Re: How do OTP tokens work?

droid <jshowalter@xxxxxxxxx> writes:

On Mar 12, 9:04 am, Nick Owen <owen.n...@xxxxxxxxx> wrote:

Time-based tokens take the time and a shared secret to create the one-
time passcode using a symmetric encryption algorithm, typically AES
these days. To account for clock drift, if the user submits a bad OTP,
the server will search for that OTP in past and future codes to see if
it was or will be valid. If it finds it, it prompts the user for the
next OTP and creates a time-offset entry. Most time-based OTP

In the case that a passcode is found to have been valid in the past, it
makes sense that the server prompts for another so it can create a
time-offset entry in the user's account. But it cannot allow the
(or the next) passcode for login, because someone with temporary
access to the passkey could breach the account by simply recording
a short series of the passcodes.

Any system which allows on a time-based form of one time authentication
will need to keep a record of which tokens are seen unless it can
exclude man in the middle.

(Even if there's only a short window an active attacker can get in if
the used codes are not invalidated; split networks then become an issue
as are challenges sent digit-for-digit as an attacker can easily attempt
to guess the last digit.)

IMHO, only challenge-response is safe and these "convenient" tokens
which just require the number to be typed are not as secure as one
would like.

Expressed in this posting are my opinions. They are in no way related
to opinions held by my employer, Sun Microsystems.
Statements on Sun products included here are not gospel and may
be fiction rather than truth.
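As an added example, not code from any poster in this thread: a server-side time-based OTP check that does the drift-window search Nick describes and then records the highest accepted time step, so a code observed in transit cannot be replayed within the window, which is the invalidation the reply says is needed. It uses the RFC 4226/6238 HMAC-SHA1 construction rather than an AES-based scheme, and the secret and timestamps are the RFC test values.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    # RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation.
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % (10 ** digits):0{digits}d}"


def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    # RFC 6238: the counter is the number of whole time steps since the epoch.
    return hotp(secret, now // step, digits)


class TotpVerifier:
    """Server side: search +/- `window` steps for clock drift, but never accept
    a step at or below the highest one already used, so a recorded code is dead."""

    def __init__(self, secret: bytes, step: int = 30, window: int = 1) -> None:
        self.secret = secret
        self.step = step
        self.window = window
        self.last_counter = -1  # highest time step whose code was accepted

    def verify(self, code: str, now: int) -> bool:
        base = now // self.step
        for delta in range(-self.window, self.window + 1):
            counter = base + delta
            if counter <= self.last_counter:
                continue  # already consumed (or older than a consumed step): replay
            if hmac.compare_digest(hotp(self.secret, counter), code):
                self.last_counter = counter  # consume this step and everything before it
                return True
        return False


# RFC 4226 / RFC 6238 test secret (ASCII "12345678901234567890"); constructed demo only.
TEST_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    v = TotpVerifier(TEST_SECRET)
    code = totp(TEST_SECRET, 59)          # time step 1 -> "287082"
    print(code, v.verify(code, 59))       # True: first use
    print(code, v.verify(code, 61))       # False: same code replayed inside the window
```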