One-time Passwords - Tight Security for Sensitive Data and Responsible Users - What Exactly is OTP?
(Page 2 of 4)
OTP, as the name implies, is a technology that lets a given password be used only once to authenticate access to a particular resource. Thus, even if the password is intercepted, it cannot be used again. It is important to note that OTP is used for access control only, not for securing data in transmission: it guards the first step in the process, namely who is entering. Data still has to be encrypted during transfers.
When establishing a new session, the server issues a challenge string that is different every time, and the user enters the password for this session. The response the user types in is calculated with the help of the MD4, MD5, or SHA1 hashing algorithm. The inputs required for the calculation are the challenge phrase for the session and the user's secret password.
The hashing algorithm computes the response string (the one-time password) and the user types it in at the prompt. It is very important to use a reliable hashing algorithm, one that makes it infeasible to compute any future one-time password from previously used ones. Often, for additional security, the calculation is tied to a physical device, such as a one-of-a-kind token that nobody besides the user possesses. A smart card would be one example of such a token.
The crucial part of OTP is the hashing algorithm. If it can be broken, the whole system is at risk. But breaking hashing algorithms is not that easy. When users compute the response on an external device, for instance a PDA that is not part of the network, so that no keylogger or sniffer programs are running on it, an incidental break of the scheme is unlikely to happen.
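The challenge-response flow described above, as an added example that is not code from the article: a simplified S/Key-style hash chain in which the server stores only the last accepted value, the challenge is the next sequence number plus a seed, and the client derives its response from the challenge and the secret pass phrase. It uses SHA-1 as the page names it but omits the 64-bit folding of RFC 2289; the seed, pass phrase and class names are constructed for the demo.

```python
import hashlib
import hmac

def otp_hash(data: bytes) -> bytes:
    # One step of the chain (simplified: no RFC 2289 folding to 64 bits).
    return hashlib.sha1(data).digest()

def otp_chain(seed: str, passphrase: str, n: int) -> bytes:
    # hash^n(seed || passphrase): the n-th one-time password in the chain.
    x = (seed + passphrase).encode()
    for _ in range(n):
        x = otp_hash(x)
    return x

class OtpServer:
    def __init__(self, seed: str, passphrase: str, count: int = 100):
        # Enrollment: keep hash^count only; the pass phrase is never stored.
        self.seed = seed
        self.seq = count
        self.last = otp_chain(seed, passphrase, count)

    def challenge(self):
        # Different every session: the next (lower) sequence number and the seed.
        # Re-enrol before seq reaches 1, or hash^0 would expose the pass phrase.
        return (self.seq - 1, self.seed)

    def verify(self, response: bytes) -> bool:
        # Hashing the response once must yield the stored value; on success the
        # response becomes the new stored value, so a replay of it is rejected.
        if self.seq <= 1:
            return False
        if hmac.compare_digest(otp_hash(response), self.last):
            self.last = response
            self.seq -= 1
            return True
        return False

def client_response(passphrase: str, challenge) -> bytes:
    # Computed on the user's device from the challenge and the secret pass phrase.
    seq, seed = challenge
    return otp_chain(seed, passphrase, seq)

def demo():
    srv = OtpServer("ke1234", "correct horse", count=5)   # constructed values
    resp = client_response("correct horse", srv.challenge())
    first = srv.verify(resp)                               # fresh response accepted
    replay = srv.verify(resp)                              # intercepted copy rejected
    wrong = srv.verify(client_response("wrong", srv.challenge()))
    second = srv.verify(client_response("correct horse", srv.challenge()))
    return first, replay, wrong, second                    # (True, False, False, True)
```

Because the server holds only hash^n and SHA-1 is preimage resistant, a captured response hash^(n-1) gives an eavesdropper no way to compute the next expected value hash^(n-2).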
More By Blue Moon