One-Time Passwords
By Anthony McDougle and Loren Klingman
Why Use One-Time Passwords?
• The average user does not have secure passwords
  ◦ Simple passwords
  ◦ Reusing the same password
  ◦ Never changing their password
• Can add security when used as an additional level of authentication
What Are One-Time Passwords?
• A new password is generated at each use
• The password expires after one use and cannot be used again
  ◦ Cannot be re-used by an interceptor
Who Uses One-Time Passwords
• Facebook
  ◦ Optional method of logging into public PCs
  ◦ Generated password is delivered via text message
• Google
  ◦ Multi-factor authentication, using a standard password and a one-time password in order to log in
• Among many others!
How It Works
• Time-generated on server & client
  ◦ Requires synchronization
• “Seeded” algorithm
  ◦ One-way hash function
• Passwords generated and sent to the user
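The time-generated scheme on this slide, as an added example that is not part of the original presentation: both sides derive the code from a shared seed and the current 30-second time step (the RFC 6238 TOTP construction over HMAC-SHA1 is assumed as the concrete algorithm), the server tolerates one step of clock drift, and it records the last consumed step so an intercepted code cannot be replayed. The seed is the RFC 6238 test secret, not a real one.

```python
import hmac
import hashlib
import struct

# RFC 6238 test secret (ASCII "12345678901234567890"); a real deployment uses a random seed
SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the counter, dynamically truncated to a decimal code."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # low nibble of the last byte selects 4 bytes
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """Client side: the code for the current time step (RFC 6238)."""
    return hotp(secret, now // step, digits)


class TotpVerifier:
    """Server side: same seed, a drift window, and replay prevention."""

    def __init__(self, secret: bytes, step: int = 30, window: int = 1):
        self.secret, self.step, self.window = secret, step, window
        self.last_used_step = -1                 # highest time step already consumed

    def verify(self, code: str, now: int) -> bool:
        current = now // self.step
        for drift in range(-self.window, self.window + 1):
            candidate = current + drift
            if candidate <= self.last_used_step:
                continue                         # used (or older than a used code): reject replay
            if hmac.compare_digest(hotp(self.secret, candidate), code):
                self.last_used_step = candidate  # consume this step; the code is now one-time
                return True
        return False


if __name__ == "__main__":
    server = TotpVerifier(SECRET)
    now = 1111111111
    print(totp(SECRET, now), server.verify(totp(SECRET, now), now))   # accepted once
    print(server.verify(totp(SECRET, now), now))                      # replay rejected
```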
Password Distribution
• Mobile phone app
• Token-generating device
• Text message or e-mail
  ◦ Cheapest, but least secure
• Printed on paper & given to user
Multi-Factor Authentication
• When a system uses multiple levels and methods of authentication
• Categories of authentication
  ◦ Something you are (biometrics)
  ◦ Something you have (phone, computer)
  ◦ Something you know (standard password)
• Can be as simple as requiring a standard password plus a generated one-time password for logins
Benefits
• Passwords cannot be stolen by traffic sniffers and key loggers
• Passwords cannot be cracked by traditional methods
• Not very susceptible to phishing attempts or careless users
• Passwords are, in theory, not re-usable
  ◦ Stolen passwords are useless
Vulnerabilities
• Theft of the password generator or of a list of valid passwords is still a possibility
• Cracking the password-generation algorithm
• In cases of SMS, e-mail, or other messaging, the service provider in the middle must prevent interception
• Malware that can trick a user into giving up a password before its use
Other Pros & Cons
• One-time passwords are generally safer than regular passwords
• May be too much
  ◦ Too many prompts can frustrate users
• Costs money to implement, but often cheaper than other methods such as biometrics
Conclusion
• One-time passwords are a much safer alternative
  ◦ Thwart key loggers, traffic sniffers, and phishers
• One-time passwords still have vulnerabilities, though they are harder to crack
• Deciding on the password system depends on the company and the security measures necessary
  ◦ Different systems may be more cost-effective depending on the need
  ◦ Find a balance between cost, simplicity, and security