Home > Security Tips > Compliance Counselor > One-time password tokens: Best practices for two-factor authentication
Security Tips:
EMAIL THIS
 TIPS & NEWSLETTERS TOPICS 

COMPLIANCE COUNSELOR

One-time password tokens: Best practices for two-factor authentication


Joel Dubin
09.18.2006
Rating: -4.00- (out of 5)


Digg This!    StumbleUpon Toolbar StumbleUpon    Bookmark with Delicious Del.icio.us   


The recent phishing attack on Citibank's one-time password (OTP) authentication has questioned the viability of OTP tokens as a secure method for two-factor authentication. That concern is even greater among banks who had pinned their hopes on using tokens to meet the Federal Financial Institutions Examination Council (FFIEC)'s recommendation that they implement two-factor authentication to protect their Internet banking Web sites from malicious access. Does that mean the end for OTP tokens as a way to comply with the FFIEC? Not exactly. One-time password tokens can still be effective for two-factor authentication depending on how and where they're implemented.

OTP tokens generate new PIN numbers every 30 to 60 seconds and can be used in addition to static user IDs and passwords to log on to a Web site. The idea is that if the static credentials are stolen, say, in a phishing attack, the malicious user would still have to guess the PIN to gain access. But since the time window is short to guess the PIN, it would be nearly impossible to break in.

MITM attacks and one-time passwords
Information security professionals have known for a while that OTP tokens are susceptible to man-in-the-middle (MITM) attacks. So the Citibank attack was no surprise. It was a real-time phishing attack, which is exactly what was expected. However, as scary as a real-time phishing attack may be, it requires that the hacker be at their keyboard at the right moment and act very quickly (like in 30 seconds) to gain access to the victim's online bank account. So unless it can be automated, it doesn't make a lot of sense for the serious criminal. Remember, phishing attacks are committed by organized criminal gangs interested in making a fast buck. This means constant monitoring of the victim online. Traditional phishing sites can harvest more prey, more efficiently, and make more money through passively harvesting credentials than the occasional one-off real-time attack,



which depends mostly on luck. Of course, with the right combination of automated scripts and botnets, this could all change.

One-time password token best practices
There are two strategies for successfully and securely implementing OTP tokens: architecture of the token implementation and physical security of the tokens themselves.

In terms of architecture, the first consideration is placement of the token in your system. The most secure use of OTP tokens is for logging in to workstations locally or for accessing an internal network behind a firewall. In an internal network, where all servers are monitored (unlike the open Internet) an MITM attack isn't as likely. But that isn't much help for putting an OTP on a customer-facing Web site, which is the point of the FFIEC guidance. Therefore, a good approach for Web sites is to use Secure Sockets Layer (SSL) for the login page where the OTP value is entered instead of only for the following transaction pages. This encrypts all credentials – both the user ID and password, and the OTP's PIN – from the beginning. Login pages of some Web sites that use plain HTTP may pass credentials openly unencrypted over the Internet, where they can be sniffed.

But SSL itself can't stop a man-in-the-middle attack. SSL with mutual authentication enabled can provide some protection since both the server and client exchange certificates, preventing the type of server spoofing needed for MITM attacks. Design your site with the latest version of SSL that has mutual authentication.

Tokens are also vulnerable to theft, which is why their physical security is equally important for secure implementation. If tokens are stolen en route to customers along with the user's other login credentials, they're as good as compromised. The following are some tips for physically securing one-time password tokens:

Man-in-the-middle attacks will continue to plague one-time password tokens, but these suggestions should help mitigate the risk and allow for successful FFIEC compliance.

About the Author:
Joel Dubin, CISSP, is an independent computer security consultant. He is a Microsoft MVP in security, specializing in web and application security, and the author of The Little Black Book of Computer Security available from Amazon.

Rate this Tip
To rate tips, you must be a member of SearchSecurity.com.
Register now to start rating these tips. Log in if you are already a member.




BROWSE BY TAG
Compliance Counselor,   Security Token and Smart Card Technology,   Enterprise Identity and Access Management,   User Authentication Services,   Application and Platform Security,   Email Protection,   Email and Messaging Threats (spam, phishing, instant messaging),   VIEW ALL TAGS

Digg This!    StumbleUpon Toolbar StumbleUpon    Bookmark with Delicious Del.icio.us   


RELATED CONTENT
Compliance Counselor
Common PCI questions: Web application firewalls or source code review?
PCI management: The case for Web application firewalls
The basics of enterprise GRC project management
PCI DSS: The structure of a standard
How to choose between source code reviews or Web application firewalls
HIPAA compliance: New regulations change the game
Data security best practices for PCI DSS compliance
Key elements of a HIPAA compliance checklist
A preview of PCI virtualization specifications
Strategies for email archiving and meeting compliance regulations

Security Token and Smart Card Technology
Risk management must include physical-logical security convergence
RSA researcher Ari Juels: RFID tags may be easily hacked
Portable security storage device could replace OTP devices
Can you combine RFID tag technology with GPS to track stolen goods?
Security token and smart card authentication
Hackers can target embedded smart card chips
What should an enterprise look for in a password token and a vendor?
Are smart cards insecure if Mifare Classic RFID encryption is cracked?
What are good features to look for in access control software?
Secure Computing SafeWord 2008 product review

Email and Messaging Threats (spam, phishing, instant messaging)
Chained Exploits: How to prevent phishing attacks from corporate spies
3FN.net ISP shutdown interrupts spam campaigns
Swine flu outbreak results in spam pandemic
What does 'invoked by uid 78' mean?
Economy fuels malware, spam
Internet Explorer 8 includes a bevy of security features
Adobe JBIG2 exploits being spammed, IBM warns
Fierce competition prompted new Cisco email security options
Cisco brings email security appliances closer to SaaS
Cisco offers more email security choices, but lacks vision
Email and Messaging Threats (spam, phishing, instant messaging) Research

RELATED GLOSSARY TERMS
Terms from Whatis.com − the technology online dictionary
authentication server  (SearchSecurity.com)
Chameleon Card  (SearchSecurity.com)
key chain  (SearchSecurity.com)
key fob  (SearchSecurity.com)
key string  (SearchSecurity.com)
national identity card  (SearchSecurity.com)
security token  (SearchSecurity.com)
smart card  (SearchSecurity.com)
tokenization  (SearchSecurity.com)
two-factor authentication  (SearchSecurity.com)

RELATED RESOURCES
2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems
Search Bitpipe.com for the latest white papers and business webcasts
Whatis.com, the online computer dictionary

DISCLAIMER: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.



Research Solutions for Network Security, Access Control and Security Threats
More Security Resources for Resellers, VARs and OEMs
TechTarget Security Media
Information Security View this month\\'s issue and subscribe today.
Information Security Decisions Apply online for free conference admission.
SearchSecurity.com
HomeNewsMagazineMultimediaWhite PapersLearningAdviceTopicsEventsAbout Us

About Us  |  Contact Us  |  For Advertisers  |  For Business Partners  |  Site Index  |  RSS
TechTarget provides technology professionals with the information they need to perform their jobs - from developing strategy, to making cost-effective purchase decisions and managing their organizations' technology projects - with its network of technology-specific websites, events and online magazines.

TechTarget Corporate Web Site  |  Media Kits  |  Site Map




All Rights Reserved, Copyright 2003 - 2009, TechTarget | Read our Privacy Policy
  TechTarget - The IT Media ROI Experts