Network Security

You can use OTP – One Time Password for stronger authentication

If your finance department personnel do quite a number of bank transfers/ financial transactions over the Internet (web portal) everyday, there is a chance that their user-names/passwords can be stolen and misused. So authenticating users with just their user-names and passwords are not secure enough, at least for such critical functions. With a One Time Password (OTP) system, you can authenticate users using passwords that keep changing (say every 90 seconds).

Why are One Time Passwords required?

Normally, application/ network access is given to people after they authenticate with their user-name and password. But since most of the applications are accessible over the Internet these days, this method of authentication may not be secure enough, as the user-name and password can stolen/ guessed by a hacker and network administrators would come to know of it, only after some damage happens. To  introduce stronger authentication for critical applications/ transactions/ network access, especially from a remote location for employees/ partners/ vendors, One Time Passwords (OTP) are required.

What is a One Time Password (OTP)?

A One Time Password (OTP) is a temporarily generated password using a small device (like a USB drive, with an LCD screen) when a user presses a key in it (or) using a mobile phone/ through SMS. The user needs to enter that password in to the system (computer application) where he wants to get authenticated. The system then checks with an authentication server, which also generates the same password. If both the passwords match, the user is given access to the system. If that One Time Password is somehow stolen/ re-entered by someone else later on, the authentication would fail as the password keeps changing after a specific time interval (every minute, or so).

One Time Password is generally complemented by another layer of authentication. The user can be requested to authenticate with his corporate directory based user-name/password credentials (AD/ LDAP), before authenticating with the OTP. Or, he can be requested to press a PIN Number (given to him earlier) before generating the OTP. Or, the OTP hardware token can itself be authenticated by the system (using digital certificates) through a USB drive, before accepting the password. Or, the OTP can be generated and sent to the user’s mobile number as an SMS, and he needs to open the message in his cell phone and enter the OTP in to the system after reading it from there. So, as you can see, there are multiple ways of providing stronger authentication using OTP – One Time Passwords.

Types of generating an OTP – One Time Password:

Hardware based OTP Tokens: These are essentially (USB like or smart card like) hardware token devices with a small LCD screen on them so that the users can see the One TIme Password (OTP) when it is generated. Some of them even have a few keys on them (Like 0-9) in order to allow a user to type a PIN number before generating the One Time Password. Some of them can hold a digital certificate, and the same can be verified by a computer using a USB interface. There maybe many more such ‘forms’ of the OTP hardware tokens, but they are essentially used to generate an OTP, when ever and where ever required.

The main advantage of a hardware token is the fact that users need to physically have it, where ever they are trying to get access to corporate systems and hence it is a more secure way of authenticating remote users/ partners and even vendors. Since these tokens are very small, they can be carried anywhere. The limitation is the cost/ time involved in procuring and maintaining these hardware tokens. Additional cost is involved to replace damaged/ lost tokens and some vendors even make it mandatory to change all the tokens after a few years.

Mobile based OTP Tokens: As an alternative to the software based token devices, vendors make use of the mobile phones carried by employees/ partners etc, to generate the One Time Password. This can be either done by a software application already loaded in a mobile (or) the OTP can be sent to the mobile as an SMS (when the user clicks on a web-page, for example), which can later be used in the system for authentication with a particular corporate application.

As mobile phones are available with almost all the employees, the investment on the hardware token device can be avoided using this solution. But the license costs still apply to every user. Mobile OTP solutions can be employed on a large scale to authenticate consumers as well (For example, certain websites send one time passwords to the mobile phone which can be then used to gain temporary access to the website until the user changes the password later-on). The disadvantages include incompatibility of software for certain mobile operating systems and the cost of sending messages using SMS.

There are other forms of One Time Password Authentication methods like Email Authentication, Browser based Software authentication on a Computer, PKI based authentication, Digital Certificates, etc.

Authentication Servers/ OTP Management Applications:

When there are OTP tokens, there should be some central authority to check the One Time Passwords generated by these tokens as well. This job is done by the Authentication Servers (which can either be in the form of software applications or hardware controller devices).These authentication servers also verify if the PIN numbers entered by the users on the OTP devices are correct, before allowing them to generate the One Time Passwords, in certain cases.

Generally the One Time Passwords are calculated by the Authentication Servers based on Time (which is synchronized with the OTP Tokens as well so that they too use the same time value to arrive at the same One Time Passwords) or Some Mathematical Algorithms (which are calculated from the previous One Time Password value, for example). These Authentication Servers integrate with corporate directories like LDAP/ AD and come with web-based management interface for easier administration.

Some vendors offer additional applications which makes the management/ administration of One Time Passwords easier. For example, if some user has forgotten his OTP Token device at home, they can go to the web based management application offered by the OTP vendor to request One Time Passwords to their email address/ SMS on mobile phone, just for that one day. These applications can also be used to reset and provide a new PIN number on-line, if the same is lost by an employee. Even the lost/ damaged OTP tokens can be reported through this application which can then be replaced by the administrators.

You could stay up to date on the various computer networking and related technologies by subscribing to this blog with your email address in the sidebar box that says, ‘Get email updates when new articles are published’