One-time Passwords - Tight Security for Sensitive Data and Responsible Users - Where on the Web is OTP?
(Page 4 of 4 )
Despite the abundant offerings for OTP products for the Web, OTP is still not very popular, at least not for the general public. Though OTP products for the enterprise often offer Web-based OTP as an option, used alone or in combination with other security measures such as PKI authentication and static passwords, OTP solutions are not widely deployed.
There are many potential areas of application for OTP on the Web – from FTP access, to mail, to online banking and e-commerce. These are all areas where unauthorized access gives a lot of headaches to site owners and common users.
While it is more or less obvious why online banking and e-commerce demand increased levels of security, with FTP and mail it is probably not so clear. Offering access to an FTP site with full read, write, and execute privileges is like welcoming hackers to cause damage to your site by uploading whatever content they like and deleting the stuff that does not appeal to them. Since most sites use FTP for uploading their content, it is not difficult to guess what might happen. Yes, there are FTP clients and servers that implement OTP, but as with most other areas, it is an exception rather than a standard.
With mail, similar issues due to unauthorized access arise. But unlike FTP, if a malicious user knows a person's email password, he or she can change it. This makes it possible to deprive the user of his or her mailbox, especially with those providers who do not offer a service that allows a forgotten (or more precisely stolen) password to be mailed to an alternative address. I do not claim that I have checked every single mail provider on Earth, but my humble efforts to find at least one free provider that implements OTP were absolutely unsuccessful. Even mail services that offer 2048-bit encryption do not offer OTP access!
With online banking and e-commerce there are even more OTP solutions, and this is one of the areas on the Web where OTP is most used. Generally, OTP is implemented together with other techniques. For instance, OTP may be transmitted via SMS to a mobile phone or mailed as a printout rather than sent to the user in an email, or time-based passwords that expire in a predefined amount of time are used. Sometimes several one-time passwords are used to complete a single transaction. Most of the time, OTP is only one form of authentication, and used in conjunction with hardware tokens.
Despite its disadvantages, it can be predicted that OTP will become more widely used as user concern about data security grows and users become more demanding about what service they get on the Web. But the coin has two sides; users must get used to the fact that tight security for sensitive data cannot be accomplished without their active and responsible participation. Otherwise, there is no technology that can stop identity theft and financial losses.
| DISCLAIMER: The content provided in this article is not warranted or guaranteed by Developer Shed, Inc. The content provided is intended for entertainment and/or educational purposes in order to introduce to the reader key ideas, concepts, and/or product reviews. As such it is incumbent upon the reader to employ real-world tactics for security and implementation of best practices. We are not liable for any negative consequences that may result from implementing any information covered in our articles or tutorials. If this is a hardware review, it is not recommended to open and/or modify your hardware. |