For the most part, these are very reliable authentication tools. They can be the second factor in a two-factor authentication system, which means they provide an extra layer of protection over a single-factor authentication system.
Two-factor authentication, as the name suggests, uses two factors to authenticate a user. A factor can be any one of the following three: something you know, such as a user ID and password; something you have, such as an OTP or smart card; or something you are, which is a personal characteristic like your fingerprint or voice recording. The idea is that combining two factors makes it more difficult for a malicious user to crack your system. If an attacker breaks one authentication factor, they're only halfway there and still have to crack the second factor to break into your system.
An OTP augments a user ID and password system by providing an extra dynamic password, so to speak. User IDs and passwords are static. If they remain unchanged, a hacker can steal them and use them at any time. Therefore, the user or administrator has to change them frequently. An OTP, on the other hand, changes every 30 to 60 seconds. The attacker would have to use a script that could quickly guess the right number among the millions of possible numbers displayed on the device to break into the system.
The network server runs proprietary software from the OTP token manufacturer, such as RSA or Vasco, that synchronizes the token with the server.
There is some debate within the information security community about the reliability of OTP tokens for authentication. Critics claim a hacker can defeat the device with a man-in-the-middle (MITM) attack, in which a hacker intercepts the token value in real time, along with the user ID and password. However, this attacker would again have to act fast and use the OTP value within the short timeframe, between 30 and 60 seconds. Despite this possibility, OTP tokens are still widely regarded as reliable for two-factor authentication.
This was first published in June 2006