One Time Password
One Time Passwords are passwords that are valid for only one login session or transaction. They are intended to be more secure than static passwords because a captured OTP cannot be reused for a later login, which reduces the risk of interception and subsequent unauthorized access. OTPs are typically generated by an algorithm that combines a shared secret with a moving factor (current time \(\rightarrow\) TOTP, or a counter \(\rightarrow\) HOTP). OTPs can be delivered by SMS, email or dedicated authenticator apps / hardware tokens.
HMAC-based one-time password (HOTP)
- Client and server need a constant shared secret
- Synchronized counter on client and server which increments with each authentication attempt
Time-based one-time password (TOTP)
Same as HOTP, but the time-derived value \(C_T = \lfloor (T - T_0)/X \rfloor\) (the number of whole time steps of length \(X\), typically 30 s, since the epoch \(T_0\)) is used in place of the counter
Yubico OTP
- Client requires a Yubikey
- When the YubiKey is manufactured (or programmed), an AES key is generated and stored both on the YubiKey and on the authentication server, either Yubico's or the service's own
- To generate an OTP, the ID, a timestamp, a counter, a session usage counter and a random string are encrypted with the AES key
- Authentication server can then verify the OTP with the AES key
- Authentication server also checks the counter to avoid replay attacks
Caveats of OTP
- Beware of replay attacks \(\rightarrow\) counter fixes this
- Static OTPs (e.g. delivered by SMS) are neither time- nor challenge-based and therefore have a longer window of vulnerability
- Does not prevent man-in-the-middle (MITM) attacks
- Susceptible to phishing attacks
- Dynamic linking is not possible: an OTP is too short to carry information about the transaction it authorizes
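The HOTP and TOTP algorithms from the sections above, together with the replay caveat, as an added example that is not part of the original notes: HOTP per RFC 4226 (HMAC over the counter, dynamic truncation, decimal digits), TOTP per RFC 6238 (the same function applied to \(C_T\)), and a server-side verifier that accepts a counter or time step only if it is strictly greater than the last one accepted, so a captured code cannot be replayed. The `look_ahead` and `skew` window sizes and the verifier class names are this example's own choices, not part of either RFC; the shared secret is the RFC test-vector secret, not a real key.

```python
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC(secret, counter) -> dynamic truncation -> decimal code."""
    msg = struct.pack(">Q", counter)                      # 8-byte big-endian counter
    mac = hmac.new(secret, msg, algo).digest()
    offset = mac[-1] & 0x0F                               # low nibble of last byte picks a 4-byte window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp_counter(unix_time: float, step: int = 30, t0: int = 0) -> int:
    """C_T from RFC 6238: number of whole time steps of length `step` since epoch t0."""
    return int((unix_time - t0) // step)


def totp(secret: bytes, unix_time=None, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP is HOTP with the time-derived counter C_T as the moving factor."""
    if unix_time is None:
        unix_time = time.time()
    return hotp(secret, totp_counter(unix_time, step), digits)


class HotpVerifier:
    """Server-side HOTP state. A code is valid only for a counter strictly above the
    last accepted one (within a small look-ahead window for a client that ran ahead),
    so presenting the same code twice is rejected: this is the counter-based replay fix."""

    def __init__(self, secret: bytes, look_ahead: int = 5, digits: int = 6):
        self.secret = secret
        self.look_ahead = look_ahead          # example choice, not prescribed by RFC 4226
        self.digits = digits
        self.last_counter = -1                # nothing accepted yet

    def verify(self, code: str) -> bool:
        for c in range(self.last_counter + 1, self.last_counter + 1 + self.look_ahead):
            if hmac.compare_digest(hotp(self.secret, c, self.digits), code):
                self.last_counter = c         # advance past the used counter
                return True
        return False


class TotpVerifier:
    """Server-side TOTP state. Tolerates `skew` steps of clock drift either way, but never
    accepts a time step at or below the last accepted one, so a code is single-use even
    inside its validity window."""

    def __init__(self, secret: bytes, step: int = 30, digits: int = 6, skew: int = 1):
        self.secret = secret
        self.step = step
        self.digits = digits
        self.skew = skew                      # example choice; RFC 6238 only recommends keeping it small
        self.last_step = -1

    def verify(self, code: str, unix_time=None) -> bool:
        if unix_time is None:
            unix_time = time.time()
        now = totp_counter(unix_time, self.step)
        for c in range(now - self.skew, now + self.skew + 1):
            if c > self.last_step and hmac.compare_digest(hotp(self.secret, c, self.digits), code):
                self.last_step = c
                return True
        return False


# Constructed demo using the RFC 4226 / RFC 6238 test-vector secret (not a real key).
SECRET = b"12345678901234567890"


def demo() -> dict:
    """Returns the codes and verification outcomes used in the walkthrough."""
    hv = HotpVerifier(SECRET)
    first = hotp(SECRET, 0)
    results = {
        "hotp_0": first,
        "hotp_accept": hv.verify(first),      # fresh code: accepted
        "hotp_replay": hv.verify(first),      # same code again: rejected
        "totp_59_8digits": totp(SECRET, 59, digits=8),
    }
    tv = TotpVerifier(SECRET)
    t = 1111111109
    code = totp(SECRET, t)
    results["totp_accept"] = tv.verify(code, t)
    results["totp_replay"] = tv.verify(code, t + 10)  # still inside the window, but already used
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The `hmac.compare_digest` calls keep the comparison constant-time; a plain `==` on the code string would leak timing about how many leading digits matched. Note what the verifiers do not do: they say nothing about who is presenting the code, which is exactly why OTPs do not stop phishing or MITM relays, as the caveats list states.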