Feb 21, 2018 Google Authenticator app supports both Time-based One-Time Password (TOTP) and HMAC-based one-time password (HOTP) OTP generation algorithms, which allows using it with more resources. TOTP is more widespread and reliable – this is an algorithm in which time is used as one of the parameters for one-time passwords generation. Issuername (str) – the name of the OTP issuer; this will be the organization title of the OTP entry in Authenticator; algorithm (str) – the algorithm used in the OTP generation. Digits (int) – the length of the OTP generated code. Period (int) – the number of seconds the OTP generator is set to expire every code. Returns: provisioning uri.
A one-time password (OTP), also known as one-time pin or dynamic password, is a password that is valid for only one login session or transaction, on a computer system or other digital device. OTPs avoid a number of shortcomings that are associated with traditional (static) password-based authentication; a number of implementations also incorporate two-factor authentication by ensuring that the one-time password requires access to something a person has (such as a small keyring fob device with the OTP calculator built into it, or a smartcard or specific cellphone) as well as something a person knows (such as a PIN).
The most important advantage that is addressed by OTPs is that, in contrast to static passwords, they are not vulnerable to replay attacks. This means that a potential intruder who manages to record an OTP that was already used to log into a service or to conduct a transaction will not be able to abuse it, since it will no longer be valid. A second major advantage is that a user who uses the same (or similar) password for multiple systems, is not made vulnerable on all of them, if the password for one of these is gained by an attacker. A number of OTP systems also aim to ensure that a session cannot easily be intercepted or impersonated without knowledge of unpredictable data created during the previous session, thus reducing the attack surface further.
OTPs have been discussed as a possible replacement for, as well as enhancer to, traditional passwords. On the downside, OTPs are difficult for human beings to memorize. Therefore, they require additional technology to work.[clarification needed]
How OTPs are generated and distributed[edit]
OTP generation algorithms typically make use of pseudorandomness or randomness, making prediction of successor OTPs by an attacker difficult, and also cryptographic hash functions, which can be used to derive a value but are hard to reverse and therefore difficult for an attacker to obtain the data that was used for the hash. This is necessary because otherwise it would be easy to predict future OTPs by observing previous ones. Concrete OTP algorithms vary greatly in their details. Various approaches for the generation of OTPs are listed below:
There are also different ways to make the user aware of the next OTP to use. Some systems use special electronic security tokens that the user carries and that generate OTPs and show them using a small display. Other systems consist of software that runs on the user's mobile phone. Yet other systems generate OTPs on the server-side and send them to the user using an out-of-band channel such as SMS messaging. Finally, in some systems, OTPs are printed on paper that the user is required to carry.
Methods of generating the OTP[edit]Time-synchronized[edit]
A time-synchronized OTP is usually related to a piece of hardware called a security token (e.g., each user is given a personal token that generates a one-time password). It might look like a small calculator or a keychain charm, with an LCD that shows a number that changes occasionally. Inside the token is an accurate clock that has been synchronized with the clock on the proprietary authentication server. On these OTP systems, time is an important part of the password algorithm, since the generation of new passwords is based on the current time rather than, or in addition to, the previous password or a secret key. This token may be a proprietary device, or a mobile phone or similar mobile device which runs software that is proprietary, freeware, or open-source. An example of time-synchronized OTP standard is Time-based One-time Password Algorithm (TOTP). Some applications can be used to keep time-synchronized OTP, like Google Authenticator and password manager.
All of the methods of delivering the OTP below may use time-synchronization instead of algorithms.
Mathematical algorithms[edit]
Each new OTP may be created from the past OTPs used. An example of this type of algorithm, credited to Leslie Lamport, uses a one-way function (call it f). This one-time password system works as follows:
To get the next password in the series from the previous passwords, one needs to find a way of calculating the inverse functionf−1. Since f was chosen to be one-way, this is extremely difficult to do. If f is a cryptographic hash function, which is generally the case, it is assumed to be a computationally intractable task. An intruder who happens to see a one-time password may have access for one time period or login, but it becomes useless once that period expires. The S/KEY one-time password system and its derivative OTP are based on Lamport's scheme.
In some mathematical algorithm schemes, it is possible for the user to provide the server with a static key for use as an encryption key, by only sending a one-time password.[1]
The use of challenge-response one-time passwords requires a user to provide a response to a challenge. For example, this can be done by inputting the value that the token has generated into the token itself. To avoid duplicates, an additional counter is usually involved, so if one happens to get the same challenge twice, this still results in different one-time passwords. However, the computation does not usually[citation needed] involve the previous one-time password; that is, usually this or another algorithm is used, rather than using both algorithms.
The methods of delivering the OTP which are token-based may use either of these types of algorithm instead of time-synchronization.
Methods of delivering the OTP[edit]Phones[edit]
A common technology used for the delivery of OTPs is text messaging. Because text messaging is a ubiquitous communication channel, being directly available in nearly all mobile handsets and, through text-to-speech conversion, to any mobile or landline telephone, text messaging has a great potential to reach all consumers with a low total cost to implement. OTP over text messaging may be encrypted using an A5/x standard, which several hacking groups report can be successfully decrypted within minutes or seconds.[2][3][4][5] Additionally, security flaws in the SS7 routing protocol can and have been used to redirect the associated text messages to attackers; in 2017, several O2 customers in Germany were breached in this manner in order to gain access to their mobile banking accounts. In July 2016, the U.S. NIST issued a draft of a special publication with guidance on authentication practices, which discourages the use of SMS as a method of implementing out-of-band two-factor authentication, due to the ability for SMS to be intercepted at scale.[6][7][8] Text messages are also vulnerable to SIM swap scams—in which an attacker fraudulently transfers a victim's phone number to their own SIM card, which can then be used to gain access to messages being sent to it.[9][10]
On smartphones, one-time passwords can also be delivered directly through mobile apps, including dedicated authentication apps such as Authy and Google Authenticator, or within a service's existing app, such as in the case of Steam. These systems do not share the same security vulnerabilities as SMS, and do not necessarily require a connection to a mobile network to use.[11][8][12]
Proprietary tokens[edit]
RSA SecurID security tokens.
RSA Security's SecurID is one example of a time-synchronization type of token, along with HID Global's solutions. Like all tokens, these may be lost, damaged, or stolen; additionally there is an inconvenience as batteries die, especially for tokens without a recharging facility or with a non-replaceable battery. A variant of the proprietary token was proposed by RSA in 2006 and was described as 'ubiquitous authentication', in which RSA would partner with manufacturers to add physical SecurID chips to devices such as mobile phones.
Recently, it has become possible to take the electronic components associated with regular keyfob OTP tokens and embed them in a credit card form factor. However, the thinness of the cards, at 0.79mm to 0.84mm thick, prevents standard components or batteries from being used. Special polymer-based batteries must be used which have a much lower battery life than coin (button) cells. Semiconductor components must not only be very flat but must minimise power used in standby and when operating.
Yubico offers a small USB token with an embedded chip that creates an OTP when a key is pressed and simulates a keyboard to facilitate easily entering a long password.[13] Since it is a USB device it avoids the inconvenience of battery replacement.
A new version of this technology has been developed that embeds a keypad into a payment card of standard size and thickness. The card has an embedded keypad, display, microprocessor and proximity chip.
Web-based methods[edit]
Authentication-as-a-service providers offer various web-based methods for delivering one-time passwords without the need for tokens. One such method relies on the user’s ability to recognize pre-chosen categories from a randomly generated grid of pictures. When first registering on a website, the user chooses several secret categories of things; such as dogs, cars, boats and flowers. Each time the user logs into the website they are presented with a randomly generated grid of pictures. Each picture in the grid has a randomly generated alphanumeric character overlaid on it. The user looks for the pictures that fit their pre-chosen categories and enters the associated alphanumeric characters to form a one-time access code.[14][15]
Hardcopy otp[1][edit]
Paper-based OTP web-site login
In some countries' online banking, the bank sends to the user a numbered list of OTPs that is printed on paper. Other banks send plastic cards with actual OTPs obscured by a layer that the user has to scratch off to reveal a numbered OTP. For every online transaction, the user is required to enter a specific OTP from that list. Some systems ask for the numbered OTPs sequentially, others pseudorandomly choose an OTP to be entered. In Germany and many other countries like Austria and Brazil,[16] those OTPs are typically called TANs (for 'transaction authentication numbers'). Some banks even dispatch such TANs to the user's mobile phone via SMS, in which case they are called mTANs (for 'mobile TANs').
Comparison of technologies[edit]Comparison of OTP implementations[edit]
The cheapest OTP solutions are those that deliver OTPs on paper, and those that generate OTPs on an existing device, without the costs associated with (re-)issuing proprietary electronic security tokens and SMS messaging.
For systems that rely on electronic tokens, algorithm-based OTP generators must cope with the situation where a token drifts out-of-sync with its server if the system requires the OTP to be entered by a deadline. This leads to an additional development cost. Time-synchronized systems, on the other hand, avoid this at the expense of having to maintain a clock in the electronic tokens (and an offset value to account for clock drift). Whether or not OTPs are time-synchronized is basically irrelevant for the degree of vulnerability, but it avoids a need to re-enter passwords if the server is expecting the last or next code that the token should be having because the server and token have drifted out-of-sync.
Use of an existing mobile device avoids the need to obtain and carry an additional OTP generator. The battery may be recharged; as of 2011 most small card devices do not have rechargeable, or indeed replaceable, batteries. However, most proprietary tokens have tamper-proof features.
OTPs versus other methods of securing data[edit]
One-time passwords are vulnerable to social engineering attacks in which phishers steal OTPs by tricking customers into providing one or more OTPs that they used in the past. In late 2005 customers of a Swedish bank were tricked into giving up their one-time passwords.[17] In 2006 this type of attack was used on customers of a US bank.[18] Even time-synchronized OTPs are vulnerable to phishing, by two methods: The password may be used as quickly by the attacker as the legitimate user, if the attacker can get the OTP in plaintext quickly enough. The other type of attack—which may be defeated by OTP systems implementing the hash chain as discussed above—is for the phisher to use the information gained (past OTP codes which are no longer valid) by this social-engineering method to predict what OTP codes will be used in the future. For example, an OTP password-generator that is pseudo-random rather than truly random might or might not be able to be compromised, because pseudo-random numbers are often predictable once one has the past OTP codes. An OTP system can only use truly random OTPs if the OTP is generated by the authenticator and transmitted (presumably out-of-band) to the user; otherwise, the OTP must be independently generated by each party, necessitating a repeatable, and therefore merely pseudo-random, algorithm.
Although OTPs are in some ways more secure than a static memorized password, users of OTP systems are still vulnerable to man-in-the-middle attacks. OTPs should therefore not be disclosed to any third parties, and using an OTP as one layer in layered security is safer than using OTP alone; one way to implement layered security is to use an OTP in combination with a password that is memorized by the user (and never transmitted to the user, as OTPs often are). An advantage to using layered security is that a single sign-on combined with one master password or password manager becomes safer than using only 1 layer of security during the sign-on, and thus the inconvenience of password fatigue is avoided if one usually has long sessions with many passwords that would need to be entered mid-session (to open different documents, websites, and applications); however, the disadvantage of using many forms of security all at once during a single sign-on is that one has the inconvenience of more security precautions during every login—even if one is logging in only for a brief usage of the computer to access information or an application that doesn't require as much security as some other top-secret items that computer is used for. See also Related technologies, below.
Related technologies[edit]
More often than not, one-time passwords are an embodiment of two-factor authentication (2FA or T-FA). 2FA is a form of layered security where it is unlikely that both layers would be compromised by someone using only one type of attack.
Otp Generation Of The Key West
Some single sign-on solutions make use of one-time passwords.
One-time password technology is often used with a security token.
Standardization[edit]
Many OTP technologies are patented. This makes standardization in this area more difficult, as each company tries to push its own technology. Standards do, however, exist – for example, RFC 1760 (S/KEY), RFC 2289 (OTP), RFC 4226 (HOTP) and RFC 6238 (TOTP).
See also[edit]
References[edit]
Retrieved from 'https://en.wikipedia.org/w/index.php?title=One-time_password&oldid=950464009'
by Prakash Sharma
With the increase in cyber security threats, it has become more and more necessary to upgrade the security standards of your web applications. You need to make sure your users’ accounts are safe.
Nowadays, a lot of online web applications are asking users to add an extra layer of security for their account. They do it by enabling 2-factor authentication. There are various methods of implementing 2-factor authentication, and TOTP (the Time-based One-Time Password algorithm) authentication is one of them.
This article explains what it is, and how and why to use it. But before understanding that, let’s first briefly take a look at what two-factor authentication means.
What is Two Factor Authentication?
Two-factor authentication (or multi factor authentication) is just an extra layer of security for a user’s account. That means that, after enabling two factor authentication, the user has to go through one more step to log in successfully. For example, the usual steps for logging in to an account are:
But after enabling 2-factor authentication, the steps look something like this:
![]()
So this adds one more step to the login process. This method is more secure, because a criminal cannot access the user’s account unless they have access to both the user’s regular password and one time password.
Currently, there are two widely used methods to get that one time password:
The SMS-based method does not need any explanation. It’s easy, but it has its own problems, like waiting for the SMS on every login attempt, security issues, and so on. The TOTP-based method is becoming popular because of it’s advantages over the SMS-based method. So let’s understand how the TOTP-based method works.
How the TOTP-based method works
Before understanding this, let’s first discuss what problems this method will solve for us.
By using the TOTP method, we are creating a one time password on the user side (instead of server side) through a smartphone application.
