
links: SPA TOC - Identification Authentication - Index


One Time Password

A one-time password (OTP) is a password that is valid for a single login session or transaction. It is more secure than a static password because a code that is intercepted, shoulder-surfed or leaked cannot be used again later: the window for unauthorized access is reduced to the lifetime of one code. OTPs are typically derived by an algorithm from a shared secret and a moving factor, either the current time (\(\rightarrow\) TOTP) or a counter (\(\rightarrow\) HOTP). OTPs can be delivered out of band by SMS or email, or generated locally by a dedicated authenticator application or hardware device.

[figure: OTP.png]

HMAC-based one-time password (HOTP)

  • Client and server share a constant secret key \(K\)
  • Client and server each keep a counter \(C\), which must stay synchronized: the client increments it for every OTP it generates, the server for every successful authentication. Because a user may generate codes that are never submitted, the server accepts a small look-ahead window of counter values to resynchronize
  • The code is \(\text{HOTP}(K, C) = \text{Truncate}(\text{HMAC-SHA-1}(K, C)) \bmod 10^d\) for \(d\) digits (RFC 4226). Once the server has accepted a code it moves its counter past it, so the same code is never accepted twice

[figure: HOTP.png]

[figure: HOTP2.png]

Time-based one-time password (TOTP)

Same as HOTP, but the moving factor is the time step \(C_T = \left\lfloor \frac{T - T_0}{X} \right\rfloor\) instead of an event counter, where \(T\) is the current Unix time, \(T_0\) the start of the epoch (usually 0) and \(X\) the step length (usually 30 s) (RFC 6238). Client and server clocks must be loosely synchronized, so a server typically also accepts the neighbouring steps; it must then remember the last step it accepted so that a captured code cannot be replayed within that window.

[figure: TOTP.png]
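The two constructions above, as an added example in Go that is not part of these notes: `HOTP` and `TOTP` compute the codes exactly as RFC 4226 and RFC 6238 specify them (HMAC-SHA-1 over the big-endian 8-byte counter, dynamic truncation, \(\bmod 10^d\)), and the two verifier types show the server-side details the bullets leave implicit: the HOTP look-ahead window for counter resynchronization, and the TOTP bookkeeping that makes each time step usable once so a code captured inside its validity window cannot be replayed. The secret `12345678901234567890` is the test secret from both RFCs; the window sizes, the constant-time comparison and the `lastUsed` field are choices of this example, not something the notes prescribe.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/binary"
	"fmt"
)

// HOTP implements RFC 4226: Truncate(HMAC-SHA-1(K, C)) mod 10^digits,
// with the 8-byte counter C fed to the HMAC in big-endian order.
func HOTP(key []byte, counter uint64, digits int) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, key)
	mac.Write(msg[:])
	h := mac.Sum(nil)
	offset := h[len(h)-1] & 0x0f // dynamic truncation: low nibble of the last byte picks the window
	code := binary.BigEndian.Uint32(h[offset:offset+4]) & 0x7fffffff
	mod := uint32(1)
	for i := 0; i < digits; i++ {
		mod *= 10
	}
	return fmt.Sprintf("%0*d", digits, code%mod)
}

// TimeStep is RFC 6238's C_T = floor((T - T0) / X) for a Unix time T.
func TimeStep(t, t0, step int64) int64 {
	return (t - t0) / step
}

// TOTP is HOTP with the time step as the moving factor (T0 = 0).
func TOTP(key []byte, t, step int64, digits int) string {
	return HOTP(key, uint64(TimeStep(t, 0, step)), digits)
}

// HOTPVerifier is the server side of HOTP: the shared key plus the next expected counter.
type HOTPVerifier struct {
	Key     []byte
	Digits  int
	Window  int    // how far ahead the server searches when the client has drifted ahead
	Counter uint64 // next counter value the server is willing to accept
}

// Verify checks code against Counter .. Counter+Window and, on success, moves
// the counter past the matched value so the same OTP cannot be replayed.
func (v *HOTPVerifier) Verify(code string) bool {
	for i := 0; i <= v.Window; i++ {
		c := v.Counter + uint64(i)
		if subtle.ConstantTimeCompare([]byte(HOTP(v.Key, c, v.Digits)), []byte(code)) == 1 {
			v.Counter = c + 1
			return true
		}
	}
	return false
}

// TOTPVerifier accepts a code for the current step +/- Skew steps, but each step
// is usable once: a captured code replayed inside its window is rejected.
type TOTPVerifier struct {
	Key      []byte
	Step     int64
	Digits   int
	Skew     int
	lastUsed int64 // highest step already consumed (0 = none, so step 0 itself is never usable)
}

func (v *TOTPVerifier) Verify(code string, now int64) bool {
	cur := TimeStep(now, 0, v.Step)
	for d := -int64(v.Skew); d <= int64(v.Skew); d++ {
		c := cur + d
		if c <= v.lastUsed {
			continue // this step (or an earlier one) has already been used once
		}
		if subtle.ConstantTimeCompare([]byte(HOTP(v.Key, uint64(c), v.Digits)), []byte(code)) == 1 {
			v.lastUsed = c
			return true
		}
	}
	return false
}

func main() {
	key := []byte("12345678901234567890") // the RFC 4226 / RFC 6238 test secret
	fmt.Println(HOTP(key, 0, 6))          // 755224
	fmt.Println(TOTP(key, 59, 30, 8))     // 94287082
	v := &TOTPVerifier{Key: key, Step: 30, Digits: 8, Skew: 1}
	fmt.Println(v.Verify("94287082", 61), v.Verify("94287082", 61)) // true false
}
```

`go run` prints the first two RFC test vectors and then `true false`: the second call presents the same valid code inside the same window and is refused, which is the replay protection the TOTP bullet above relies on.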

Yubico OTP

  • Client requires a YubiKey
  • At manufacturing (or when the key is reprogrammed) a 128-bit AES key is generated, stored on the YubiKey and registered with Yubico's validation service or with the service's own validation server, indexed by the key's public ID
  • To generate an OTP the key builds a 16-byte token from its private ID, a session counter (incremented at every power-up), a timestamp, a session use counter (incremented for every OTP within a session) and random bytes, appends a CRC-16, and encrypts the token with the AES key. The OTP is the key's public ID followed by the ciphertext, both in Yubico's modhex encoding (44 characters)
  • The validation server looks up the AES key by the public ID, decrypts the ciphertext and verifies the CRC and the private ID; a wrong key or a modified OTP produces garbage that fails these checks
  • The validation server also checks that the session counter and session use counter are higher than the last values it accepted for that key, so a captured OTP cannot be replayed
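Both halves of the procedure above, as an added example in Go that is not Yubico's code: `GenerateOTP` models what the key does (pack the token, encrypt it with AES-128, emit public ID plus ciphertext in modhex) and `Validate` models the server (decrypt, check the CRC residue and private ID, then enforce that the counter pair moves strictly forward). The modhex alphabet, the token layout, the CRC-16 and its fixed residue 0xf0b8 follow Yubico's published format; the in-memory map used as the key database, the AES key, public ID and private ID in the test, and the error strings are this example's own constructions.

```go
package main

import (
	"crypto/aes"
	"crypto/subtle"
	"encoding/binary"
	"errors"
	"strings"
)

const modhex = "cbdefghijklnrtuv" // Yubico's keyboard-layout-independent hex digits 0..15

func modhexEncode(b []byte) string {
	out := make([]byte, 0, 2*len(b))
	for _, c := range b {
		out = append(out, modhex[c>>4], modhex[c&15])
	}
	return string(out)
}

func modhexDecode(s string) ([]byte, error) {
	out := make([]byte, len(s)/2)
	for i := 0; i < len(out)*2; i++ {
		v := strings.IndexByte(modhex, s[i])
		if v < 0 {
			return nil, errors.New("modhex: bad character")
		}
		out[i/2] = out[i/2]<<4 | byte(v) // two characters per byte, high nibble first
	}
	return out, nil
}

// crc16 (reflected poly 0x8408, init 0xffff): the key stores the complemented CRC of bytes
// 0..13 in bytes 14..15, so the CRC over all 16 bytes of an intact token is always 0xf0b8.
func crc16(b []byte) uint16 {
	crc := uint16(0xffff)
	for _, c := range b {
		crc ^= uint16(c)
		for i := 0; i < 8; i++ {
			crc = crc>>1 ^ 0x8408*(crc&1) // xor in the polynomial when the shifted-out bit is 1
		}
	}
	return crc
}

// Token is the 16-byte plaintext the key encrypts with its AES-128 key.
type Token struct {
	UID  [6]byte // private ID, compared with the value registered for the key
	Ctr  uint16  // session counter (2 bytes LE): +1 per power-up, persistent, low 15 bits used
	Tstp uint32  // 24-bit 8 Hz timestamp (3 bytes LE) since power-up
	Use  uint8   // session use counter: +1 per OTP, reset on power-up
	Rnd  uint16  // random filler; the trailing 2 bytes hold the complemented CRC-16
}

func (t Token) pack() []byte {
	b := make([]byte, 16)
	copy(b, t.UID[:])
	binary.LittleEndian.PutUint16(b[6:], t.Ctr)
	b[8], b[9], b[10] = byte(t.Tstp), byte(t.Tstp>>8), byte(t.Tstp>>16)
	b[11] = t.Use
	binary.LittleEndian.PutUint16(b[12:], t.Rnd)
	binary.LittleEndian.PutUint16(b[14:], ^crc16(b[:14]))
	return b
}

// GenerateOTP models the key: modhex(publicID) || modhex(AES_k(token)), 44 characters.
// key must be 16 bytes (AES-128); any other length panics.
func GenerateOTP(key, publicID []byte, t Token) string {
	block, _ := aes.NewCipher(key)
	ct := make([]byte, 16)
	block.Encrypt(ct, t.pack())
	return modhexEncode(publicID) + modhexEncode(ct)
}

// KeyRecord is the validation server's per-key state, looked up by modhex public ID.
type KeyRecord struct {
	AESKey []byte
	UID    [6]byte
	next   uint32 // smallest acceptable (session ctr << 8 | use ctr): the replay floor
}

// Validate models the validation server's handling of one submitted OTP.
func Validate(db map[string]*KeyRecord, otp string) error {
	if len(otp) < 34 || len(otp) > 44 {
		return errors.New("otp: bad length")
	}
	rec, ok := db[otp[:len(otp)-32]] // public ID precedes the 32 ciphertext characters
	ct, err := modhexDecode(otp[len(otp)-32:])
	if !ok || err != nil {
		return errors.New("otp: unknown public id or bad modhex")
	}
	block, _ := aes.NewCipher(rec.AESKey)
	pt := make([]byte, 16)
	block.Decrypt(pt, ct)
	if crc16(pt) != 0xf0b8 { // a wrong key or a modified ciphertext garbles the whole block
		return errors.New("otp: crc check failed")
	}
	if subtle.ConstantTimeCompare(pt[:6], rec.UID[:]) != 1 {
		return errors.New("otp: private id mismatch")
	}
	c := uint32(binary.LittleEndian.Uint16(pt[6:])&0x7fff)<<8 | uint32(pt[11])
	if c < rec.next {
		return errors.New("otp: replay (counters not above the last accepted value)")
	}
	rec.next = c + 1 // only moves forward: a captured OTP never validates a second time
	return nil
}
```

The replay floor is the pair (session counter, session use counter) treated as one monotonically increasing number: an OTP from an earlier power-up session is rejected even if its use counter is large, and the same OTP submitted twice is rejected because the floor has already moved past it. Ciphertext integrity comes from the CRC inside the encrypted block rather than from a separate MAC, which is why the server checks the residue before trusting any field.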

Caveats of OTP

  • Beware of replay attacks \(\rightarrow\) a counter (or accepting each time step only once) fixes this, as long as the server actually records what it has accepted
  • Static OTPs (e.g. codes sent by SMS or email) are neither time- nor challenge-based; they stay valid until used or expired, often for minutes, so they have a longer window of vulnerability
  • Does not prevent MITM: an attacker who relays the login in real time can use the OTP before it expires
  • Susceptible to phishing: a fake login page can collect the OTP and forward it to the real service immediately
  • Dynamic linking (binding the code to the transaction it authorizes) is not possible: an OTP is too short to carry information about the transaction, so the user cannot tell what a code is actually approving
