for using a public, unsecured terminal may also be feasible in certain circumstances. 1) User sends authentication request 2) Server text message's the user's phone with a one-time-use code 3) User finalizes the authentication by entering the one-time-use code The user's password could always be the same and you could avoid complicated algorithms that require reliance on a one-way hash that may or may not be broken in the near future (SHA-1 anyone?). The drawback is that the user must have a cell phone with text messaging and the user must wait a few minutes before authenticating. For off-site corporate access this is a good idea. For portal services such as provided by Yahoo! this is a bad idea because it drives users away. - -Joseph Miller On Sunday 19 June 2005 12:15 am, james wrote:
Two-factor authentication (authenticating user with something they know AND something they possess) is becoming more and more popular due to increasing security requirements and the prevalence of spyware software. However, in open source projects, solutions such as RSA securID, smartcards, etc. are not always feasible because of funding, licensing, or other constraints. Here is a complete, standards-based, open source, no-hardware solution. Here is a PHP implementation for generating, challenging, and authenticating one-time passwords according to RFC 2289. (go to http://www.dcphp.com/Developers/files/otp_pub.zip to download) Below are two scenarious for OTP use. Scenario A: Users across an organization need access to corporate resources at home, on the road, in airplanes, etc. Users are many (>1000) and geographically distributed. A user applies for access and is approved. The administrator prints off a list of one-time passwords and delivers a hard-copy via physical medium (fax, phone, snail-mail, person-to-person handoff). Scenario B: Users self-register for a commercial (or other) website. Once successfully registered, the user is given the option to generate a list of one-time passwords and use them for authentication in addition to their username/password (of course, user can ignore OTP from certain trusted computers, such as the one they registered from, if they trust it). The user can generate new OTP's at any time once authenticated. When the user logs in, they use their username,password, and a one-time-password (which one depends on which one they are prompted for by the server). The OTP expires immediately upon authentication. Now, if a hacker intercepts all three tokens, they are still unable to perform a replay attack because the third token is already invalidated. Their is a race condition if they are watching real-time, but this can be accounted for via transaction locking in the session handling code. -- the brown cow --
-----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.4 (GNU/Linux) iD8DBQFCtsd5mXZROF+EADURAoNVAJ0fAxAAykoEeHYxBhrvJsU73Osi3QCfS06t 38le3qLyAr38wl27nqtV2yU= =kxtp -----END PGP SIGNATURE-----
Current thread:
- one-time password (OTP) authentication james (Jun 18)
- RE: one-time password (OTP) authentication Lyal Collins (Jun 19)
- Re: one-time password (OTP) authentication Andrew van der Stock (Jun 19)
- Re: one-time password (OTP) authentication Joseph Miller (Jun 20)
- <Possible follow-ups>
- RE: one-time password (OTP) authentication Cyrill Osterwalder (Jun 20)
- RE: one-time password (OTP) authentication maburns (Jun 20)
- Re: one-time password (OTP) authentication Devdas Bhagat (Jun 21)
- RE: one-time password (OTP) authentication Lyal Collins (Jun 21)
- Re: one-time password (OTP) authentication Achim Hoffmann (Jun 21)
- Re: one-time password (OTP) authentication Devdas Bhagat (Jun 21)
- RE: one-time password (OTP) authentication Lyal Collins (Jun 19)
- RE: one-time password (OTP) authentication maburns (Jun 20)