“One time passwords” are not passwords

print
We did a bit of research into what IT start-up companies need in terms of security. I did expect that secure authentication / logons would be at the top but I was surprised that OTP (one time passwords) were at the bottom.

tumblr_inline_nuaqujon1g1tc653u_540

What I don’t know is whether it is still viewed as overkill or people just don’t know what it is. Some conversations I’m having suggest that not many people know what one time password is. On balance, it is not that surprising when I step out of my geek “box”.

We all know passwords. I create an account (let’s say for an internet email), choose a password and I will most likely use that password for ever. The internet email server will scramble the password with a fast but one-way only function.

tumblr_inline_nuauxwNpiC1tc653u_540

Next time I try to login, my internet email scrambles what I type in and compares it with its database. If the result is the same that means that what I typed is a correct password. The important things are:

  1. I always type the same password – once compromised, forever compromised;
  2. the server stores scrambled password – one has to guess the right one by scrambling guesses, but it can be done fast if the scrambled value is known.

One-time password

One-time password is not really a password. It is a short number (6 to 8 digits) that is computed from a secret (something like a password) shared between the internet email server and my smart phone I use to generate one time passwords. The red number on the picture below does not change and is stored forever.

tumblr_inline_nuavdyzqeW1tc653u_540

If I want to login, I get my smartphone to compute this a one-time password. Once it reaches the internet email, the server will do exactly the same computation and compares the result.

Part of this process is actual time or an ever-increasing number – that ensures that the one-time password I type in next time is unpredictable.

The important things here are:

  1. I type different code to my computer each time I want to login.
  2. the server stores a key that can compute all my one-time passwords any time in the future.

What is the difference then

From your point of view, i.e., a user of the internet email account, the difference is that need my smart phone to log in and enter an additional code (one-time password) when logging in.

Quite some hassle, so there must be a reward. The reward is that if someone compromises the network or the laptop I use to read my emails, they will not be able to get to my email account later. What a clever attacker can do:

  1. login to my email account at the same time as I do; or
  2. get the long red number from the picture above and then login to my email account whenever he/she wants.

One-time passwords will not prevent headlines about yet another leaked password database. OTP servers are still vulnerable to being hacked and its database extracted, sold and exploited.

 

Published by

Dan Cvrcek

Founder and CEO of Enigma Bridge, engineer, entrepreneur, cryptography SME, security architect, and professor.