One-Time Passwords
By Anthony McDougle and Loren Klingman
Why Use One-Time Passwords?
• The average user does not have secure passwords
  • Simple passwords
  • Reusing the same password
  • Never changing their password
• Can add security when used as an additional level of authentication
What Are One-Time Passwords?
• A new password is generated at each use
• The password expires after one use and cannot be used again
• Cannot be re-used by an interceptor
Who Uses One-Time Passwords?
• Facebook
  • Optional method of logging into public PCs
  • Generated password is delivered via text message
• Google
  • Multi-factor authentication, using a standard password & a one-time password in order to log in
• Among many others!
How It Works
• Time-generated on server & client
  • Requires synchronization
• “Seeded” algorithm
  • One-way hash function
• Passwords generated and sent to the user
Password Distribution
• Mobile phone app
• Token-generating device
• Text message or e-mail
  • Cheapest, but least secure
• Printed on paper & given to the user
Multi-Factor Authentication
• When a system uses multiple levels and methods of authentication
• Categories of authentication
  • Something you are (biometrics)
  • Something you have (phone, computer)
  • Something you know (standard password)
• Can be as simple as having a standard password and a generated one-time password for logins
Benefits
• Passwords cannot be stolen by traffic sniffers and key loggers
• Passwords cannot be cracked by traditional methods
• Not very susceptible to phishing attempts / non-secure users
• Passwords are, in theory, not re-usable
  • Stolen passwords are useless
Vulnerabilities
• Theft of the password generator or of a list of valid passwords is still a possibility
• Cracking the password-generation algorithm
• In cases of SMS / e-mail / other messaging, the service provider in the middle must prevent interception
• Malware that can trick a user into giving up a password before its use
Other Pros & Cons
• One-time passwords are generally safer than regular passwords
• May be too much
  • Too many prompts can frustrate users
• Costs money to implement, but often cheaper than other methods such as biometrics
Conclusion
• One-time passwords are a much safer alternative
  • Thwart key loggers, traffic sniffers, and phishers
• One-time passwords still have vulnerabilities, though they are harder to crack
• Deciding on the password system depends on the company and the security measures necessary
  • Different systems may be more cost-effective depending on the need
• Find a balance between cost, simplicity, and security