Moving Beyond Passwords towards OTP
Passwords are a necessary evil, and are everywhere. Many organizations still rely completely on passwords for authentication purposes. While most of us are well aware of the limitations of passwords, we rarely move beyond them. How many of us use Two Factor Authentication (2FA) provided by cloud service providers like Google for all the services we use? Very few if any. In this blog post, I hope to steer you towards stronger authentication measures which are cost effective and reduce your reliance on passwords.
What options are available to strengthen security and reduce the dependence on passwords? There are several and before we dive into these, let us understand how different factors are used. There are essentially three factors that can be used in the authentication process:
- What the user knows: Passwords, PINs, etc.
- What the user has: Something that the user possesses like a hardware or software token.
- What the user is: Something intrinsic to the user such as a biometric (fingerprint, retina scan, etc).
Additional factors can be brought in to strengthen the authentication process. For example: a banking application uses login and password for authentication. But when a high value transaction is to be carried out, then the user needs to enter a One Time Password (OTP). The OTP can be generated on the user’s mobile device or it can be sent to the device. Essentially, the mobile device is something that the user has in her possession.
OTP has several advantages:
- standards-based support (HOTP: RFC 4226, TOTP: RFC 6238, OATH)
- as the name suggests, each value is valid for one-time use only
- it is very difficult to predict the next OTP value
- the OTP is generated or delivered out of band
Most organizations that use this method require the OTP to be delivered using SMS or text messaging. However, this implies that the user (receiver) needs to bear the charges associated with text messaging and needs to be in a mobile coverage area. Also, SMS-based delivery is not secure.
A good alternative is to use standards-based OTP generation on the “smart” mobile device instead of a delivery-based approach. OTP standards like HOTP (HMAC-based One-Time Password Algorithm) and TOTP (Time-based One-Time Password Algorithm) facilitate an OTP generation model on mobile devices. Both standards are quite similar, in that they rely on a secret shared between the mobile device and the application utilizing OTP services. The only difference is that HOTP uses a counter-based synchronization mechanism whereas TOTP is time-based. These standards are blessed by the Internet Engineering Task Force (IETF) and offer dependability.
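To make the counter-versus-time distinction concrete, here is an added example (not code from the original post or from any library it mentions) that implements both algorithms with only the Python standard library. The shared secret is the ASCII string from the RFC 4226 and RFC 6238 test vectors, so the outputs can be checked against the published values; the look-ahead window and clock-skew tolerance are the server-side resynchronisation checks a verifier needs, and both return the matched counter or time step so the server can refuse to accept it a second time.

```python
import hmac
import hashlib
import struct
import time

# Shared secret used by the RFC 4226 / RFC 6238 test vectors (ASCII "12345678901234567890").
# In a real deployment every user gets a random secret, usually provisioned as a base32 QR code.
TEST_SECRET = b"12345678901234567890"


def hotp(secret, counter, digits=6):
    """RFC 4226: HMAC-SHA1(secret, counter), dynamic truncation, then a fixed-width decimal code."""
    msg = struct.pack(">Q", counter)                       # 8-byte big-endian moving factor
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                # low nibble of the last byte selects a 4-byte window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, unix_time=None, step=30, digits=6):
    """RFC 6238: HOTP whose counter is the number of 30-second steps since the Unix epoch.
    Google Authenticator uses 6 digits; the RFC test vectors use 8."""
    if unix_time is None:
        unix_time = int(time.time())
    return hotp(secret, unix_time // step, digits)


def verify_hotp(secret, code, server_counter, look_ahead=5, digits=6):
    """Server-side HOTP check with a look-ahead window (RFC 4226 section 7.4), so a user who
    generated a few codes without submitting them can resynchronise.
    Returns the next counter value to store on success, or None on failure."""
    for c in range(server_counter, server_counter + look_ahead + 1):
        if hmac.compare_digest(hotp(secret, c, digits), code):
            return c + 1                                   # this counter value is now spent
    return None


def verify_totp(secret, code, unix_time, step=30, digits=6, skew=1):
    """Server-side TOTP check accepting the current step and +/- skew neighbours to tolerate
    clock drift. Returns the matched time step (store it and reject it on reuse) or None."""
    t = unix_time // step
    for d in range(-skew, skew + 1):
        if hmac.compare_digest(hotp(secret, t + d, digits), code):
            return t + d
    return None
```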
There are free mobile applications available which take care of locally generating the OTP. Google Authenticator is a good example and supports most mobile flavors from iOS, Android, BlackBerry, etc. I would recommend a free application like Google Authenticator, as it is already leveraged by industry leaders like Google, Amazon Web Services (AWS), etc. The setup process for Google Authenticator is simple and user-friendly.
The server application leveraging OTP will need to be enhanced to add the required support. GS Lab has an OTP library which is standards-based and supports both the HOTP and TOTP standards. This library is currently geared for Java/J2EE applications and provides a means to quickly enable your application to support strong two-factor authentication. The OTP library works with the free, off-the-shelf Google Authenticator mobile application, which simplifies the deployment process considerably for your users. If you are interested in knowing more about our OTP library, do drop us a line at firstname.lastname@example.org
In future blog posts, we will do a deep dive on OTP standards and more interesting stuff around context-aware authentication and other concepts.