Solo passwords are dead – or at least they should be!
We’ve come a long way from using ridiculously simple passwords like 123456 or Password.
Or have we?
Too many people still use such easy-to-remember but also easy-to-break passwords to secure their online accounts. The few who do create strong passwords rarely store them securely. Regardless of which camp you fall into, the fact remains that your password is no longer strong enough to function as a first line of defense. It can be easily stolen, phished or cracked by a bad actor. And by the time you realize this and take the necessary action to protect yourself, it may be too late – your data, your money or even your identity may already be compromised. This is why more and more organizations are introducing two-factor authentication (2FA) into their user-facing systems. The goal is to add an extra layer of security to users’ accounts by requiring them to supply a second factor, such as a One-time Password (OTP), in addition to the normal alphanumeric password when logging in. There are various ways to implement 2FA, and OTP authentication is one of the most common.
What is a One-time Password (OTP) Authentication?
A one-time password, which adds a second layer of authentication to a system or account, is an easy to use and fairly reliable form of 2FA. Generally, OTPs are automatically generated and consist of a numeric or alphanumeric string of characters that the user must insert into the online system for authentication and access.
As the name suggests, an OTP is valid for only a single (‘one time’) login session or transaction, and only for a pre-defined period of time. This means that OTPs cannot be reused. This ‘ephemeral’ nature of an OTP makes a code that a hacker manages to steal or intercept of very limited value for illegally accessing a user’s account. Another way of saying this is that OTPs are not vulnerable to ‘replay’ attacks, and therefore they overcome many of the shortcomings of traditional password-based systems.
How One-time Password Authentication works
In single-factor authentication (SFA) systems, a user simply enters his email address or user name, plus a password to gain access to a system. If these credentials are correct, he is logged in. The process is simple but it is also inherently insecure because passwords can be easily stolen.
In 2FA systems, once the user’s email address/user name/password is verified, he is asked to enter the OTP he receives from the system. He is logged in only if both his credentials and the OTP entered are correct. OTP-generation algorithms derive each code from a secret, randomly generated seed, so that future OTPs cannot be predicted or guessed by studying previous OTPs. By adding this additional, deliberately unpredictable step to the authentication process, the system ensures that bad actors cannot access the user’s account (unless they can get their hands on both his credentials and his current OTP).
Three of the most widely-used methods for generating OTPs are:
- SMS-based: This is an ‘on-demand’ approach where a user receives the OTP as a text message to their registered phone number.
- Hard tokens: This is a hardware device also known as a security token or key fob that is capable of generating OTPs.
- Time-based (TOTP): In this method, a unique OTP is generated using a specific Smartphone application. TOTP is also known as a soft token.
On-demand SMS-based tokens are susceptible to phishing, a technique that cybercriminals use to trick users into sharing their OTP by pretending to be a legitimate source, say, the phone company, or a bank. Hackers can also exploit vulnerabilities in the telecommunications network to intercept OTP codes sent as an SMS message. These are some of the reasons why the U.S. National Institute of Standards and Technology (NIST) recommends that OTPs should not be sent to mobile phones via SMS. Hard tokens are expensive, vulnerable to theft, and their security is compromised when the device is shared (which often happens in organizations). Software-based OTPs (aka Time-based OTP or TOTP) mitigate these issues and offer a number of other advantages over the other two types of OTP systems.
How Time-based OTP (TOTP) works
In the SMS-based and hard token-based OTP systems, the OTP is generated on the server-side. However, a TOTP or soft token is a software program, typically a Smartphone app, that turns the user’s device into an OTP generator. In other words, in the TOTP method, an OTP is created (and displayed) on the user side through a smartphone application on his own device. This means that as long as the user has the device, he will always have access to device-generated OTPs. TOTP is a standardized method based on a ‘secret’ that is ‘shared’ (only) between the user’s device and the application’s server. Popular TOTP authenticator apps include Google Authenticator, Twilio Authy, Duo Mobile, RapidIdentity Mobile, and LastPass 2FA Authenticator.
Here’s how the TOTP setup and authentication process works:
- The first time the user sets up TOTP, the application’s server generates a secret key that is shared by the server and the device.
- The user enters the key into the application. Alternatively, he may be presented with a QR code which he can scan with his phone instead of manually keying in the shared secret.
- Once the scan completes, a new user account is created in the app.
- The user can then generate OTPs that change every n seconds (i.e. at fixed intervals).
- During authentication, the user simply enters the current OTP generated by the authenticator app along with their user name. Once his credentials are validated, the user can access the website, service, or application.
- Since he is already verified, he no longer needs to enter a shared key (or scan a QR code) in subsequent logins.
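As an added example (not code from the original article or from Verifapp), here is the standardized TOTP algorithm from RFC 6238 in Python, together with the server-side check it implies: the server derives the same code from the shared secret and the current time step, tolerates one step of clock drift, and refuses to accept the code for any step it has already consumed, which is what makes a captured code useless for replay. The secret is the RFC test seed, constructed here for the demo.

```python
import base64
import hashlib
import hmac
import struct

# Constructed demo secret in base32, the form an authenticator app receives via QR code.
# This is the RFC 4226/6238 test seed "12345678901234567890", not a real account secret.
DEMO_SECRET_B32 = base64.b32encode(b"12345678901234567890").decode()

STEP = 30      # time step in seconds (the "n seconds" after which the code changes)
DIGITS = 6     # code length shown to the user
WINDOW = 1     # accept one step either side of "now" to tolerate clock drift


def hotp(secret_b32: str, counter: int, digits: int = DIGITS) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    key = base64.b32decode(secret_b32, casefold=True)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, unix_time: int, step: int = STEP) -> str:
    """TOTP (RFC 6238): HOTP with the counter set to floor(unix_time / step)."""
    return hotp(secret_b32, unix_time // step)


class TotpVerifier:
    """Server-side check: allow small clock skew, but never accept the same time step twice."""

    def __init__(self, secret_b32: str):
        self.secret = secret_b32
        self.last_accepted_step = -1   # highest step already used by a successful login

    def verify(self, submitted: str, unix_time: int) -> bool:
        current = unix_time // STEP
        for candidate in range(current - WINDOW, current + WINDOW + 1):
            if candidate <= self.last_accepted_step:
                continue  # replay: a code for this step (or an older one) was already used
            if hmac.compare_digest(hotp(self.secret, candidate), submitted):
                self.last_accepted_step = candidate
                return True
        return False
```

With the RFC test seed, `totp(DEMO_SECRET_B32, 59)` yields 287082, matching the published RFC 6238 vector (last six digits of 94287082).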
Benefits of OTP authentication over traditional (static) passwords
An OTP’s randomness and time-bound nature make it more secure than a static password that is user-created, often weak, and/or reused across multiple accounts. This is one of the most crucial benefits of OTP-based systems, particularly those utilizing TOTP/soft tokens.
The other benefits of these systems include:
1. Easy to use
The increasing ubiquity of smartphones means that more and more people are comfortable downloading and using authenticator apps like Google Authenticator or Duo Mobile. Moreover, most people tend to keep their devices close at hand, which provides ready and easy access to the mobile authenticator application, as and when required.
2. Invulnerable to ‘replay’ attacks
OTPs eliminate the biggest inherent weakness of traditional passwords – their susceptibility to replay attacks. OTPs are not reusable and have a very short ‘shelf life’. Therefore, even if would-be intruders record them and then try to reuse them to log into a service, they will not work. This protects the user and his account from unauthorized access.
3. Low cost
Software-based OTPs leverage users’ existing mobile devices and require no IT assistance (unless the user is completely new to using Smartphone apps). This offers a low-cost authentication option over hard tokens that are usually purchased by organizations for each of their users. Moreover, many authenticator apps are free to download and use.
4. Protected by device security features
Smartphones often come with additional security features like fingerprint readers and PIN codes. These features protect the OTP generator from unauthorized access even if the user’s device is stolen. Furthermore, since a TOTP is generated on the device rather than sent over the network, and is not visible on a locked screen, it is more reliable than SMS-based OTPs, which are easier to intercept, steal, and replicate.
5. Can work offline
With TOTP, authentication can happen even if a cell phone signal is not available. This is because the OTPs are generated by a clock-based algorithm where the clocks of the server and the (user’s) device are roughly synchronized. This advantage is especially handy where a wireless signal is not available, e.g. when in-flight airplane mode is turned on.
Is OTP authentication right for your organization?
OTP authentication is a definite step up from old-fashioned, woefully inadequate password-based systems. Plus, soft OTPs use existing mobile devices to bring both security and ease of use, which are advantages for both service providers and end-users.
If your organization is considering OTP authentication, there are several methods you can explore. If you’re not sure which one is right for you, talk to the OTP experts at Verifapp. We offer an integrated application-to-person communications platform which includes secure OTP authentication that is both timely and reliable. To know more, get in touch.