RE: one-time password (OTP) authentication

Subject: RE: one-time password (OTP) authentication
Date: Mon, 20 Jun 2005 17:19:08 -0700
 
With two-factor authentication, the "something they have" is a physical
device; therefore it must be present to log on, and only the original owner
would have the physical device, in this case the USB token.

-----Original Message-----
From: james [mailto:james@tlhenterprises.net]
Sent: Monday, June 20, 2005 4:58 PM
To: james@tlhenterprises.net; webappsec@securityfocus.com;
maburns@safenet-inc.com
Subject: RE: one-time password (OTP) authentication


The list is the something they have, *not* the something they know.  In
addition to using it to authenticate, they also must have their regular
username/password, which should not be written down anywhere.




---------- Original Message ----------------------------------
From: maburns@safenet-inc.com
Date:  Mon, 20 Jun 2005 13:21:14 -0700


Regardless of saving the money on a two-factor USB token that ranges from
$29-$55, I think this approach mentioned is so insecure... "The
administrator prints off a list of one-time passwords and delivers a
hard-copy via physical medium (fax, phone, snail-mail, person-to-person
handoff)"

The power of two-factor authentication is that nothing is written down,
which is part of the reason passwords are so insecure.

Two-factor authentication is 1) "something physical only the user has",
like a USB key, which is the same as an ATM card, and 2) a "PIN # that
only the user knows". This is not difficult to implement; there are SDKs
available, and users trust their ATM cards, so making the jump to a USB
token would not be too difficult.

Mary Ann

-----Original Message-----
From: james [mailto:james@tlhenterprises.net]
Sent: Saturday, June 18, 2005 9:16 PM
To: webappsec@securityfocus.com
Subject: one-time password (OTP) authentication

Two-factor authentication (authenticating a user with something they know
AND something they possess) is becoming more and more popular due to
increasing security requirements and the prevalence of spyware
software.  However, in open source projects, solutions such as RSA
SecurID, smartcards, etc. are not always feasible because of funding,
licensing, or other constraints.
Here is a complete, standards-based, open source, no-hardware solution.
Here is a PHP implementation for generating, challenging, and
authenticating one-time passwords according to RFC 2289.  (Go to
http://www.dcphp.com/Developers/files/otp_pub.zip
to download.)  Below are two scenarios for OTP use.

Scenario A: 
Users across an organization need access to corporate resources at 
home, on the road, in airplanes, etc.  Users are many (>1000) and 
geographically distributed.  A user applies for access and is approved.  
The administrator prints off a list of one-time passwords and delivers 
a hard-copy via physical medium (fax, phone, snail-mail, person-to-person
handoff).

Scenario B:
Users self-register for a commercial (or other) website.  Once
successfully registered, the user is given the option to generate a
list of one-time passwords and use them for authentication in addition
to their username/password (of course, the user can ignore OTP from certain
trusted computers, such as the one they registered from, if they trust
it).  The user can generate new OTPs at any time once authenticated.



When the user logs in, they use their username, password, and a
one-time password (which one depends on which one they are prompted for
by the server).  The OTP expires immediately upon authentication.  Now,
if a hacker intercepts all three tokens, they are still unable to
perform a replay attack because the third token is already invalidated.
There is a race condition if they are watching in real time, but this can
be accounted for via transaction locking in the session handling code.


--
the brown cow
--

