Is a Thaw Coming in the OTP Winter?

There's reason to believe that two-factor authentication will finally move forward in the consumer space.

One-time password tokens of the type made famous by RSA have been securing enterprise networks for many years. In the consumer space they have been a complete dud, but because of work under development for some time, there's a decent chance that could change.

The point of these tokens is to provide two-factor authentication. In addition to just having to provide a password, which can be taken from the user through theft or guile, the user must also provide the code produced by a small electronic token. This code is a one-time password or OTP. The OTP has a short life span and the server can confirm, based on the time and a digital key unique to the user, that it was produced by that token. Therefore the server can be confident that the OTP was produced by the person holding the token.

These tokens are popular not just for corporate logins, but also over the Internet in "business" situations, such as logging into a commercial bank account. Consumer banks, at least in the United States, have only rolled out such devices as small-scale experiments.

There have been several good reasons to suppose that OTP tokens would be unsuccessful with consumers. One of them is token overload: what if multiple services want you to use a token? Are you going to have to have N tokens for N vendors? This problem appears to be on the way to a solution, thanks to standards from OATH, the Initiative for Open Authentication.

OATH is an industry consortium that defines reference hardware and standards for authentication platforms for devices like OTP tokens. It's not just tokens, of course. Probably the ultimate OTP device is the mobile phone; just about everyone has one and it's smart enough to do the job. Whatever the hardware platform. If it's OATH-compatible it should work with an OATH network.

An OATH network ties all the tokens and services together, much as networks like PLUS tied ATMs together. VeriSign has such a network. This also cuts the amount of work services need to do in order to get online.

There is a major downside to two-factor authentication in the consumer space, and that is the man-in-middle attack. Three years ago Bruce Schneier argued to me that two-factor solves nothing in the consumer space, and at the time I bought the argument.

The problem scenario involves software monitoring what the user enters, including the one-time password. They can't just stash it away for future use or sale. The password has a very limited shelf life. They can, on the other hand, immediately launch a session with the institution using the same code and login information. In the case of a "man in the middle" or trojan, probably the best attack is to redirect the user in order to distract them while conducting the theft session. A recent Symantec blog illustrated this point in real-life action with a Trojan horse.

The thing is, Schneier's argument is oversold. There are things banks and other institutions can do to protect against this sort of threat, at least in some cases. In the case of actual malware on the user's system, as in the Symantec example, I think the user really is toast. But in the case of a network man in the middle, such as a phishing site pretending to be PayPal or a bank, it's common for institutions to monitor the network of the user conducting the transaction and, if it's suddenly different (usually in Ohio, now it's in Ukraine), to issue some challenge-response questions, like "What was the first model of car you bought?" or "What was the name of that hot math teacher in 10th grade?"

So two-factor authentication can help impede many identity theft attacks and it puts a burden on attackers to be much quicker and more sophisticated. But it's not a perfect defense by any means and there are certain classes of attacks that it is in a bad position to block.

Does this mean it's useless? I don't think so. If it's an impediment to successful attack then it's a defensive enhancement. I know that if I could use a token on my sensitive logins I'd feel better about them.

And yet it's still an experimental move, at best, for PayPal and the gang. They're afraid of something, and it must be losing customers. They want customers to use online facilities because it's cheaper than having human employees, so they don't want to do anything that will discourage us. They have low expectations of us. But it's coming. Slowly. In my next column I'll examine another development that could facilitate consumer OTP.

Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983.

For insights on security coverage around the Web, take a look at Security Center Editor Larry Seltzer's blog Cheap Hack