Problem solve Get help with specific problems with your technologies, process and projects.

How to securely distribute one-time password tokens

In this Ask the Expert Q&A, our identity and access management expert examines how to properly distribute one-time password (OTP) tokens to your employees so they don't leave your systems open to an attack.

What is the most secure way to handle distribution of one-time password (OTP) tokens in an organization?
While issuing one-time password (OTP) tokens to your employees so they can access your systems does add an extra layer of protection, if those tokens aren't distributed properly, they can leave your systems open to an attack.

The biggest danger is either via unauthorized access by an employee, or worse, internal fraud. An unattended token can grant inappropriate access to someone else's account. And while the thief would still need the user's ID and password, they could easily obtain those.

The best way to prevent malicious token use is to educate employees on how to use them securely. Employees should be taught safe password practices, such as not writing them down and posting them by their desk. Employees should lock up their tokens or carry them when not in use. They should also lock their monitors when they get up from their desk, even if it is simply to get a cup of coffee or use the bathroom.

Distribute tokens from a central location or warehouse where they can be inventoried. Keep a record of all tokens received, as well as their serial numbers and apiece count. To verify that the right user received the right token, implement a policy that requires users to send inactive tokens to the help desk or to an online registration system to be activated. That way the help desk or online system can verify the user, ask for the token serial number and match it with the serial number of the sent token. Please keep in mind that the system you choose should depend on the size of your organization. For example, if you work for a large company, it's not a good idea to deluge the help desk with calls to activate tokens.

An alternate system can involve sending a new user an activation code by e-mail. Again, keep in mind that if you use this system only the activation code should be sent to the user. This will prevent theft of the token and its credentials. To activate the token, the code can be entered online at a predetermined registration site.

This was last published in February 2006

Dig Deeper on Two-factor and multifactor authentication strategies