Ask the Expert

How to securely distribute one-time password tokens

What is the most secure way to handle distribution of one-time password (OTP) tokens in an organization?

    Requires Free Membership to View

While issuing one-time password (OTP) tokens to your employees so they can access your systems does add an extra layer of protection, if those tokens aren't distributed properly, they can leave your systems open to an attack.

The biggest danger is either via unauthorized access by an employee, or worse, internal fraud. An unattended token can grant inappropriate access to someone else's account. And while the thief would still need the user's ID and password, they could easily obtain those.

The best way to prevent malicious token use is to educate employees on how to use them securely. Employees should be taught safe password practices, such as not writing them down and posting them by their desk. Employees should lock up their tokens or carry them when not in use. They should also lock their monitors when they get up from their desk, even if it is simply to get a cup of coffee or use the bathroom.

Distribute tokens from a central location or warehouse where they can be inventoried. Keep a record of all tokens received, as well as their serial numbers and apiece count. To verify that the right user received the right token, implement a policy that requires users to send inactive tokens to the help desk or to an online registration system to be activated. That way the help desk or online system can verify the user, ask for the token serial number and match it with the serial number of the sent token. Please keep in mind that the system you choose should depend on the size of your organization. For example, if you work for a large company, it's not a good idea to deluge the help desk with calls to activate tokens.

An alternate system can involve sending a new user an activation code by e-mail. Again, keep in mind that if you use this system only the activation code should be sent to the user. This will prevent theft of the token and its credentials. To activate the token, the code can be entered online at a predetermined registration site.

This was first published in February 2006

There are Comments. Add yours.

 
TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to: