How do OTP Tokens Work?

ActivIdentity : 16 August, 2011  (Technical Article)
ActivIdentity examines One-Time-Password (OTP) tokens and the differences between the technologies and algorithms that they use
OTP tokens are in the news these days. One particular implementation of the technology has been so successful that its name ‘SecurID’ is almost synonymous with an OTP token.

But according to Julian Lovelock, Senior Director, ActivIdentity, high profile attacks have raised questions as to whether OTP tokens are fundamentally flawed.

Julian Lovelock stated: “In February 2010 RSA announced that an APT attack had extracted information from their servers. Then in May the network at Lockheed experienced a ‘major disruption’, which was attributed in part to an attack making use of that stolen information.”

“These attacks have inevitably raised questions amongst network security professionals as to whether OTP tokens are flawed, or whether the technology just needs tweaking a bit. To answer that question it’s helpful to get a better understanding of how they work. One aspect is key management; another is the token algorithm itself,” continued Julian Lovelock.

It turns out there are different flavours of token algorithm, and they differ in the way they derive the ever-changing number they display. These variations influence both the way we use them and their security.

OTP algorithms are normally based on a static key (one per device); to make the numbers (OTPs) change, they feed in variables called ‘moving factors’, typically the time, an event counter, or both.

“Some tokens use a time based algorithm. (RSA SecurID fits into this category). The issue with time as a moving factor is obviously that it is a common variable across all devices and everyone in the world knows what the current time is. This means that if you can get to the key of a token and then you know the algorithm (secret sauce) and the current time, voilà, you can generate the changing number,” continued Julian Lovelock.

“Some other tokens use a counter or event (the number of times a user presses the button to display the OTP) as the moving factor. This means that every token has a differing variable and hence for an attacker it is really difficult to predict what that number is for a particular token. The issue with simple counter-based OTP algorithms is that the OTP does not really expire, so it is susceptible to phishing (receiving an alluring email tricking you into entering your OTP).”

This brings us to a third category: OTP algorithms that use both time and counter as moving factors, and hence combine the best properties of time-based and counter-based tokens. Their OTPs expire, so they are more difficult to phish, and because each token in real life carries a different counter value they are harder to predict, which makes a seed compromise much less effective.
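To make the three categories concrete, here is an added example (not ActivIdentity's code, nor any vendor's proprietary algorithm) that derives each kind of OTP from a static per-device key using the HMAC-SHA1 construction of RFC 4226, plus a server-side verifier showing why an event-only OTP never expires on its own while a combined time-and-event OTP does. The 30-second time slot and the way the two moving factors are packed into one value are assumptions made for illustration.

```python
import hashlib, hmac, struct

STEP = 30  # seconds per time slot (assumed; the article does not give a step size)

def hotp(key: bytes, moving_factor: int, digits: int = 6) -> str:
    """Core OTP step (RFC 4226 HOTP): HMAC-SHA1(static key, 8-byte moving factor),
    dynamically truncated to `digits` decimal digits."""
    mac = hmac.new(key, struct.pack(">Q", moving_factor), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def time_otp(key: bytes, now: int) -> str:
    """Time-based token: the moving factor is the current time slot (RFC 6238 TOTP)."""
    return hotp(key, now // STEP)

def event_otp(key: bytes, counter: int) -> str:
    """Event-based token: the moving factor is the button-press counter."""
    return hotp(key, counter)

def combined_otp(key: bytes, now: int, counter: int) -> str:
    """Time-and-event token. Packing time slot (high 32 bits) and counter (low 32
    bits) into one moving factor is an assumed simplification, not a real product's scheme."""
    return hotp(key, ((now // STEP) << 32) | (counter & 0xFFFFFFFF))

class Verifier:
    """Server side: tolerates small clock drift and counter look-ahead; never re-accepts a used counter."""
    def __init__(self, key: bytes, drift_slots: int = 1, look_ahead: int = 10):
        self.key, self.drift, self.look_ahead = key, drift_slots, look_ahead
        self.last_counter = -1  # highest counter consumed so far

    def _counters(self):
        return range(self.last_counter + 1, self.last_counter + 1 + self.look_ahead)

    def verify_event(self, code: str) -> bool:
        for c in self._counters():
            if hmac.compare_digest(code, event_otp(self.key, c)):
                self.last_counter = c  # consumed: the same OTP cannot be replayed
                return True
        return False  # note: a not-yet-used event OTP never expires by itself

    def verify_combined(self, code: str, now: int) -> bool:
        for d in range(-self.drift, self.drift + 1):
            for c in self._counters():
                if hmac.compare_digest(code, combined_otp(self.key, now + d * STEP, c)):
                    self.last_counter = c
                    return True
        return False  # wrong or reused counter, or outside the time window
```

The RFC 4226 test vector (key "12345678901234567890", counter 0 gives 755224) can be used to check the HOTP core; a combined code captured at one moment is rejected ten minutes later, whereas an unconsumed event code is accepted whenever it is presented.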

Julian Lovelock concluded: “So there you have it! There are actually different OTP tokens out there, and by understanding the differences you can make an informed choice: if you want to replace a token with another, you might actually want to ask for one that uses both time and event as moving factors.”