One-time password tokens: Best practices for two-factor authentication

OTP tokens generate new PIN numbers every 30 to 60 s...

BROWSE BY TAG Compliance Counselor,   Security Token and Smart Card Technology,   Enterprise Identity and Access Management,   User Authentication Services,   Application and Platform Security,   Email Protection,   Email and Messaging Threats (spam, phishing, instant messaging),   VIEW ALL TAGS

RELATED CONTENT Compliance Counselor The future of PCI DSS encryption requirements? Tokenization for PCI Security compliance predictions for 2010: New regulations, new technology Compliance strategy: How to become an internal IT auditor GRC customers point to better efficiency, convergence and consistency Benefits of ISO 27001 and ISO 27002 certification for your enterprise Identity lifecycle management for security and compliance Interpreting 'risk' in the Massachusetts data protection law FTC Red Flags Rules: How to create an identity theft prevention plan Creating a HIPAA employee training program Data protection tips for corporate compliance leaders Security Token and Smart Card Technology The pros and cons of implementing smart cards First Data, RSA push tokenization for payment processing How to log in to multiple servers with federated single sign-on (SSO) Best Authentication Products Are 'strong authentication' methods strong enough for compliance? Risk management must include physical-logical security convergence RSA researcher Ari Juels: RFID tags may be easily hacked Portable security storage device could replace OTP devices Can you combine RFID tag technology with GPS to track stolen goods? Security token and smart card authentication Email and Messaging Threats (spam, phishing, instant messaging) Chinese hacker attacks target Google Gmail accounts, top tech firms PDF attack code complicates security analysis, skirts detection Panda warns of American Express phishing scam Active PDF attacks target Reader, Acrobat zero-day vulnerability Yahoo login credentials at risk to hijacking attack The world's top 5 riskiest domains How to secure a .pdf file Top spammer gets four years in jail for stock fraud scheme New Zeus spam poses as Social Security statements Messaging security risks have upper hand on solutions Email and Messaging Threats (spam, phishing, instant messaging) Research

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary authentication server  (SearchSecurity.com) Chameleon Card  (SearchSecurity.com) key chain  (SearchSecurity.com) key fob  (SearchSecurity.com) key string  (SearchSecurity.com) national identity card  (SearchSecurity.com) security token  (SearchSecurity.com) smart card  (SearchSecurity.com) tokenization  (SearchSecurity.com) two-factor authentication  (SearchSecurity.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary

econds and can be used in addition to static user IDs and passwords to log on to a Web site. The idea is that if the static credentials are stolen, say, in a phishing attack, the malicious user would still have to guess the PIN to gain access. But since the time window is short to guess the PIN, it would be nearly impossible to break in.

MITM attacks and one-time passwords
Information security professionals have known for a while that OTP tokens are susceptible to man-in-the-middle (MITM) attacks. So the Citibank attack was no surprise. It was a real-time phishing attack, which is exactly what was expected. However, as scary as a real-time phishing attack may be, it requires that the hacker be at their keyboard at the right moment and act very quickly (like in 30 seconds) to gain access to the victim's online bank account. So unless it can be automated, it doesn't make a lot of sense for the serious criminal. Remember, phishing attacks are committed by organized criminal gangs interested in making a fast buck. This means constant monitoring of the victim online. Traditional phishing sites can harvest more prey, more efficiently, and make more money through passively harvesting credentials than the occasional one-off real-time attack, which depends mostly on luck. Of course, with the right combination of automated scripts and botnets, this could all change.

One-time password token best practices
There are two strategies for successfully and securely implementing OTP tokens: architecture of the token implementation and physical security of the tokens themselves.

In terms of architecture, the first consideration is placement of the token in your system. The most secure use of OTP tokens is for logging in to workstations locally or for accessing an internal network behind a firewall. In an internal network, where all servers are monitored (unlike the open Internet) an MITM attack isn't as likely. But that isn't much help for putting an OTP on a customer-facing Web site, which is the point of the FFIEC guidance. Therefore, a good approach for Web sites is to use Secure Sockets Layer (SSL) for the login page where the OTP value is entered instead of only for the following transaction pages. This encrypts all credentials – both the user ID and password, and the OTP's PIN – from the beginning. Login pages of some Web sites that use plain HTTP may pass credentials openly unencrypted over the Internet, where they can be sniffed.

But SSL itself can't stop a man-in-the-middle attack. SSL with mutual authentication enabled can provide some protection since both the server and client exchange certificates, preventing the type of server spoofing needed for MITM attacks. Design your site with the latest version of SSL that has mutual authentication.

Tokens are also vulnerable to theft, which is why their physical security is equally important for secure implementation. If tokens are stolen en route to customers along with the user's other login credentials, they're as good as compromised. The following are some tips for physically securing one-time password tokens:

• Don't put any identifying marks either on the tokens or on the packaging used to send them to customers. Although attractive as a low-cost small marketing tool, they're also a road sign to thieves, hackers and other malicious users. Company logos and names should be kept on other marketing materials, not on tokens.
• Carefully inventory all token shipments and provide central warehousing for each locality. Keep records of all tokens shipped from the manufacturer with complete lists of all serial numbers. Any missing ranges of serial numbers should be reported to the manufacturer and deactivated.
• Choose the appropriate token for the level of risk of the transaction. Vasco, one of the major token providers, has tokens for different types of transactions, going beyond the simple key fob that generates PINs. They have models resembling pocket calculators with key pads that require a code to be entered just to unlock the display with the PIN.
• Design your system to require a code that has to be appended to the PIN displayed on the OTP. The combined longer number is both unique and harder to crack than the OTP value by itself. Along the same lines, configure longer OTP values, in general. An eight-digit PIN is harder to crack than a six-digit one.
• Keep the time window for displaying the PIN as short as is conveniently possible for your customers. It's harder to steal a PIN in 30 seconds than 60.
• Tokens should only be activated once they're in the hands of an existing customer already registered with your Web site. For even tighter physical control – though a bit extreme – only allow customers to pick up tokens in person at the bank, or a branch. Provide either an online help system, or a customer service number, for customers to call with issues or to deactivate suspicious tokens.

Man-in-the-middle attacks will continue to plague one-time password tokens, but these suggestions should help mitigate the risk and allow for successful FFIEC compliance.

About the Author:
Joel Dubin, CISSP, is an independent computer security consultant. He is a Microsoft MVP in security, specializing in web and application security, and the author of The Little Black Book of Computer Security available from Amazon.

Rate this Tip To rate tips, you must be a member of SearchSecurity.com. Register now to start rating these tips. Log in if you are already a member. DISCLAIMER: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.