By Anthony McDougle and Loren Klingman
The average user does not have secure passwords
◦ Simple passwords
◦ Reusing the same password
◦ Never changing their password
One-time passwords can add security when used as an additional level of authentication

A new password is generated at each use
The password expires after one use and cannot be used again
◦ Cannot be re-used by an interceptor

Facebook
◦ Optional method of logging into public PCs
◦ Generated password is delivered via text message
Google
◦ Multi-factor authentication, using a standard password plus a one-time password in order to log in
Among many others!

Time-generated on server & client
◦ Requires synchronization
“Seeded” algorithm
◦ One-way hash function
Passwords generated and sent to the user
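Added example, not part of the original slides: the "seeded algorithm with a one-way hash" and "time-generated on server and client" generators are shown here as the HMAC-based HOTP (RFC 4226) and TOTP (RFC 6238) constructions, which the slides do not name and which are assumed as the concrete instance. It also shows the server-side bookkeeping that makes a code expire after one use (so an intercepted code is rejected on replay) and the look-ahead and clock-drift windows that deal with the synchronization requirement. DEMO_SECRET is the published RFC 4226 test-vector key, a constructed value rather than a real credential; HotpVerifier and TotpVerifier are names chosen for this example.

```python
import hashlib
import hmac
import struct
import time

# Constructed demo secret: the RFC 4226 test-vector key, not a real credential.
DEMO_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """Counter-based one-time password (RFC 4226): HMAC-SHA1 over the 8-byte
    big-endian counter, dynamically truncated to `digits` decimal digits."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                     # low nibble selects a 4-byte window
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """Time-based one-time password (RFC 6238): HOTP with the counter = time step."""
    return hotp(secret, unix_time // step, digits)


class HotpVerifier:
    """Server-side state for a counter-based token. It remembers the last counter
    it accepted, so a code that was already used (or intercepted and replayed)
    is dead, and it looks a few counters ahead so a client that advanced its
    counter without logging in does not get locked out."""

    def __init__(self, secret: bytes, look_ahead: int = 5):
        self.secret = secret
        self.look_ahead = look_ahead
        self.last_counter = -1     # nothing accepted yet

    def verify(self, code: str) -> bool:
        start = self.last_counter + 1
        for c in range(start, start + self.look_ahead):
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.last_counter = c   # consume: this and all earlier counters are spent
                return True
        return False


class TotpVerifier:
    """Server-side check for a time-based token. Accepts the current time step
    plus `drift_steps` either side to absorb clock drift between server and
    client, and records the step it accepted so the same code is not accepted
    twice inside its validity window."""

    def __init__(self, secret: bytes, step: int = 30, drift_steps: int = 1):
        self.secret = secret
        self.step = step
        self.drift_steps = drift_steps
        self.last_step = -1

    def verify(self, code: str, unix_time: int) -> bool:
        now_step = unix_time // self.step
        for s in range(now_step - self.drift_steps, now_step + self.drift_steps + 1):
            if s > self.last_step and hmac.compare_digest(hotp(self.secret, s), code):
                self.last_step = s
                return True
        return False


def demo() -> dict:
    """Generation, first use, replay, resynchronization and a stale code,
    all against one counter-based verifier."""
    server = HotpVerifier(DEMO_SECRET)
    first = hotp(DEMO_SECRET, 0)
    return {
        "first_code": first,
        "first_use_ok": server.verify(first),                        # counter 0 accepted
        "replay_rejected": not server.verify(first),                 # same code again: dead
        "next_code_ok": server.verify(hotp(DEMO_SECRET, 1)),         # counter 1 accepted
        "skip_ahead_ok": server.verify(hotp(DEMO_SECRET, 3)),        # within look-ahead window
        "stale_code_rejected": not server.verify(hotp(DEMO_SECRET, 2)),  # behind last accepted
    }


if __name__ == "__main__":
    print(demo())
    print("current TOTP for the demo secret:", totp(DEMO_SECRET, int(time.time())))
```

The two verifier classes are the part worth studying: the generator alone gives "a new password at each use", but it is the server's record of what it has already accepted that makes the password "expire after one use", and the look-ahead and drift windows are the price of the synchronization the slides mention.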
Mobile phone app
Token-generating device
Text message or other messaging
◦ Cheapest, but least secure
Printed on paper & given to the user

When a system uses multiple levels and methods of authentication
Categories of authentication
◦ Something you are (biometrics)
◦ Something you have (phone, computer)
◦ Something you know (standard password)
Can be as simple as requiring a standard password and a generated one-time password to log in

Passwords cannot be stolen by traffic sniffers and key loggers
Passwords cannot be cracked by traditional methods
Not very susceptible to phishing attempts or non-secure users
Passwords are, in theory, not re-usable
◦ Stolen passwords are useless

Theft of the password generator, or of a list of valid passwords, is still a possibility
Cracking the password-generation algorithm
For SMS or other messaging, the service provider in the middle must prevent interception
Malware that can trick a user into giving up a password before its use

One-time passwords are generally safer than regular passwords
May be too much for some uses
◦ Too many prompts can frustrate users
Cost money to implement, but often cheaper than other methods such as biometrics

One-time passwords are a much safer alternative
◦ Thwart key loggers, traffic sniffers, and phishers
One-time passwords still have vulnerabilities, though they are harder to crack
Deciding on the password system depends on the company and the security measures necessary
◦ Different systems may be more cost-effective depending on the need
◦ Find a balance between cost, simplicity, and security