One-time passwords with token
1. Introduction
One-time passwords are used to achieve higher security than traditional static passwords. They're often generated by tokens. This article presents how tokens (synchronous and asynchronous) can be used to generate one-time passwords. Moreover, it describes a one-time password system that solves the scalability problem with tokens.
What should you learn next?
2. Identification and authentication
When the user wants to get access to the system, he typically enters a username (identification) and static password (authentication). The authentication can be related to something the user:
- knows (e.g. static password)
- has (e.g. token or mobile)
-
is (e.g. iris scan)
Single-factor authentication takes place when only one of the aforementioned things is taken into account while authenticating the user. The strongest authentication uses all of them and is called three-factor authentication.
A token based one-time password system is a transformation from something the user knows (static password) to something the user has (token). Consequently, the user doesn't have to remember passwords, which are generated by the token.
3. User vs. static passwords
When the attacker gets the static password of the user, he can use it within its lifetime. Many people never change the password. Then, the attacker can impersonate the user for an unlimited time. It isn't much better when an organization changes passwords every month. It still gives the attacker a lot of time to perform malicious actions.
People are advised to use strong passwords (a long mixture of lower and upper case letters, digits, special characters; the more random it is the better), which should be unique for every system. This is fine from a security point of view, but unusable from a user point of view. As a result, people write the passwords down, stick them on the monitor or hide under the keyboard. They also use the same password for different systems. When this is the case, the attacker can automatically impersonate the user in many places.
Let's analyze the aforementioned problems when one-time passwords are used.
4. User vs. One-time passwords
One-time password (also called a dynamic password) should be randomly generated and is used only once. When this password has already been used, it is useless for the attacker (replay attack is prevented).
The user doesn't have to manage/remember one-time passwords. The one-time password is generated by the token and presented to the user if he needs to authenticate. Then the passwords are not taken down or hidden under the keyboard. In addition to this the user doesn't use the same password for many services. Consequently, the attacker cannot automatically impersonate the user in many places.
5. One-time passwords with synchronous token
Time or a counter is used to synchronize the token and the authentication server which share a secret key. Let's assume that time based synchronization is used. Then the secret key and time are used to create the one-time password. The user enters username and the one-time password generated by token to get access to the system. The one-time password might have limited lifetime (for example 60 seconds). When this is the case, the attacker who has learnt the one-time password can use it only within this time range.
6. One-time passwords with asynchronous token
The challenge/response mechanism is used to generate one-time passwords. The authentication server and the user share a secret key. The challenge is sent to the user who enters it into the token. The challenge and the secret key are used to generate the one-time password (the response). Then the user enters username and this one-time password to get access to the system. The authentication server checks if the one-time password it has received matches the expected value.
7. Token and two factor authentication
The authentication with a token is based on what the user has (single factor authentication). The problem occurs, when the token is stolen (the attacker can impersonate the user). That's why it's recommended to enter the PIN before using the token. Then stronger authentication is achieved (two factor authentication – something the user has (token) and something the user knows (PIN)).
The another approach might be combining one-time passwords generated by a token with static password to achieve two factor authentication. Static password is something the user knows, token is something the user has. If the attacker learns the static password of the user, he can't impersonate him, because he doesn't control the user's token.
8. Solving a scalability problem with tokens
The user doesn't want to have N tokens to access N services (scalability problem). This section shows how a single private key stored on the smart card can be used to create one-time password system that is scalable.
The authentication server can generate a one-time password and encrypt it with the public key of the user. The user is the only one, who can decrypt it, because only he knows the corresponding private key. The user decrypts the one-time password and sends it to the authentication server. The authentication server checks whether the one-time password it has received matches the one previously generated. If they match, the user is authenticated. This is called zero knowledge proof – the user doesn't have to show the private key in order to prove that he holds this key. Only the user knows the private key. That's why the non-repudiation is satisfied. Only one private key can be used to get access to many systems. Thus the scalability problem is solved.
