Review: One time password generators

Removing weakness and misappropriation of passwords from the security equation

Conclusion

We’ve only scratched the surface of the products available. The majority are aimed at enterprise-level businesses with existing networked infrastructure using a common LDAP server such as Active Directory or OpenLDAP.

For enterprises that do have this infrastructure, adoption of OTP should be a relatively smooth process. The most burdensome aspect would be the actual physical rollout – of either the software or hardware tokens, and the subsequent enrolment of those by the workforce, customers or external partners.

Thankfully the use of self-service web apps can help ease this burden, but will still undoubtedly result in helpdesk calls. There are plenty of mature products available from the highly portable Nordic Edge One Time Password Server 3 to the adaptable Deepnet Security DualShield. At the SME level, negotiating a suitable support and service package is more of a requirement than the feature set included.

For smaller businesses, providing staff and customers with OTP authentication isn’t out of the question. There are whole enterprise-level solutions available at reasonable pricing such as OpenOTP. The greatest issue may be implementing and maintaining the LDAP infrastructure with the right level of support. In this case products like MyPW could play a middleman role for extranets and e-commerce sites.

For single and home users there’s not a lot available in terms of OTP to help enhance personal security, but products like Plurilock PluriID are interesting and can prove quite useful because they support remote users for single systems.

Without doubt OTP and TFA are going to become more prevalent in the near and long term. While weaknesses do exist in a number of places, a sound implementation greatly reduces the risk over static password systems.

It’s speculated that, at the very least, early adopters will see a reduction in security penetrations, if for no other reason than that attackers opt to concentrate on the low-hanging, static-password-protected fruit. The sooner you move to an OTP system the better.

 
