One of my customers showed me a key fob that generates a number every 60 seconds. How does the network server remain synchronized with this number, and is this a reliable authentication tool?
What you've described is a one-time password (OTP) token: a key fob that displays a new number at a fixed interval, and that number acts as a password. The interval is set when the token is provisioned rather than by the user, and is typically 30 or 60 seconds. The code length is likewise fixed at provisioning, usually six to eight digits.
For the most part, these are very reliable authentication tools. They can be the second factor in a two-factor authentication system, which means they provide an extra layer of protection over a single-factor authentication system.
Two-factor authentication, as the name suggests, uses two factors to authenticate a user. A factor can be any one of the following three: something you know, such as a user ID and password; something you have, such as an OTP token or smart card; or something you are, a personal characteristic such as a fingerprint or voice. The idea is that combining two factors makes it more difficult for a malicious user to break into your system. If an attacker compromises one factor, they are only halfway there and still have to defeat the second factor to get in.
An OTP augments a user ID and password with a second, dynamic password. User IDs and passwords are static: until they are changed, a stolen copy can be used at any time, which is why users and administrators have to rotate them. An OTP, by contrast, changes every 30 to 60 seconds, and a captured value is worthless once its window has passed. An attacker who does not hold the token would have to guess the current value among one million (six-digit) to one hundred million (eight-digit) possibilities before the window closes, and a properly configured server throttles or locks the account after a handful of wrong guesses, so online guessing is not a practical attack.
The network server runs software from the token vendor, such as RSA or Vasco, that keeps the token and the server in step. Each token holds a secret seed that the server also holds; both sides derive the current code from that seed and the current time (for time-based tokens) or an event counter (for event-based tokens), so no value ever has to be transmitted from the token to the server. Because the token's clock can drift, the server accepts codes from one or a few intervals either side of its own time and typically records the observed offset for that token so the window can be kept small.
There is some debate within the information security community about the reliability of OTP tokens for authentication. Critics point out that an attacker can defeat the device with a man-in-the-middle (MITM) attack, in which the attacker intercepts the user ID, password and current token value in real time, for example through a phishing page that relays them straight to the real server. The attacker does have to act within the short window, 30 to 60 seconds, but a real-time relay does exactly that by design, so the window limits replay after the fact rather than stopping the relay itself. Despite this, OTP tokens are still widely regarded as reliable for two-factor authentication.
Related Q&A from Joel Dubin