
One-time password tokens: Reliable authentication mechanisms?

Thinking of purchasing a key fob? Read this identity management and access management Ask the Expert Q&A, and learn from our expert as he examines the pros and cons of this authentication tool.

One of my customers showed me a key fob that generates a number every 60 seconds. How does the network server remain synchronized with this number, and is this a reliable authentication tool?

What you've described is a one-time password (OTP) token: a key fob that displays a new number at a fixed interval, and that number acts as a password. You can preset how long each number is displayed, but the interval is usually in the range of 30 to 60 seconds. You can also set the length of the number, which is often between six and eight digits.

For the most part, these are very reliable authentication tools. They can be the second factor in a two-factor authentication system, which means they provide an extra layer of protection over a single-factor authentication system.

Two-factor authentication, as the name suggests, uses two factors to authenticate a user. A factor can be any one of the following three: something you know, such as a user ID and password; something you have, such as an OTP token or smart card; or something you are, which is a personal characteristic like your fingerprint or voice. The idea is that combining two factors makes it more difficult for a malicious user to crack your system. If an attacker breaks one authentication factor, they're only halfway there and still have to crack the second factor to break into your system.

An OTP augments a user ID and password system by providing an extra, dynamic password, so to speak. User IDs and passwords are static: if they remain unchanged, a hacker can steal them and use them at any time, which is why the user or administrator has to change them frequently. An OTP, on the other hand, changes every 30 to 60 seconds. To break into the system, an attacker would have to use a script that could guess the right number, among the millions of possible numbers the device can display, within that short interval.

The network server runs proprietary software from the OTP token manufacturer, such as RSA or Vasco, that keeps the token and the server synchronized so the server can compute the same number the token is currently displaying.

There is some debate within the information security community about the reliability of OTP tokens for authentication. Critics claim a hacker can defeat the device with a man-in-the-middle (MITM) attack, in which the hacker intercepts the token value in real time, along with the user ID and password. However, again, the attacker would have to act fast and use the OTP value within the short timeframe -- between 30 and 60 seconds. Despite this possibility, OTP tokens are still widely regarded as reliable for two-factor authentication.
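To make the synchronization and the "act fast" point concrete, here is an added example (not from the original answer, and not the proprietary RSA or Vasco software it mentions) using the open time-based OTP scheme standardized in RFC 6238: token and server share a secret seed and a clock, both derive the current number from the number of 30-second steps elapsed, the server tolerates one step of clock drift, and it refuses to accept a number from a step it has already accepted. The secret is the RFC 4226/6238 test-vector seed, and the drift window and replay rule are assumed server policy.

```python
import hmac
import hashlib
import struct

# RFC 4226/6238 test-vector seed; a real token holds a unique random seed.
SECRET = b"12345678901234567890"
STEP = 30      # seconds each number is valid (tokens in practice use 30-60 s)
DIGITS = 6     # displayed length (tokens in practice use 6-8 digits)
WINDOW = 1     # assumed policy: steps of clock drift tolerated on either side


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """HMAC-based OTP (RFC 4226): HMAC-SHA1 over the counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, now: int, step: int = STEP, digits: int = DIGITS) -> str:
    """Time-based OTP (RFC 6238): the counter is the number of whole steps since the epoch.
    This is what the token computes and displays; the server computes the same value."""
    return hotp(secret, now // step, digits)


class OtpServer:
    """Server side: same seed and clock as the token. Accepts a code from the current
    step or +/-WINDOW steps (clock drift), but never from a step already used, so a
    value captured in transit cannot be replayed even inside its 30-second lifetime."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.last_counter = -1  # highest step at which a code was accepted

    def verify(self, code: str, now: int) -> bool:
        counter = now // STEP
        for delta in range(-WINDOW, WINDOW + 1):
            candidate = counter + delta
            if candidate <= self.last_counter:
                continue  # already used (or earlier): reject replay
            if hmac.compare_digest(hotp(self.secret, candidate), code):
                self.last_counter = candidate
                return True
        return False
```

With the test-vector seed, the token shows 287082 at t=59 s; the server accepts it once, rejects the same value presented again, and rejects it outright once its step is outside the drift window.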


This was last published in June 2006
