Re: How do OTP tokens work?



On Mar 12, 12:06 am, droid <jshowal...@xxxxxxxxx> wrote:
If this is off-topic here, please direct me to the 'right' group.

I just got a VeriSign Secure Key from PayPal, which is a one-time password (OTP) token used for two factor authentication (TFA). The
PayPal Secure Key is a sequence-based token. Here's how I think it
works:

Although it displays six digits, I don't think it generates six digit
pseudo-random numbers. Rather, I think the six digits are made-up of
two components. The first component is the next number in the pseudo-
random sequence and the other is an encoding of the number of button
presses there have been.

Given the server 'knows' where in the pseudo-random sequence the key
began and how many key-presses (sequences) there have been, it 'knows'
where the key is in the sequence.

Does anyone know if I'm right about this?

There are also time-based OTP tokens. My nephew uses one at his work
place and I can't figure out how they are kept synchronized with the
login server.

If I suppose time-based tokens had perfect clocks; then given the
server knows both where (in the pseudo-random sequence) and precisely
when (in real time) the device was started; it would always 'know'
exactly where the token is in the sequence. Simple.

But the clocks _can't_ be that precise. I will assume a drift of a
few seconds in three years and that would produce unacceptable login
failure rates.

Does anyone know how time-based tokens work?

Time-based tokens take the time and a shared secret to create the one-
time passcode using a symmetric encryption algorithm, typically AES
these days. To account for clock drift, if the user submits a bad OTP,
the server will search for that OTP in past and future codes to see if
it was or will be valid. If it finds it, it prompts the user for the
next OTP and creates a time-offset entry. Most time-based OTP
servers also allow more than one passcode to be valid at a given
moment. Because the hardware tokens are hard-coded for, say, a 60
second OTP lifetime, a certain number of passcodes on either side of
the current code can be allowed as well. While this decreases user
issues, it might drop you below ANSI 9.9 requirements.

HTH,

Nick Owen

--
Nick Owen
WiKID Systems, Inc.
404.962.8983
http://www.wikidsystems.com
Commercial/Open Source Two-Factor Authentication
irc.freenode.net: #wikid
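The two mechanisms discussed in the thread, a sequence-based token absorbed by a counter look-ahead window and a time-based token with a drift window plus the two-code resync Nick describes, as an added worked example. This is not code from the original post, from WiKID, or from the VeriSign/PayPal token: it uses the RFC 4226 HOTP / RFC 6238 TOTP construction (HMAC-SHA1 over a counter or time step) rather than the AES-based generator the reply mentions, since the window and offset logic is the same whichever keyed function produces the digits. The class and parameter names, the window sizes, and the 20-byte secret are assumptions chosen for illustration.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter replaced by the current time step."""
    return hotp(secret, unix_time // step, digits)


class CounterTokenServer:
    """Server side of a sequence-based (button-press) token (hypothetical class).

    The server only knows the last counter it accepted; presses that never
    reached it are absorbed by searching a look-ahead window of counters.
    """

    def __init__(self, secret: bytes, look_ahead: int = 10) -> None:
        self.secret = secret
        self.look_ahead = look_ahead
        self.next_counter = 0  # smallest counter value still acceptable

    def verify(self, code: str) -> bool:
        for c in range(self.next_counter, self.next_counter + self.look_ahead + 1):
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.next_counter = c + 1  # this and all earlier codes are now burnt
                return True
        return False


class TimeTokenServer:
    """Server side of a time-based token (hypothetical class): a small acceptance
    window, a learned per-token drift offset, and a two-code resync when the
    code is valid somewhere in the past or future but outside the window."""

    def __init__(self, secret: bytes, step: int = 30, window: int = 1,
                 resync_window: int = 50) -> None:
        self.secret = secret
        self.step = step
        self.window = window                # +/- steps accepted on a normal login
        self.resync_window = resync_window  # +/- steps searched when the normal window fails
        self.offset = 0                     # learned token clock drift, in steps
        self.last_step = None               # last accepted step, so a code cannot be replayed
        self.pending_resync = None          # step matched by the first code of a resync

    def _find_step(self, code: str, now: int, span: int):
        base = now // self.step + self.offset
        for d in range(-span, span + 1):
            s = base + d
            if self.last_step is not None and s <= self.last_step:
                continue  # that step (or an older one) was already used: treat as replay
            if hmac.compare_digest(hotp(self.secret, s), code):
                return s
        return None

    def verify(self, code: str, now: int) -> str:
        """Returns 'ok', 'resync' (prompt the user for the next code) or 'fail'."""
        s = self._find_step(code, now, self.window)
        if s is not None:
            self.last_step, self.pending_resync = s, None
            return "ok"
        if self.pending_resync is not None:
            # Second half of a resync: the code must be the one the token shows
            # right after the first one; the pair pins down the drift offset.
            first, self.pending_resync = self.pending_resync, None
            for s in range(first + 1, first + 2 + self.window):
                if hmac.compare_digest(hotp(self.secret, s), code):
                    self.offset = s - now // self.step
                    self.last_step = s
                    return "ok"
            return "fail"
        s = self._find_step(code, now, self.resync_window)
        if s is not None:
            self.pending_resync = s  # valid in the wide search: ask for the next code
            return "resync"
        return "fail"


if __name__ == "__main__":
    # Constructed demo: a token whose clock runs 150 s (5 steps) fast.
    secret = b"12345678901234567890"
    server = TimeTokenServer(secret)
    now = 1000 * 30
    print(server.verify(hotp(secret, 1005), now))       # resync
    print(server.verify(hotp(secret, 1006), now + 30))  # ok, offset now 5
```

The cost of every extra step the server is willing to accept is visible in `_find_step`: with a six-digit code, a window of +/- N steps lets a single blind guess succeed with probability about (2N+1)/10^6 rather than 1/10^6, and the resync search of +/- 50 steps raises that a hundredfold for the one attempt it applies to, which is why the wide search should only ever lead to a second prompt and never directly to a login, and why attempts need to be rate limited regardless of the window size.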
