One-time password (OTP) tokens are known as two-factor authentication. They're meant to augment existing user IDs and passwords with an extra layer of authentication. The idea is that if a password is compromised, the OTP device would still have to be broken as well to gain system access.
OTP tokens are usually small pocket-size fobs with a small screen that displays a number. The number changes every 30 or 60 seconds, depending on how the token is configured. The user then enters his or her user ID and PIN number, plus the number displayed on the token in the password field for access to the system.
The choice of a password token should be based on the company's needs. Why do you need tokens, and who will be using them? Are they for employees to access internal systems, or for customers to access externally facing systems, like websites? Are they for compliance with regulations or for beefing up existing authentication to systems hosting high-risk data?
Those questions aside, the choice of password tokens should be based on how well they mesh with existing network and authentication architecture and their ease-of-use and acceptance by employees. Other considerations are maintenance, support and scalability -- how easy are they to support and will they grow as authentication needs expand?
First, OTP tokens should be compatible with existing authentication infrastructure. They should be managed from a central location so users can be provisioned or deleted as required, at will. Authentication credentials from the device should be able to be stored easily in the current directory service, whether Active Directory or LDAP.
Second, the device should be easy for employees or customers to use. If it's difficult, or employees aren't given proper training, they'll figure out ways around the device, which defeats its purpose. Also, as with user IDs and passwords, tokens should never be shared.
Lastly, tokens should be easy for system administrators to install, deploy and maintain. A token-based system should be scalable to handle additional users as a network grows, and the devices should be configurable because the length of the number, or the time it's displayed on the screen, may need to be shorter or longer, based on the business and security requirements. Tokens also need to be purchased, stored and distributed, adding to the cost of maintenance and overhead.
There are a lot of vendors in this space, including EMC Corp.'s RSA division, Aladdin Knowledge Systems Inc., Entrust Inc., VASCO Data Security International, ActivIdentity Inc., and VeriSign Inc. They offer a range of token types from small key chain fobs to mini-calculators.
This was first published in September 2008