Is a Thaw Coming in the OTP Winter?

By Larry Seltzer  |  Posted 2008-02-13 Print this article Print

There's reason to believe that two-factor authentication will finally move forward in the consumer space.

One-time password tokens of the type made famous by RSA have been securing enterprise networks for many years. In the consumer space they have been a complete dud, but because of work under development for some time, there's a decent chance that could change.

The point of these tokens is to provide two-factor authentication. In addition to just having to provide a password, which can be taken from the user through theft or guile, the user must also provide the code produced by a small electronic token. This code is a one-time password or OTP. The OTP has a short life span and the server can confirm, based on the time and a digital key unique to the user, that it was produced by that token. Therefore the server can be confident that the OTP was produced by the person holding the token.

These tokens are popular not just for corporate logins, but also over the Internet in "business" situations, such as logging into a commercial bank account. Consumer banks, at least in the United States, have only rolled out such devices as small-scale experiments.

There have been several good reasons to suppose that OTP tokens would be unsuccessful with consumers. One of them is token overload: what if multiple services want you to use a token? Are you going to have to have N tokens for N vendors? This problem appears to be on the way to a solution, thanks to standards from OATH, the Initiative for Open Authentication.

OATH is an industry consortium that defines reference hardware and standards for authentication platforms for devices like OTP tokens. It's not just tokens, of course. Probably the ultimate OTP device is the mobile phone; just about everyone has one and it's smart enough to do the job. Whatever the hardware platform. If it's OATH-compatible it should work with an OATH network.

An OATH network ties all the tokens and services together, much as networks like PLUS tied ATMs together. VeriSign has such a network. This also cuts the amount of work services need to do in order to get online.

There is a major downside to two-factor authentication in the consumer space, and that is the man-in-middle attack. Three years ago Bruce Schneier argued to me that two-factor solves nothing in the consumer space, and at the time I bought the argument.

The problem scenario involves software monitoring what the user enters, including the one-time password. They can't just stash it away for future use or sale. The password has a very limited shelf life. They can, on the other hand, immediately launch a session with the institution using the same code and login information. In the case of a "man in the middle" or trojan, probably the best attack is to redirect the user in order to distract them while conducting the theft session. A recent Symantec blog illustrated this point in real-life action with a Trojan horse.

The thing is, Schneier's argument is oversold. There are things banks and other institutions can do to protect against this sort of threat, at least in some cases. In the case of actual malware on the user's system, as in the Symantec example, I think the user really is toast. But in the case of a network man in the middle, such as a phishing site pretending to be PayPal or a bank, it's common for institutions to monitor the network of the user conducting the transaction and, if it's suddenly different (usually in Ohio, now it's in Ukraine), to issue some challenge-response questions, like "What was the first model of car you bought?" or "What was the name of that hot math teacher in 10th grade?"

So two-factor authentication can help impede many identity theft attacks and it puts a burden on attackers to be much quicker and more sophisticated. But it's not a perfect defense by any means and there are certain classes of attacks that it is in a bad position to block.

Does this mean it's useless? I don't think so. If it's an impediment to successful attack then it's a defensive enhancement. I know that if I could use a token on my sensitive logins I'd feel better about them.

And yet it's still an experimental move, at best, for PayPal and the gang. They're afraid of something, and it must be losing customers. They want customers to use online facilities because it's cheaper than having human employees, so they don't want to do anything that will discourage us. They have low expectations of us. But it's coming. Slowly. In my next column I'll examine another development that could facilitate consumer OTP.

Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983.

For insights on security coverage around the Web, take a look at Security Center Editor Larry Seltzer's blog Cheap Hack


Larry Seltzer has been writing software for and English about computers ever since—,much to his own amazement—,he graduated from the University of Pennsylvania in 1983.

He was one of the authors of NPL and NPL-R, fourth-generation languages for microcomputers by the now-defunct DeskTop Software Corporation. (Larry is sad to find absolutely no hits on any of these +products on Google.) His work at Desktop Software included programming the UCSD p-System, a virtual machine-based operating system with portable binaries that pre-dated Java by more than 10 years.

For several years, he wrote corporate software for Mathematica Policy Research (they're still in business!) and Chase Econometrics (not so lucky) before being forcibly thrown into the consulting market. He bummed around the Philadelphia consulting and contract-programming scenes for a year or two before taking a job at NSTL (National Software Testing Labs) developing product tests and managing contract testing for the computer industry, governments and publication.

In 1991 Larry moved to Massachusetts to become Technical Director of PC Week Labs (now eWeek Labs). He moved within Ziff Davis to New York in 1994 to run testing at Windows Sources. In 1995, he became Technical Director for Internet product testing at PC Magazine and stayed there till 1998.

Since then, he has been writing for numerous other publications, including Fortune Small Business, Windows 2000 Magazine (now Windows and .NET Magazine), ZDNet and Sam Whitmore's Media Survey.

Submit a Comment

Loading Comments...
Manage your Newsletters: Login   Register My Newsletters

Rocket Fuel