WebApp Sec mailing list archives
RE: one-time password (OTP) authentication
From: maburns () safenet-inc com
Date: Mon, 20 Jun 2005 17:19:08 -0700
With two-factor authentication the "something they have" is a physical device; therefore it must be present to log on, and only the original owner would have the physical device, in this case the USB token.

-----Original Message-----
From: james [mailto:james () tlhenterprises net]
Sent: Monday, June 20, 2005 4:58 PM
To: james () tlhenterprises net; webappsec () securityfocus com; maburns () safenet-inc com
Subject: RE: one-time password (OTP) authentication

The list is the something they have, *not* the something they know. In addition to using it to authenticate, they also must have their regular username/password, which should not be written down anywhere.

---------- Original Message ----------------------------------
From: maburns () safenet-inc com
Date: Mon, 20 Jun 2005 13:21:14 -0700
Regardless of saving the money on a two-factor USB token, which ranges from $29-$55, I think this approach mentioned is so insecure... "The administrator prints off a list of one-time passwords and delivers a hard-copy via physical medium (fax, phone, snail-mail, person-to-person handoff)"
The power of two-factor authentication is that nothing is written down, which is part of the reason passwords are so insecure. Two-factor authentication is 1) "something physical only the user has", like a USB key, which is the same as an ATM card, and 2) a "PIN # that only the user knows". This is not difficult to implement; there are SDKs available, and users trust their ATM cards, so making the jump to a USB token would not be too difficult.

Mary Ann

-----Original Message-----
From: james [mailto:james () tlhenterprises net]
Sent: Saturday, June 18, 2005 9:16 PM
To: webappsec () securityfocus com
Subject: one-time password (OTP) authentication

Two-factor authentication (authenticating a user with something they know AND something they possess) is becoming more and more popular due to increasing security requirements and the prevalence of spyware software. However, in open source projects, solutions such as RSA SecurID, smartcards, etc. are not always feasible because of funding, licensing, or other constraints.
Here is a complete, standards-based, open source, no-hardware solution. Here is a PHP implementation for generating, challenging, and authenticating one-time passwords according to RFC 2289 (go to http://www.dcphp.com/Developers/files/otp_pub.zip to download). Below are two scenarios for OTP use.

Scenario A: Users across an organization need access to corporate resources at home, on the road, in airplanes, etc. Users are many (>1000) and geographically distributed. A user applies for access and is approved. The administrator prints off a list of one-time passwords and delivers a hard-copy via physical medium (fax, phone, snail-mail, person-to-person handoff).
Scenario B: Users self-register for a commercial (or other) website. Once successfully registered, the user is given the option to generate a list of one-time passwords and use them for authentication in addition to their username/password (of course, the user can ignore OTP from certain trusted computers, such as the one they registered from, if they trust it). The user can generate new OTPs at any time once authenticated.

When the user logs in, they use their username, password, and a one-time password (which one depends on which one they are prompted for by the server). The OTP expires immediately upon authentication. Now, if a hacker intercepts all three tokens, they are still unable to perform a replay attack because the third token is already invalidated. There is a race condition if they are watching in real time, but this can be accounted for via transaction locking in the session handling code.

-- the brown cow --
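The RFC 2289 mechanics the thread discusses (a hashed chain of passwords consumed in descending order, a server that stores only the last accepted value, and the check-and-advance step locked so the race the post mentions cannot yield two successful logins with one OTP), as an added Python example. This is not code from the original post or from the linked PHP package; it implements the MD5 variant with hex output only, omits the RFC's six-word encoding, keeps state in memory rather than a database, and the passphrase, seed and sequence numbers are constructed sample values.

```python
"""RFC 2289-style one-time passwords (MD5 variant): client-side list
generation plus a server-side verifier whose check-and-advance is atomic.
Added example; all secrets below are constructed sample values."""
import hashlib
import hmac
import threading


def fold_md5(data: bytes) -> bytes:
    """MD5 the input and fold the 16-byte digest to 8 bytes (RFC 2289 s.6):
    XOR bytes 0-7 with bytes 8-15."""
    d = hashlib.md5(data).digest()
    return bytes(d[i] ^ d[i + 8] for i in range(8))


def otp(passphrase: str, seed: str, count: int) -> bytes:
    """One-time password number `count`: hash seed (case-folded, as the RFC
    requires) + secret passphrase once, then re-hash the result `count` times.
    Knowing OTP(n) lets anyone compute OTP(n+1) by hashing, but not OTP(n-1),
    so a captured password is useless for the next login."""
    x = fold_md5((seed.lower() + passphrase).encode())
    for _ in range(count):
        x = fold_md5(x)
    return x


def otp_list(passphrase: str, seed: str, first: int, last: int) -> list:
    """The printed list from Scenario A: (count, hex) pairs, highest count
    first, because counts are consumed in descending order."""
    return [(n, otp(passphrase, seed, n).hex()) for n in range(last, first - 1, -1)]


class OtpVerifier:
    """Server-side state for one user. The server never sees the passphrase;
    it keeps the seed, the sequence number of the last accepted OTP and that
    OTP itself, and challenges for the next lower number. The lock makes
    compare-and-advance atomic (the 'transaction locking' of the post)."""

    def __init__(self, seed: str, count: int, last_otp: bytes):
        self.seed = seed
        self.count = count        # sequence number of last_otp
        self.last_otp = last_otp  # OTP(count), supplied once at enrolment
        self._lock = threading.Lock()

    def challenge(self) -> str:
        # RFC 2289 challenge form: otp-<alg> <sequence> <seed>
        return f"otp-md5 {self.count - 1} {self.seed}"

    def verify(self, presented_hex: str) -> bool:
        try:
            presented = bytes.fromhex(presented_hex)
        except ValueError:
            return False
        if len(presented) != 8:
            return False
        with self._lock:
            if self.count < 1:
                return False  # list exhausted: user must re-enrol a new chain
            # Hashing the presented OTP(count-1) must reproduce the stored OTP(count).
            if hmac.compare_digest(fold_md5(presented), self.last_otp):
                self.last_otp = presented   # accepted value now expires its predecessor
                self.count -= 1
                return True
            return False


def concurrent_attempts(server: OtpVerifier, presented_hex: str, n: int = 8) -> int:
    """Fire n simultaneous logins with the same OTP (an attacker racing the
    legitimate user); return how many are accepted. With the lock it is 1."""
    wins = []

    def attempt():
        if server.verify(presented_hex):
            wins.append(1)

    threads = [threading.Thread(target=attempt) for _ in range(n)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return len(wins)


def demo() -> dict:
    """Scenario B walk-through with a constructed passphrase and seed."""
    passphrase = "correct horse battery staple"  # constructed, never sent to the server
    seed, n = "ex01", 99
    server = OtpVerifier(seed, n, otp(passphrase, seed, n))  # enrolment: user sends OTP(99)
    seq = int(server.challenge().split()[1])                 # server asks for OTP(98)
    first = otp(passphrase, seed, seq).hex()
    return {
        "first_login": server.verify(first),
        "replay": server.verify(first),                              # same OTP again
        "wrong": server.verify(otp(passphrase, seed, seq - 2).hex()),  # skipped a step
        "next": server.verify(otp(passphrase, seed, seq - 1).hex()),   # OTP(97)
        "remaining": server.count,
    }


if __name__ == "__main__":
    print(demo())
```

In a real deployment the in-process lock becomes the database transaction around the row holding `count` and `last_otp` (for example a `SELECT ... FOR UPDATE` followed by the compare and the update), which is exactly the locking the post says closes the race. The hex display and hash-to-bytes conventions here are kept deliberately simple; check them against the test vectors in RFC 2289 before relying on interoperability with another implementation.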
Current thread:
- one-time password (OTP) authentication james (Jun 18)
- RE: one-time password (OTP) authentication Lyal Collins (Jun 19)
- Re: one-time password (OTP) authentication Andrew van der Stock (Jun 19)
- Re: one-time password (OTP) authentication Joseph Miller (Jun 20)
- <Possible follow-ups>
- RE: one-time password (OTP) authentication Cyrill Osterwalder (Jun 20)
- RE: one-time password (OTP) authentication maburns (Jun 20)
- Re: one-time password (OTP) authentication Devdas Bhagat (Jun 21)
- RE: one-time password (OTP) authentication Lyal Collins (Jun 21)
- Re: one-time password (OTP) authentication Achim Hoffmann (Jun 21)
- Re: one-time password (OTP) authentication Devdas Bhagat (Jun 21)
- RE: one-time password (OTP) authentication Lyal Collins (Jun 19)
- RE: one-time password (OTP) authentication maburns (Jun 20)