Wednesday, August 28, 2013

Basics - One Time Passwords and Two Factor Authentication

Two-factor authentication requires the use of two of the following three authentication factors.

  • Something the user knows (e.g., password, PIN, pattern);
  • Something the user has (e.g., ATM card, smart card, mobile phone); and
  • Something the user is (e.g., biometric characteristic, such as a fingerprint).

A clear explanation can be found on wikipedia:  http://en.wikipedia.org/wiki/Two-factor_authentication


The most popular and easiest way of implementing second factor in authentication is the use of OTP (one time passwords).

A one-time password (OTP) is a password that is valid for only one login session or transaction.
The most important shortcoming that is addressed by OTPs is that, in contrast to static passwords, they are not vulnerable to replay attacks.

There are also different ways to make the user aware of the next OTP to use.

  • Some systems use special electronic security tokens that the user carries and that generate OTPs and show them using a small display. 
  • Other systems consist of software that runs on the user's mobile phone (mobile apps)
  • Yet other systems generate OTPs on the server-side and send them to the user using an out-of-band channel such as SMS messaging.


There are also well-known algos in this area such as HOTP = HMAC based OTP and TOTP = Time based OTP.

Some things to note:

  • Use of hardware token genenators is more expensive
  • Use of SMS channel requires the server sides to have capability to send SMS through reliable SMS gateways which may be paid options
  • Use of mobile apps, often requires internet connectivity to the server

To further clarify the OTP options, I am providing a few self explanatory slides below:


--------------------xxx----------------------


-------------------xxx----------------------





Finally, there are several open source and paid providers of two factor auth and OTP solutions.Most of these require a custom authentication server as backend.

M-PIN          - http://www.certivox.com/m-pin/

and many more...


Also you can develop, a custom implementation using standard algorithms like HMAC for OTP

cheers!

2 comments:

Jimmy Jarred said...

Which of these is more powerful ? I like to know more about two factor authentication scheme. I will visit the link suggested above. Thank you.
electronic signatures

john mike said...

CloudAce high quality Two-Factor Authentication solutions safeguard your network from malicious attempts and provide extra protection for company’s most sensitive information.
Two-Factor Authentication solutions