Once the private key is stolen, the security is broken. That's why the private key should be securely stored. At first glance, modern smartphones seem to be a good choice for storing the private key – they are ubiquitous and no extra device would be needed for the purpose of authentication. But they are multifunctional devices and have the same security problems as personal computers. That's why it's proposed to use a dedicated device for user authentication.
When a dedicated device is used, the risk of stealing the private key is reduced as a consequence of complexity reduction. That's why it's recommended to store the private key on the smart card. The private key doesn't leave the smart card while the one-time password is being decrypted.
9. Conclusions
What should you learn next?
One-time passwords (also called dynamic passwords) are more secure then static ones. Synchronous and asynchronous tokens can be used to generate one-time passwords. When tokens are used, it is recommended to use them together with PIN or static password to achieve two factor authentication. Zero knowledge proof can be used to create a one-time password system that solves the scalability problem with tokens. Then it is recommended to store the private key on the smart card to minimize the risk of stealing it.
In this Series
- One-time passwords with token
- Free Valentine's Day cybersecurity cards: Keep your love secure!
- How to design effective cybersecurity policies
- What is attack surface management and how it makes the enterprise more secure
- Is a cybersecurity boot camp worth it?
- The aftermath: An analysis of recent security breaches
- Understanding cybersecurity breaches: Types, common causes and potential risks
- Breaking the Silo: Integrating Email Security with XDR
- What is Security Service Edge (SSE)?
- Cybersecurity in Biden’s era
- Password security: Using Active Directory password policy
- Inside a DDoS attack against a bank: What happened and how it was stopped
- Inside Capital One’s game-changing breach: What happened and key lessons
- A DevSecOps process for ransomware prevention
- What is Digital Risk Protection (DRP)?
- How to choose and harden your VPN: Best practices from NSA & CISA
- Will immersive technology evolve or solve cybercrime?
- Twitch and YouTube abuse: How to stop online harassment
- Can your personality indicate how you’ll react to a cyberthreat?
- The 5 biggest cryptocurrency heists of all time
- Pay GDPR? No thanks, we’d rather pay cybercriminals
- Customer data protection: A comprehensive cybersecurity guide for companies
- Online certification opportunities: 4 vendors who offer online certification exams [updated 2021]
- FLoC delayed: what does this mean for security and privacy?
- Stolen company credentials used within hours, study says
- Don’t use CAPTCHA? Here are 9 CAPTCHA alternatives
- 10 ways to build a cybersecurity team that sticks
- Verizon DBIR 2021 summary: 7 things you should know
- 2021 cybersecurity executive order: Everything you need to know
- Kali Linux: Top 5 tools for stress testing
- Android security: 7 tips and tricks to secure you and your workforce [updated 2021]
- Mobile emulator farms: What are they and how they work
- 3 tracking technologies and their impact on privacy
- In-game currency & money laundering schemes: Fortnite, World of Warcraft & more
- Quantitative risk analysis [updated 2021]
- Understanding DNS sinkholes - A weapon against malware [updated 2021]
- Python for network penetration testing: An overview
- Python for exploit development: Common vulnerabilities and exploits
- Python for exploit development: All about buffer overflows
- Python language basics: understanding exception handling
- Python for pentesting: Programming, exploits and attacks
- Increasing security by hardening the CI/CD build infrastructure
- Pros and cons of public vs internal container image repositories
- CI/CD container security considerations
- Vulnerability scanning inside and outside the container
- How Docker primitives secure container environments
- Top 4 Zapier security risks
- Common container misconfigurations and how to prevent them
- Building container images using Dockerfile best practices
- Securing containers using Docker isolation
- Introduction to container security
Get certified and advance your career
- Exam Pass Guarantee
- Live instruction
- CompTIA, ISACA, (ISC)², Cisco, Microsoft and more!
General security
Free Valentine's Day cybersecurity cards: Keep your love secure!
General security
General security