One-Time Password Issues - Essay Example

Summary
The essay "One-Time Password Issues" focuses on the critical analysis of the major issues in the use of a one-time password. A one-time password (OTP) is a password that is only recognized for a single login or transaction. OTPs prevent numerous limitations…
Extract of sample "One-Time Password Issues"

One-time password (OTP)

Introduction

A one-time password (OTP) is a password that is only recognized for a single login or transaction. OTPs avoid a number of limitations associated with conventional (static) passwords. The most significant limitation tackled by OTPs is that, as opposed to static passwords, they are not susceptible to replay attacks. This implies that, if a potential interloper manages to capture an OTP that was previously used to log into a service or carry out a transaction, he will not be able to misuse it since it will no longer be recognized. On the downside, OTPs cannot be memorized by people (Logan et al., 2010). A one-time password is thus described as a randomly created single-use password.

An example is the SonicWALL SSL-VPN One-Time Password. This system is a two-factor authentication scheme that uses one-time passwords to strengthen the security provided by the normal user name and password for SonicWALL SSL-VPN users. The scheme requires users first to enter the correct SonicWALL SSL-VPN login details. After checking the standard login credentials, the system creates a one-time password, which is sent to the user's e-mail address. The user must log in to their email account to retrieve the one-time password and type it into the SSL-VPN login screen when requested, before the single-use password expires (Logan et al., 2010).

The SonicWALL SSL-VPN One-Time Password scheme offers more security than the regular static password alone. Using a one-time password to strengthen the regular login details adds a second level of authentication. Users must be able to log in to the stipulated email address before completing the SSL-VPN One-Time Password login procedure.
Every one-time password is valid for only one use and expires after a specific period of time, compelling a new one-time password to be created after every successful login, a cancelled or unsuccessful login attempt, or a login attempt that has timed out, thus minimizing the chances of a one-time password being compromised (Logan et al., 2010).

Type of controls associated with OTPs

There are many types of controls associated with one-time passwords. Some of the controls involved are:

Procedural controls

This relates to policies and procedures governing how people operate at work and how they carry out their own activities. This relates to security of data, passwords, hiring and discipline in the workplace. Other issues involved in procedural controls are audit, monitoring and adhering to the regulatory requirements as far as security is concerned. Logical and physical controls and staff access cards are all concerned with the security of information and other possessions, just like the one-time password. One-time passwords are thus controlled with standards and guidelines, PCI compliance, COBIT and guidance for choosing logical and physical controls (Barkan, 2003).

Logical/Technical controls

This relates to the use of software and data to manage and control access to the information in computer systems. It also entails passwords, means of authentication, network and host-based firewalls, network intrusion detection systems, access control lists (ACLs) and data encryption. The term 'least privilege' refers to limiting access rights and authorisation to those just appropriate for the task in question. One-time passwords are concerned with security and particularly restriction of access to minimize risks and vulnerabilities of web servers.

Physical controls

This relates to monitoring and controlling access to computer systems or any other resources in a firm. It also entails separation of functions and includes support facilities. It also relates to data centre power, networks, heating and cooling.

Access controls

Access controls entail issues like identification, authentication and authorization. All these are to some extent related to one-time passwords. Identification involves confirmation of a claim of who a person is and association with the responsibility and the essential set of rights.

Authentication

This entails:
  • Proving the assertion of identification
  • Something one knows, like a PIN, password or pet's name
  • Something in possession – swipe or credit card
  • Something you are – fingerprint, eye-print, voice
  • Single factor – any one of those described above
  • Multi-factor – a combination of two or more of those described above

Authorisation

What the authenticated identity is allowed to do.

Strengths and weaknesses of OTPs

One of the major weaknesses of one-time passwords is that they are susceptible to cracking. One-time passwords are susceptible to social engineering attacks in which phishers obtain OTPs by tricking clients into revealing one or more OTPs that they have previously used. One-time passwords are susceptible to phishing through two major methods. One way is where the swindler gets the OTP in plaintext fast enough, and the other is where the swindler uses the information obtained through phishing to predict the password. This latter form of attack can however be prevented through the use of encrypted hash chains. Another weakness of one-time passwords is that they are also susceptible to third-party attacks. This can easily be prevented by not disclosing the passwords to any person. One-time passwords are however more secure than memorized passwords since their validity expires once they have been used (Fujita & Mejri, 2006). One-time passwords are more secure than memorized passwords since the validity of the password expires once the password has been used and the restricted time expires. Attacks by third parties can be avoided by using the OTP as one layer in layered security. One way of applying layered security is the use of an OTP in combination with the regular password which has been memorized by the user.

Description of successful OTPs

An example of a successful application of one-time passwords is the mobile One-Time Passwords service by enterprise-quality SMS provider TynTec in the banking sector. The service, which will allow financial institutions to send their clients one-time, time-restricted passwords to log in to essential services such as online banking, employs TynTec's proprietary SMS back-end equipment, which ensures secure delivery of all messages within 5-15 seconds. Cyber fraudsters, whether using phishing devices, key-logging software, Trojans or other malevolent programs, are and have been a threat to the banking industry and particularly the retail banking sector. By offering an extra level of password security, OTPs provide a new and efficient level of security, giving a level of protection that cannot be provided by conventional static passwords.

OTPs, one of the most recently developed security tools, are assisting banks in the prevention of cyber fraud. Instead of depending on conventional memorized passwords, OTP customers request a password every time they need to carry out a financial transaction by logging in to the online banking interface. When the request is received, the password is sent to the customer's phone through an SMS. The password is no longer valid once it has been used and the allowed time has expired. The TynTec OTP solution provides numerous benefits compared to standard SMS systems (Barkan, 2003). The fact that TynTec can provide a unique assurance of delivery within 5-15 seconds, complemented by a quantifiable SLA, implies that consumers will always receive their passwords in a timely manner (Fujita & Mejri, 2006).
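The OTP lifecycle described above (issued only after the static password check, delivered by e-mail or SMS, valid for one attempt within a time limit), as an added example that is not part of the essay or of any vendor's product. The 300-second lifetime, the six-digit format and the class and function names are assumptions.

```python
import hashlib, hmac, secrets, time

TTL_SECONDS = 300  # assumed validity window; the essay gives no figure


class OtpIssuer:
    """Delivered OTP: single use, time-limited, kept only as a keyed hash."""

    def __init__(self, clock=time.time):
        self._key = secrets.token_bytes(32)   # server-side HMAC key
        self._pending = {}                    # user -> (digest, expires_at)
        self._clock = clock

    def _digest(self, user, code):
        msg = f"{user}:{code}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).digest()

    def issue(self, user):
        """Call only after the static password check has succeeded."""
        code = f"{secrets.randbelow(10**6):06d}"   # CSPRNG, six digits
        expires_at = self._clock() + TTL_SECONDS
        self._pending[user] = (self._digest(user, code), expires_at)
        return code                                # handed to the mail/SMS gateway

    def verify(self, user, code):
        # pop() consumes the entry whatever the outcome: success, a wrong
        # code or a timeout all force a fresh OTP, so a captured code
        # cannot be replayed.
        entry = self._pending.pop(user, None)
        if entry is None:
            return False
        digest, expires_at = entry
        if self._clock() > expires_at:
            return False
        return hmac.compare_digest(digest, self._digest(user, code))


def demo():
    now = [1000.0]                                # constructed clock for the demo
    issuer = OtpIssuer(clock=lambda: now[0])
    code = issuer.issue("alice")
    first = issuer.verify("alice", code)          # accepted
    replay = issuer.verify("alice", code)         # same code again: rejected
    code2 = issuer.issue("alice")
    now[0] += TTL_SECONDS + 1
    expired = issuer.verify("alice", code2)       # past the time limit: rejected
    code3 = issuer.issue("alice")
    wrong = issuer.verify("alice", "x" + code3[1:])   # wrong guess
    after_wrong = issuer.verify("alice", code3)       # real code is burned too
    return first, replay, expired, wrong, after_wrong
```

Because a failed attempt also discards the pending code, the login flow has to re-run the password check and call `issue()` again before the user can retry.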
Procedural controls in using OTPs

The task of implementing procedural controls is the responsibility of the system administrator. The administrator ensures that users have a FreeBSD account and a password before they access the FreeBSD system. One of the key responsibilities of the system administrator is to set an appropriate password policy for both the users and the network. This is an important task in the creation of appropriate procedural controls in the application of OTPs. Some of the points to consider include setting the minimum length of passwords and the nature of the passwords.

Audit and logging checks for OTPs

One of the most appropriate methods of providing logging checks for OTPs is through the use of port-knocking. Port-knocking refers to the method of sending a shared secret from a random host to another, usually secure, host. This shared secret is usually a short sequence of connect(2) calls to a string of ports, at which point the firewall is opened to the sending server. Since this system is susceptible to attacks, some port-knocking systems that employ cryptography use the source IP to safeguard themselves from threats. The application of port-knocking systems entails restricting access to important resources by applying the port-knocking system as the security measure, and those darned replay attacks can be blocked via cryptographic techniques. The audits for the passwords entail checking whether the passwords meet the minimum requirements set by the responsible system administrator (Barkan, 2003).

Cracking OTPs and checking the risks

In order to prevent cracking of OTP passwords, the generation of passwords and password policies must be very creative. The passwords should have at least one non-letter character and should not be the user's username or repeated. Users should be aware of the policy applied in the selection of passwords, and the system should be customized in such a way that it does not generate poor passwords which are susceptible to cracking. After the password has been used or before it is used, it should not be stored in the FreeBSD system. Instead an encrypted format should be used (Fujita & Mejri, 2006).

Conclusion

One-time passwords are the most secure measure to use in the protection of information as well as safeguarding cash from swindlers in the world today. One-time passwords are more secure than memorized passwords since the validity of the password expires once the password has been used and the restricted time expires. For maximum security the OTP details should not be disclosed to third parties.

References

Barkan, E. et al. (2003). "Instant Ciphertext-Only Cryptanalysis of GSM Encrypted Communication". New York: IOS Press.

Fujita, H. & Mejri, M. (2006). New trends in software methodologies, tools and techniques: proceedings of the fifth SoMeT 06. New York: IOS Press.

Logan, M. et al. (2010). Erlang and OTP in Action. London: Manning Publications.
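The hash-chain defence named under "Strengths and weaknesses of OTPs", sketched as an added example that does not come from the essay or its sources. It assumes a Lamport-style chain over SHA-256; the seed, chain length and all names are constructed for illustration.

```python
import hashlib
import hmac


def h(x: bytes) -> bytes:
    return hashlib.sha256(x).digest()


def chain(seed: bytes, n: int) -> bytes:
    """Apply h to seed n times, giving h^n(seed)."""
    for _ in range(n):
        seed = h(seed)
    return seed


class ChainVerifier:
    """Server side: stores only the last accepted value, never the seed."""

    def __init__(self, anchor: bytes):
        self.last = anchor                 # h^N(seed), registered at enrolment

    def verify(self, otp: bytes) -> bool:
        # A valid OTP is the preimage of the stored value under h.
        if not hmac.compare_digest(h(otp), self.last):
            return False
        self.last = otp                    # advance: this OTP is never valid again
        return True


def demo():
    seed, n = b"constructed-demo-seed", 5  # constructed sample values
    server = ChainVerifier(chain(seed, n))
    otp1 = chain(seed, n - 1)              # client's first OTP: h^(N-1)(seed)
    otp2 = chain(seed, n - 2)              # client's second OTP: h^(N-2)(seed)
    ok1 = server.verify(otp1)              # accepted
    replay = server.verify(otp1)           # a phished, already-used OTP
    forward = server.verify(h(otp1))       # hashing it only walks backwards
    ok2 = server.verify(otp2)              # the genuine next OTP
    return ok1, replay, forward, ok2
```

Knowing a used OTP gives an attacker only values further up the chain, all of which the server has already passed; the next valid OTP is a preimage, which SHA-256 is designed to make infeasible to compute.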