- Date: January 4th, 2011
- Author: Chad Perrin
The way you get your one-time passwords for entry into the system varies from one one-time password implementation to another. Good systems tend to involve an algorithmically predictable series of passwords over a limited span of time, generated in two places: on some kind of one-time-password generating token or software, and on the system where the one-time password should be entered. Unpredictability for outsiders is introduced by the (cryptographically) random selection of a starting point for the series and by what cryptographers call “salting”, where the output of the system is determined in part by some secret variation injected into the algorithm’s operation. Such predictable series are typically only predictable in one direction, and are used in reverse, so that gaining access to a given one-time password in the series will only allow one to predict one-time passwords that have already been used.
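As an added illustration (not the article's code), here is a minimal hash-chain scheme of the kind described above, in the style of S/KEY and OPIE: a secret passphrase and a random seed are hashed repeatedly, the system stores only the last value of the chain, and the token hands the chain out in reverse. SHA-256 as the hash, the 100-step chain length, the enrollment flow and the class names are my assumptions.

```python
import hashlib
import secrets

def step(value: bytes) -> bytes:
    # One link of the chain: a one-way hash, so the chain can only be walked forward.
    return hashlib.sha256(value).digest()

def build_chain(passphrase: str, seed: str, n: int) -> list:
    # chain[i] = H^(i+1)(passphrase || seed). The random seed is the unpredictable
    # starting point; the passphrase is the secret variation mixed in.
    value = (passphrase + seed).encode()
    chain = []
    for _ in range(n):
        value = step(value)
        chain.append(value)
    return chain

class Verifier:
    # The system being logged into keeps only the most recently accepted value
    # and a counter, never the passphrase and never a password not yet used.
    def __init__(self, anchor: bytes, remaining: int):
        self.anchor, self.remaining = anchor, remaining

    def check(self, candidate: bytes) -> bool:
        # Accept only the value that hashes to the stored anchor, then move the
        # anchor back one link so the same password can never be accepted twice.
        if self.remaining == 0 or step(candidate) != self.anchor:
            return False
        self.anchor, self.remaining = candidate, self.remaining - 1
        return True

def enroll(passphrase: str, n: int = 100):
    # Enrollment (assumed flow): the token side builds the chain and the verifier
    # receives only H^n; the token keeps H^1..H^(n-1) to use from the end.
    seed = secrets.token_hex(8)
    chain = build_chain(passphrase, seed, n)
    return chain[:-1], Verifier(chain[-1], n - 1)

def demo() -> dict:
    token, server = enroll("constructed sample passphrase")
    first = token.pop()                      # H^(n-1): the first password used
    results = {"first_login": server.check(first)}
    results["replay"] = server.check(first)  # sniffed and replayed: rejected
    # An eavesdropper who hashes a captured password forward only reaches
    # values that were already spent (H^n here), which the verifier rejects.
    results["forward_guess"] = server.check(step(first))
    results["second_login"] = server.check(token.pop())  # H^(n-2)
    return results
```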
Depending on how strictly you define separation of authentication factors, and on how you implement a one-time password system, introducing one-time passwords to your authentication scheme can provide multifactor authentication security. An implementation that involves the use of a separate hardware token, such as a USB device or smartphone that reveals the next password in the cycle when needed, qualifies as “something you have”. The fact that the password must then be entered at a prompt the same way a more traditional, reusable password is entered might prompt some to disqualify this as a second authentication factor: it is conceivable that certain types of attacks can compromise both the reusable password and the one-time password, because password verification for the two authentication methods will likely share at least part of the same implementation.
Regardless of whether you consider a one-time password system a strictly defined second authentication factor, it can at least provide some of the benefit of multifactor authentication, and make it more difficult for unauthorized parties to get through the authentication process. Operating systems like Debian GNU/Linux and FreeBSD offer easy installation and configuration of one-time password systems, and the Android Market offers a plethora of one-time password applications that can turn your smartphone into a separate hardware token for use in your one-time password system.
The biggest benefit to a one-time password system is probably that it avoids some of the danger of your network traffic being sniffed or a keystroke logger recording everything you type. Certainly, if there is a keystroke logger on your computer you should do something about it anyway — but if a keystroke logger is there and you do not realize it, at least recording a one-time password will not give a malicious security cracker a password that actually provides access to the system later.