Sunday, August 25, 2013

One-Time Password


A one-time password is a set of characters that can be used to prove a subject's identity one time and one time only. After the password is used, it is destroyed and no longer acceptable for authentication. If an attacker obtained the password as it was being transmitted, she would have only a small window of time in which to try to use it, and most likely it would already have been used once, making it useless to her. This greatly reduces the risk of someone sniffing network traffic, obtaining a password, and successfully authenticating as a legitimate user.
One-time passwords are usually generated and supplied to the user via a handheld device with an LCD display, referred to as a token device. The user reads the password provided by the token device and enters it, along with a username, into a system for authentication purposes. The password is good for only that session; when the user needs to authenticate again, another password is dynamically created. Token devices, also referred to as one-time password generators, are either synchronous or asynchronous.
Synchronous token devices are synchronized with an authentication service via a clocking mechanism or by events. When a clocking mechanism is used, the token device and authenticating service agree upon a timing scheme. The token device presents encrypted time values to users, and they enter these values along with their usernames into their workstations, as shown in Figure 2-2. This credential set is sent to the authentication service. Because the token device and authentication service are synchronized, the authentication service is expecting a specific value to be submitted as the password. If the correct value is submitted, and it correlates with the given username, the user is successfully authenticated.
When events are used to establish authentication, the user is usually required to initiate the logon process, which tells the token device and authentication system to increment the one-time values. The token device and authentication system share the same list of values to be used for one-time passwords; the token device encrypts and presents the next value in the list to the user, which she enters as her password.
Asynchronous token devices use a challenge-response method to create one-time passwords. The authentication service sends the user a value, which he enters into his token device. The token device modifies this value, through encryption or a hashing process, and presents the new value to the user. The user then enters this new value as his password to authenticate to the authentication service. If this response matches the value the authentication service expects for the challenge it originally sent, the user is properly authenticated.
Token devices protect against password guessing, replay attacks, and electronic eavesdropping, but can be exposed to masquerading attacks, where an attacker gains control of the token device and uses it to impersonate the valid user. This is why many token devices require the user to enter a proper PIN value before the device can be used. If a user has to provide a PIN and uses the token device for authentication, this is a two-factor authentication process.
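A minimal model of the three token modes described above (clock-synchronized, event-synchronized, and challenge-response), added here as an example and not part of the original post. Both sides share a secret; the service records the highest counter it has already accepted, so a value sniffed off the wire is useless once it has been used, and a challenge can be answered only once. The HMAC-over-counter construction (RFC 4226 style) and the look-ahead/"burn skipped values" policy are my own assumptions, not something the text specifies.

```python
import hashlib
import hmac
import secrets

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    # One-time value for one counter: HMAC-SHA1 over the counter, truncated (RFC 4226 style).
    mac = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def respond(secret: bytes, challenge: bytes) -> str:
    # Asynchronous mode: the token transforms the service's challenge with the shared secret.
    return hmac.new(secret, challenge, hashlib.sha256).hexdigest()[:12]

class TokenDevice:
    # User's side: a shared secret, a clock, and an event counter.
    def __init__(self, secret: bytes, step: int = 30):
        self.secret, self.step, self.counter = secret, step, 0
    def time_value(self, now: int) -> str:       # synchronous, clock-based
        return hotp(self.secret, now // self.step)
    def next_event_value(self) -> str:           # synchronous, event-based
        self.counter += 1
        return hotp(self.secret, self.counter)

class AuthService:
    # Service side: remembers the highest counter already consumed, so a value is accepted once only.
    def __init__(self, secret: bytes, step: int = 30, window: int = 1):
        self.secret, self.step, self.window = secret, step, window
        self.last, self.pending = {"time": -1, "event": 0}, None
    def _accept(self, kind: str, code: str, candidates: range) -> bool:
        for c in candidates:
            if c > self.last[kind] and hmac.compare_digest(hotp(self.secret, c), code):
                self.last[kind] = c   # consumed: this and any older value never work again
                return True
        return False
    def verify_time(self, code: str, now: int) -> bool:
        base = now // self.step   # +/- window tolerates small clock drift
        return self._accept("time", code, range(max(0, base - self.window), base + self.window + 1))
    def verify_event(self, code: str, look_ahead: int = 5) -> bool:
        nxt = self.last["event"] + 1   # look-ahead resyncs if the user generated values without logging in
        return self._accept("event", code, range(nxt, nxt + look_ahead))
    def challenge(self) -> bytes:
        self.pending = secrets.token_bytes(16)
        return self.pending
    def verify_response(self, response: str) -> bool:
        ok = self.pending is not None and hmac.compare_digest(
            respond(self.secret, self.pending), response)
        self.pending = None   # a challenge can be answered once only
        return ok
```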
