Re: How do OTP tokens work?
- From: Anne & Lynn Wheeler <lynn@xxxxxxxxxx>
- Date: Sun, 16 Mar 2008 12:05:23 -0400
Anne & Lynn Wheeler <lynn@xxxxxxxxxx> writes:
OTP tokens tend to be similarly limited ... effectively
institutional-centric ... if they were ever to really catch on, a
person would have to carry as many OTP tokens (one for every unique
security domain) as they currently require (shared-secret) passwords
(large scores of such tokens). This is one of the seductive problems
that most CSOs don't consider when specifying an institutional-centric
authentication solution (whether password-based or token-based).
re:
http://www.garlic.com/~lynn/2008f.html#49 How do OTP tokens work?
in general, unique values on each authentication are countermeasures to
replay attacks .... frequently when there are eavesdropping, skimming,
harvesting, etc. vulnerabilities.
unique transmitted values can be based on a secret shared between the
two end-points ... in which case, they still come under various shared
secret guidelines (like unique shared secret for different, unique
security domains). An institutional orientation frequently is that there
is one and only one such relationship for a person ... and the
institution can make it as difficult and onerous as possible ... since
they are the only one (whether it is frequently changed, impossible to
remember passwords or tokens that have to be carried, aka it is possible
for both "something you know" and "something you have" authentication
mechanisms to be based on an underlying shared secret).
as the electronic institutional relationships have proliferated ... the
proliferating shared secret based paradigm has become onerous for
individuals (whether the shared secrets are expressed as static
information or implemented with some sort of unique value each time).
a person-centric paradigm would allow an individual to use some common
authentication mechanism across the rapidly proliferating institutional
relationships (and significantly mitigate the increasingly onerous load
being placed on individuals by institutional-centric approaches).
a likely institutional-centric transition to token infrastructure would
start to substitute a token for each of the large scores of passwords
that individuals currently have to deal with. this would be akin to
individuals that walk around with 30-40 keys on a large ring tethered to
their side (only possibly much worse, instead of a few scores of
physical keys ... there could be several times that number of tokens).