All You Need to Know About One-Time Passwords
December 9, 2021 · Geraldo Figueras
Access control is critical to managing your data security. Yet, old strategies such as the traditional username/password can be vulnerable.
In this blog post, we’ll look into what an OTP is, how 2FA compares with static passwords, how OTPs increase security, and the main strategies for generating them.
What is the Full Form of OTP?
The full form of OTP is One-Time Password. This password is an auto-generated string of numbers and characters, and it is this string that is passed to the user.
Not only is the OTP single-use, but it may also be time-limited. It won’t work after a set period of time.
Service providers are increasingly implementing 2FA. They are favoring one-time passwords instead of static passwords.
Let’s look into the differences between them.
2FA (Two-Factor Authentication) vs Static Passwords
2FA or 2-Factor Authentication is an extra layer of security.
It asks for not only “something you know” – such as your username and password – but also “something you have”.
One common example of “something you have” is your mobile phone’s SIM card.
What is the difference between you and a bot running a stolen list of passwords? A bot can’t physically steal your phone. So, it won’t be able to receive a passcode via email, SMS, or in-app notification.
This passcode is the OTP or one-time password.
People are bad at creating secure static passwords. Even worse, it’s common to reuse the same password to make things easier.
With the rise in online fraud, static passwords were recognized as a vulnerability. To counter that, 2FA and OTP became the standard security method, especially for sensitive systems like banks, personal accounts, and shopping carts.
OTP Password Verification for Password Resets
While not all businesses support 2FA to access their services, they may do so for a password reset.
If a user forgets their password, the system may release an OTP that acts as a single-use code. It verifies the user and allows them to reset it to a new password.
How OTPs Can Increase Security
A business can improve its security profile by implementing a one-time password flow. Let’s see how.
Because an OTP is generated by an algorithm, it is far more difficult to crack.
People choose words from the dictionary as passwords. That means hackers who already have the username (like an email address) have succeeded in accessing sensitive data simply by trying those words.
A dictionary is a finite data set, after all.
Once an algorithm has generated the password, running through that set no longer works, and cracking the code becomes much harder.
An OTP has a shelf-life: it will expire after some time. This lessens the chance of malicious interceptors replaying an authentication attempt.
For example, banking frequently uses one OTP per request. This means that a payment the user has authorized cannot be repeated without extra confirmation.
The avalanche effect
All too often, one successful attack leads to the next successful attack.
A compromised static password is up-for-grabs to be sold on to those hackers who go beyond throwing the dictionary at a login. But with a secure OTP, it’s not possible to replicate the attempt on other fronts.
One-time Password Generator Strategies
One-time passwords are tokens generated according to two main strategies: synchronous or asynchronous.
The synchronous token fits the models we described before. The user tries to log in, and the token goes to “something you have”, such as your SIM card or email address.
This is also known as a “soft token” because it is generated by remote software.
The asynchronous token is the approach taken with a challenge/response strategy. It’s the one implemented by banks’ OTP security tokens.
OTP security tokens provide a “hard token” because the OTP is generated by local hardware. They are physical devices with a small screen that look like a small pocket calculator.
This strategy can combine both synchronous and asynchronous OTPs, which provides an extra layer of security.
The user takes something they have – their bank card – and inserts it into the device. Then, they enter something they know – their PIN.
The bank provides them with a (synchronous) time-limited one-time PIN, or a “challenge”, which the user enters into the device. The device then produces an asynchronous OTP, the “response”, which the user gives back to the bank.
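To make the synchronous (time-based, single-use) and asynchronous (challenge/response) strategies from this section and the previous one concrete, here is an added example in Python, not code from the original post: a TOTP generator and server-side verifier following RFC 4226/6238, plus a simplified challenge/response exchange. The challenge/response scheme (HOTP computed over a random 8-byte challenge) is an assumption for illustration, not any bank's actual token protocol.

```python
import hmac
import hashlib
import struct
import secrets


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(key: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """Synchronous (time-based) OTP, RFC 6238: the counter is the current 30 s window."""
    return hotp(key, now // step, digits)


class TotpVerifier:
    """Server side: accepts the current window (+/- one step for clock drift) and refuses replays."""

    def __init__(self, key: bytes, step: int = 30):
        self.key, self.step = key, step
        self.last_used = -1  # highest time-step counter already consumed

    def verify(self, code: str, now: int) -> bool:
        counter = now // self.step
        for c in (counter - 1, counter, counter + 1):
            if c > self.last_used and hmac.compare_digest(hotp(self.key, c), code):
                self.last_used = c  # single-use: the same code cannot be replayed
                return True
        return False


def new_challenge() -> bytes:
    """Asynchronous OTP: the bank sends a random challenge for the hard token to answer."""
    return secrets.token_bytes(8)


def challenge_response(key: bytes, challenge: bytes, digits: int = 8) -> str:
    """What the card reader computes from the shared key and the challenge (assumed design)."""
    return hotp(key, int.from_bytes(challenge, "big"), digits)


def verify_response(key: bytes, challenge: bytes, response: str) -> bool:
    """Bank side: recompute the expected response and compare in constant time."""
    return hmac.compare_digest(challenge_response(key, challenge), response)
```

The HOTP/TOTP values match the published RFC 4226/6238 test vectors for the key `12345678901234567890`.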
The physical security token adds a clear security advantage. It’s not vulnerable to SIM cloning, email hacking, or other interception techniques. But it does have to be balanced against the trouble of carrying an extra device.
This is why a similar technology is now available via mobile phone authenticators.
Since most people carry a mobile phone at all times, this solves the issue of carrying an extra device. The asynchronous token goes to an app on your phone.
The app may even accept biometric data. That adds a “something you are” factor to the “have” and “know” requirements.
Similarly, web-based apps can provide the asynchronous token.
They may be remote, but they can also accept users’ biometric data, as well as non-biometric signals such as their device’s unique identifiers. Going further, they can restrict access by user IP or location. This lowers the risk of fraudulent interventions.
Security is the keyword, not a buzzword.
Hackers are willing to sell email addresses and passwords for less than 0.01 US cents apiece. In 2020 alone, cybercrime was estimated to cost 1 trillion dollars.
OTPs or one-time passwords add a dynamic component to the traditional username/password strategy. It’s a critical improvement to system security.
They are easy for systems administrators to implement. Customers clearly understand them, and it’s estimated their use will grow exponentially.