RE: one-time password (OTP) authentication

[maburns () safenet-inc com]

With two factor authentication the "something they have is a physical
device" therefore it must be present to log on and only the original owner
would have the physical device, in this case the USB token.

-----Original Message-----
From: james [mailto:james () tlhenterprises net]
Sent: Monday, June 20, 2005 4:58 PM
To: james () tlhenterprises net; webappsec () securityfocus com;
maburns () safenet-inc com
Subject: RE: one-time password (OTP) authentication


The list is the something they have, *not* the something they know.  In
addition to using it to authenticate they also must have their regular
username/password that should not be written down anywhere.




---------- Original Message ----------------------------------
From: maburns () safenet-inc com
Date:  Mon, 20 Jun 2005 13:21:14 -0700

> Regardless of saving the money on a two factor USB token that range 
> from for
> $29-$55 I think this approach mentioned is so insecure..." The 
> administrator prints off a list of one-time passwords and delivers a 
> hard-copy via physical medium (fax, phone, snail-mail, person-to-person
handoff)"
> The power of two-factor authentication is that Nothing is written down 
> which is part of the reason passwords are so insecure
>
> Two-factor authentication is   1) "something physical only the user has" -
> like an USB Key which is the same as a ATM card and 2) a "pin # that 
> only user knows" . This is not difficult to implement there are SDK's 
> available and users trust their ATM cards so making the jump to a USB 
> token would not be too difficult
>
> Mary Ann
>
> -----Original Message-----
> From: james [mailto:james () tlhenterprises net]
> Sent: Saturday, June 18, 2005 9:16 PM
> To: webappsec () securityfocus com
> Subject: one-time password (OTP) authentication
>
> Two-factor authentication (authenticating user with something they know 
> AND something they possess) is becoming more and more popular due to 
> increasing security requirements and the prevalence of spyware 
> software.  However, in open source projects, solutions such as RSA 
> securID, smartcards, etc. are not always feasible because of funding,
licensing, or other constraints.
> Here is a complete, standards-based, open source, no-hardware solution.
> Here is a PHP implementation for generating, challenging, and 
> authenticating one-time passwords according to RFC 2289.  (go to 
> http://www.dcphp.com/Developers/files/otp_pub.zip
> to download)  Below are two scenarious for OTP use. 
>
> Scenario A: 
> Users across an organization need access to corporate resources at 
> home, on the road, in airplanes, etc.  Users are many (>1000) and 
> geographically distributed.  A user applies for access and is approved.  
> The administrator prints off a list of one-time passwords and delivers 
> a hard-copy via physical medium (fax, phone, snail-mail, person-to-person
handoff).
> Scenario B: 
> Users self-register for a commercial (or other) website.  Once 
> successfully registered, the user is given the option to generate a 
> list of one-time passwords and use them for authentication in addition 
> to their username/password (of course, user can ignore OTP from certain 
> trusted computers, such as the one they registered from, if they trust 
> it).  The user can generate new OTP's at any time once authenticated.
>
>
>
> When the user logs in, they use their username,password, and a 
> one-time-password (which one depends on which one they are prompted for 
> by the server).  The OTP expires immediately upon authentication.  Now, 
> if a hacker intercepts all three tokens, they are still unable to 
> perform a replay attack because the third token is already invalidated.  
> Their is a race condition if they are watching real-time, but this can 
> be accounted for via transaction locking in the session handling code.
>
>
> --
> the brown cow
> --