![]()
This means that users always have access to their one time password. So it prevents the server from sending a text message every time user tries to login.
Also, the generated password changes after a certain time interval, so it behaves like a one time password.
Great! Now let’s understand the workings of the TOTP-method and try to implement the above solution ourselves. Our requirement here is to create a password on the user side, and that password should keep changing.
The following could be a way to implement this solution:
This should work, but there are three main problems with it:
The solution to the first problem is defined in the HOTP algorithm.
Understanding HOTP:Otp Generation Of The Key 2017
HOTP stands for “HMAC-Based One-Time Password”. This algorithm was published as RFC4226 by the Internet Engineering Task Force (IETF). HOTP defines an algorithm to create a one time password from a secret key and a counter.
You can use this algorithm in two steps:
2. In this code, the output would be a 20 byte long string. That long string is not suitable as a one time password. So we need a way to truncate that string. HOTP defines a way to truncate that string to our desired length.
It might look scary, but it is not. In this algorithm, we first obtain
offset which is the last 4 bits of hmacHash[19] . After that, we concatenate the bytes from hmacHash[offset] to hmacHash[offset+3] and store the last 31 bits to truncatedHash . Finally, using a simple modulo operation, we obtain the one time password that’s a reasonable length.
This pretty much defines the HOTP algorithm. The RFA4226 doc explains why this is the most secure way to obtain a one time password from these two values.
Great! So we have found a way to obtain a one time password using a secret key and counter. But what about the second problem? How to keep track of the counter?
The solution to second problem is found in the TOTP.
Understanding TOTP:
TOTP stands for “Time-Based One-Time Password”. This was published as RFC6238 by IETF.
A TOTP uses the HOTP algorithm to obtain the one time password. The only difference is that it uses “Time” in the place of “counter,” and that gives the solution to our second problem.
That means that instead of initializing the counter and keeping track of it, we can use time as a counter in the HOTP algorithm to obtain the OTP. As a server and phone both have access to time, neither of them has to keep track of the counter.
Also, to avoid the problem of different time zones of the server and phone, we can use a Unix timestamp, which is independent of time zones.
Otp Generation Of The Keys
However the Unix time is defined in seconds, so it changes every second. That means the generated password will change every second which is not good. Instead, we need to add a significant interval before changing the password. For example, the Google Authenticator App changes the code every 30 seconds.
So we have solved the problem of the counter. Now we need to address our third problem: sharing the secret key with the phone application. Here, a QR code can help us.
Using a QR code
Though we can ask the users to type the secret key into their phone application directly, we want to make secret keys quite long for security reasons. Asking the user to type in such a long string would not be a user friendly experience.
Since the majority of smartphones are equipped with a camera, we can use it and ask the user to scan a QR code to obtain the secret key from it. So all we need to do is to convert the secret key in the QR code and show it to the user.
We have solved all three problems! And now you know how TOTP works. Let’s see how to implement it in an application.
How to implement TOTP
There are some free phone applications (like Google Authenticator App, Authy, and so on) available which can generate an OTP for the user. Therefore, in most cases, creating your own phone application is not necessary.
The following pseudo codes explain a way to implement TOTP-based 2-factor authentication in a web application.
The user is asked to scan that QR code. When the phone application scans the QR code, it gets the user’s secret key. Using that secret key, the current Unix time, and the HOTP algorithm, the phone application will generate and display the password.
We ask the user to type the generated code after scanning the QR code. This is required, because we want to make sure that the user has successfully scanned the image and the phone application has successfully generated the code.
Otp Generation Of The Key Code
Here we use the HOTP algorithm on the server side to get the OTP-based authentication on the secret key and current unix time. If that OTP is the same as the one typed by the user, then we can enable 2-factor authentication for that user.
Now after every login operation, we need to check if this particular user has 2-factor authentication enabled. If it is enabled, then we ask for the one time password displayed in the phone application. And if that typed code is correct, only then is the user authenticated.
What happens if the user loses the code?
There are a couple of ways to help the user to recover the code. Usually when they are enabling 2-factor authentication, we can show the secret key to them along with the QR code and ask them to save that code somewhere safely.
Applications like Google Authenticator App let you generate the password by directly entering the secret key. If the user loses the code, they can enter that safely saved secret key in the phone application to generate the OTP again.
If we have the user’s phone number, we can also use the SMS-based method to send an OTP to the user to help them recover the code.
Wrapping Up
Two factor authentication is gaining popularity. A lot of web applications are implementing it for extra security.
Unlike the SMS-based method, the TOTP method does not require a lot of extra effort either. So this feature is worth implementing for any application.
Comments are closed.
|
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |