1. Introduction

One-time passwords are used to achieve higher security than traditional static passwords. They’re often generated by tokens. This article presents how tokens (synchronous and asynchronous) can be used to generate one-time passwords. Moreover, it describes a one-time password system that solves the scalability problem with tokens.

2. Identification and authentication

When the user wants to get access to the system, he typically enters a username (identification) and static password (authentication). The authentication can be related to something the user:

  • knows (e.g. static password)
  • has (e.g. token or mobile)
  • is (e.g. iris scan)

Single-factor authentication takes place when only one of the aforementioned things is taken into account while authenticating the user. The strongest authentication uses all of them and is called three-factor authentication.

A token based one-time password system is a transformation from something the user knows (static password) to something the user has (token). Consequently, the user doesn’t have to remember passwords, which are generated by the token.

3. User vs. static passwords

When the attacker gets the static password of the user, he can use it within its lifetime. Many people never change the password. Then, the attacker can impersonate the user for an unlimited time. It isn’t much better when an organization changes passwords every month. It still gives the attacker a lot of time to perform malicious actions.

People are advised to use strong passwords (a long mixture of lower and upper case letters, digits, special characters; the more random it is the better), which should be unique for every system. This is fine from a security point of view, but unusable from a user point of view. As a result, people write the passwords down, stick them on the monitor or hide under the keyboard. They also use the same password for different systems. When this is the case, the attacker can automatically impersonate the user in many places.

Let’s analyze the aforementioned problems when one-time passwords are used.

4. User vs. One-time passwords

One-time password (also called a dynamic password) should be randomly generated and is used only once. When this password has already been used, it is useless for the attacker (replay attack is prevented).

The user doesn’t have to manage/remember one-time passwords. The one-time password is generated by the token and presented to the user if he needs to authenticate. Then the passwords are not taken down or hidden under the keyboard. In addition to this the user doesn’t use the same password for many services. Consequently, the attacker cannot automatically impersonate the user in many places.

5. One-time passwords with synchronous token

Time or a counter is used to synchronize the token and the authentication server which share a secret key. Let’s assume that time based synchronization is used. Then the secret key and time are used to create the one-time password. The user enters username and the one-time password generated by token to get access to the system. The one-time password might have limited lifetime (for example 60 seconds). When this is the case, the attacker who has learnt the one-time password can use it only within this time range.

6. One-time passwords with asynchronous token

The challenge/response mechanism is used to generate one-time passwords. The authentication server and the user share a secret key. The challenge is sent to the user who enters it into the token. The challenge and the secret key are used to generate the one-time password (the response). Then the user enters username and this one-time password to get access to the system. The authentication server checks if the one-time password it has received matches the expected value.

7. Token and two factor authentication

The authentication with a token is based on what the user has (single factor authentication). The problem occurs, when the token is stolen (the attacker can impersonate the user). That’s why it’s recommended to enter the PIN before using the token. Then stronger authentication is achieved (two factor authentication – something the user has (token) and something the user knows (PIN)).

The another approach might be combining one-time passwords generated by a token with static password to achieve two factor authentication. Static password is something the user knows, token is something the user has. If the attacker learns the static password of the user, he can’t impersonate him, because he doesn’t control the user’s token.

8. Solving a scalability problem with tokens

Want to learn more?? The InfoSec Institute CISSP Training course trains and prepares you to pass the premier security certification, the CISSP. Professionals that hold the CISSP have demonstrated that they have deep knowledge of all 10 Common Body of Knowledge Domains, and have the necessary skills to provide leadership in the creation and operational duties of enterprise wide information security programs.

InfoSec Institute's proprietary CISSP certification courseware materials are always up to date and synchronized with the latest ISC2 exam objectives. Our industry leading course curriculum combined with our award-winning CISSP training provided by expert instructors delivers the platform you need in order to pass the CISSP exam with flying colors. You will leave the InfoSec Institute CISSP Boot Camp with the knowledge and domain expertise to successfully pass the CISSP exam the first time you take it. Some benefits of the CISSP Boot Camp are:

  • Dual Certification - CISSP and ISSEP/ISSMP/ISSAP
  • We have cultivated a strong reputation for getting at the secrets of the CISSP certification exam
  • Our materials are always updated with the latest information on the exam objectives: This is NOT a Common Body of Knowledge review-it is intense, successful preparation for CISSP certification.
  • We focus on preparing you for the CISSP certification exam through drill sessions, review of the entire Common Body of Knowledge, and practical question and answer scenarios, all following a high-energy seminar approach.

The user doesn’t want to have N tokens to access N services (scalability problem). This section shows how a single private key stored on the smart card can be used to create one-time password system that is scalable.

The authentication server can generate a one-time password and encrypt it with the public key of the user. The user is the only one, who can decrypt it, because only he knows the corresponding private key. The user decrypts the one-time password and sends it to the authentication server. The authentication server checks whether the one-time password it has received matches the one previously generated. If they match, the user is authenticated. This is called zero knowledge proof – the user doesn’t have to show the private key in order to prove that he holds this key. Only the user knows the private key. That’s why the non-repudiation is satisfied. Only one private key can be used to get access to many systems. Thus the scalability problem is solved.

Once the private key is stolen, the security is broken. That’s why the private key should be securely stored. At first glance, modern smartphones seem to be a good choice for storing the private key – they are ubiquitous and no extra device would be needed for the purpose of authentication. But they are multifunctional devices and have the same security problems as personal computers. That’s why it’s proposed to use a dedicated device for user authentication.
When a dedicated device is used, the risk of stealing the private key is reduced as a consequence of complexity reduction. That’s why it’s recommended to store the private key on the smart card. The private key doesn’t leave the smart card while the one-time password is being decrypted.

9. Conclusions

One-time passwords (also called dynamic passwords) are more secure then static ones. Synchronous and asynchronous tokens can be used to generate one-time passwords. When tokens are used, it is recommended to use them together with PIN or static password to achieve two factor authentication. Zero knowledge proof can be used to create a one-time password system that solves the scalability problem with tokens. Then it is recommended to store the private key on the smart card to minimize the risk of stealing it.