CIO

Review: One time password generators

Removing weak and misappropriated passwords from the security equation

We all know that managing the human factor in network security is a balancing act. On the one hand you need to enforce policies that minimise basic weaknesses, especially lazy passwords (such as the ubiquitous “password”). On the other hand, you also need to manage the administrative cost of rigid policies: how many times can one person get it wrong? Every lost or forgotten password requires someone or something to reset it and reissue it to the user. In most cases this means phoning the helpdesk or cornering the office administrator, and invariably you’ll have to wait because they are already busy resetting the director’s password for the umpteenth time.

Reissuing passwords is the systemic weak point in traditional single-password authentication. Often a new password is simply emailed to the user’s account, which may itself be compromised. Many systems add a further challenge, a secret question, but these are easily bypassed: your date of birth, hometown or mother’s maiden name are readily discoverable, researchable or socially engineerable.

PASS THE WORD

One-time password (OTP) security solutions are rapidly growing in popularity as more and more valuable ‘stuff’ moves online. International corporations such as Google and Facebook have both recently rolled out OTP options for their users. Blizzard now provides an OTP option for its vastly successful World of Warcraft online game, and from the financial sector, HSBC has deployed OTP devices to its customers for their online accounts.

Technically, an OTP is one factor in a two-factor authentication (TFA) scheme. TFA requires two different kinds of evidence: generally something you have (the OTP device, or the secret seed it holds) combined with something you know (a password or PIN) or something you are (a biometric check).

A one-time password solution generates a code that is used once by the user and then discarded. The cryptographic method varies by implementation, but there are three main approaches: a time-based code (token and server both derive the code from a shared secret and the current time), an event- or counter-based code (a pseudo-random sequence derived from a shared key and a counter that advances with each use), or a challenge-response code (the token computes its reply from the shared key and a random challenge issued by the authentication server).
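The three approaches, as an added example that is not code from any product reviewed on this page. HOTP (the counter-based variant) follows RFC 4226 and TOTP (the time-based variant) follows RFC 6238, so the RFC test secret `12345678901234567890` reproduces the published vectors; the challenge-response function and the two verifier classes are illustrative designs of my own, not a standard. The verifiers show the part that actually makes a code one-time: the server must refuse a step or counter it has already accepted, even inside its clock-drift or look-ahead window.

```python
"""Added example: HOTP (RFC 4226), TOTP (RFC 6238), an HMAC challenge-response
variant, and the server-side checks that make a code truly one-time."""
import hashlib
import hmac
import secrets
import struct
import time


def _truncate(mac: bytes, digits: int) -> str:
    """RFC 4226 dynamic truncation: 31 bits taken from an offset chosen by the last nibble."""
    offset = mac[-1] & 0x0F
    code = ((mac[offset] & 0x7F) << 24 | mac[offset + 1] << 16
            | mac[offset + 2] << 8 | mac[offset + 3])
    return str(code % 10 ** digits).zfill(digits)


def hotp(key: bytes, counter: int, digits: int = 6, digestmod=hashlib.sha1) -> str:
    """Counter/event-based OTP: HMAC over the 8-byte big-endian counter."""
    mac = hmac.new(key, struct.pack(">Q", counter), digestmod).digest()
    return _truncate(mac, digits)


def totp(key: bytes, unix_time: int, step: int = 30, digits: int = 6,
         digestmod=hashlib.sha1) -> str:
    """Time-based OTP: HOTP with the counter replaced by floor(time / step)."""
    return hotp(key, unix_time // step, digits, digestmod)


def challenge_response(key: bytes, challenge: bytes, digits: int = 6) -> str:
    """Challenge-response OTP (illustrative): the token answers a server nonce with HMAC(key, nonce)."""
    return _truncate(hmac.new(key, challenge, hashlib.sha1).digest(), digits)


def new_challenge() -> bytes:
    """Fresh server nonce; the server must remember it and accept exactly one reply to it."""
    return secrets.token_bytes(16)


class HotpVerifier:
    """Server side of HOTP: tracks the next expected counter and allows a small
    look-ahead window for tokens whose button was pressed without logging in."""

    def __init__(self, key: bytes, look_ahead: int = 5):
        self.key, self.look_ahead, self.counter = key, look_ahead, 0

    def verify(self, code: str) -> bool:
        for c in range(self.counter, self.counter + self.look_ahead + 1):
            if hmac.compare_digest(hotp(self.key, c), code):
                self.counter = c + 1          # every counter up to c is now burnt
                return True
        return False


class TotpVerifier:
    """Server side of TOTP: tolerates +/- `drift` steps of clock skew, but never
    accepts a step that has already been used; that refusal is what makes it one-time."""

    def __init__(self, key: bytes, step: int = 30, drift: int = 1):
        self.key, self.step, self.drift = key, step, drift
        self.last_step = -1                   # highest time step already accepted

    def verify(self, code: str, now=None) -> bool:
        current = (int(time.time()) if now is None else now) // self.step
        for s in range(current - self.drift, current + self.drift + 1):
            if s <= self.last_step:
                continue                      # replay of an already accepted step
            if hmac.compare_digest(hotp(self.key, s), code):
                self.last_step = s
                return True
        return False


if __name__ == "__main__":
    key = b"12345678901234567890"            # RFC 4226 / RFC 6238 test secret
    print("HOTP counter 0:", hotp(key, 0), " TOTP at t=59:", totp(key, 59, digits=8))
```

Two things worth noting in the verifiers: `hmac.compare_digest` avoids leaking, through timing, how many leading digits of a guess were right; and the TOTP drift window is deliberately small, because every extra step you tolerate is extra time for the phishing and man-in-the-middle scenarios described later on this page.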

All of these approaches ultimately require a delivery method/device so that the user can read, then enter the OTP into the authentication system. We won’t attempt to cover all of the solutions that have been created for this, but it is worth outlining the most common options.

One such solution is a hardware token with a display, as used by HSBC and other banks. These can produce codes using any of the approaches above; the code shown is then typed into the log-in system. Often the token has a keypad, used to enter a user-defined PIN that unlocks it or a challenge delivered as part of the authentication dialogue.

For businesses whose workforce may be at physical risk, some systems accept a “distress” code in place of the normal OTP. If the user is being coerced into accessing the protected system, entering the distress code still grants limited access while silently raising an alarm.

PHONING IT IN

Currently a popular option makes use of mobile phones, which provide a range of delivery channels: SMS text messages, a dedicated app, instant messaging, plain email or push notification. Modern smartphones are a convenient and flexible way of distributing OTPs, and most users already carry one. This reduces cost because no new devices are required and delivery runs over existing transports. However, there are issues with this approach that are worth noting.

Users need ready access to their phone, and a phone signal must be available for live delivery. SMS and data services can also suffer delays and interruptions, and both text messages and standard email travel unencrypted, so a code sent that way can be intercepted in transit.

Push notification, supported by most smartphone platforms, can help alleviate delays: an OTP can be pushed to the phone in real time after a challenge has been issued.

An alternative approach uses a dedicated phone app that generates the OTP on the phone itself from a seed stored locally, so no code ever travels over the network. The drawback is that the app must be built and supported for each type of phone in use, so it can ultimately be easier to deploy a dedicated device.

Other options you’ll see include web-delivered OTPs, with some solutions adding a second factor such as selecting a pre-chosen picture. Others use simple printed paper cards, much like business cards, that carry codes in a grid or list; when logging on, the user is prompted for the code at a specific grid location. This seemingly low-tech approach has simple advantages that have won over a number of banks: deployment is cheap, grids can be issued flexibly (customers can collect cards from a local branch or print their own), and cards are quick and easy to replace. It’s also possible to replace the password element with a smartcard, USB key or other proprietary token, at which point the card is acting more as a second factor than as an OTP delivery system.

DON’T LOWER YOUR GUARD

As always in security, deploying an OTP system does not mean security is solved. An OTP system will undoubtedly enhance your security, but it’s still possible to envisage scenarios in which malware on the user’s machine intercepts the OTP after it has been requested and relays it before it expires. Attackers can also stretch the window available to them with basic social engineering, such as phoning the victim in the middle of logging on.

If the log-on details are already known to an attacker, stealing the device that delivers the OTP completes the set; alternatively, a man-in-the-middle ruse, such as an attacker posing as an administrator, can fool a user into divulging the OTP.

OTPs significantly raise the bar for hijackers, leaving only a narrow window of opportunity, but if the target is tempting enough there’s no reason to dismiss the possibility.

In this review we look at a range of OTP solutions, from low-cost, single-system, single-user solutions all the way up to full enterprise-level systems that can handle over a million users.

In between, there are a few other interesting alternatives such as OTP cloud-based services, hobbyist-style implementations and low-cost, server-based deployments. There really is a one-time password system out there to suit everyone’s needs.


Deepnet Security DualShield

Targeting the enterprise with a multi-factor authentication solution, Deepnet Security’s DualShield embraces the OTP paradigm. At its heart, DualShield is an adaptable server-based solution that runs on Microsoft Windows Server and Linux.

For administrators, it includes native support for Active Directory and OpenLDAP, so changes made in the directory automatically flow through to DualShield. It also features a comprehensive self-service web portal to help minimise helpdesk calls: users can issue emergency keys and request replacement or on-demand keys themselves. This makes for a user-friendly solution that’s easy to integrate into existing infrastructure.

DualShield has a really broad selection of user authentication methods. It covers all of the standard OTP options such as smartphone soft tokens, tokens stored on USB drives, hard tokens, ID cards and on-demand OTPs. Beyond these it offers further two-factor alternatives such as device fingerprints, biometrics including voice, keystroke and facial recognition, and public key infrastructure (PKI) digital certificates.

Mobile platforms supported include Windows Mobile, iPhone, BlackBerry and Java-enabled handsets, while PC support covers Windows XP, Vista and 7. On-demand authentication extends support to further mobile devices via DualShield’s Mobile T-Pass OTP, which delivers codes via SMS text, voice call, Twitter and email. Device-less authentication is possible via the GridID system, which gives users credit-card sized printed code cards.

DualShield is designed to authenticate the most common systems right out of the box. Its RADIUS server support means a wide range of VPNs can be protected with an unchanged end-user experience. DualShield integrates directly into Windows domain logon, Remote Desktop and Terminal Server, and support extends to Linux distributions via a Pluggable Authentication Module (PAM) for SSH logins. Similarly, Microsoft Outlook Web Access, Outlook Anywhere and Exchange ActiveSync can all be protected.

For outward-facing applications, web authentication enables protection of e-commerce sites and controlled access to secure areas of extranets. Deepnet includes an SDK and API so third-party developers can integrate custom web apps with the enterprise-managed two-factor system. The list of features goes on and on; it’s one of the most comprehensive solutions looked at here.


MyPW

Sold as an affordable online service, MyPW delivers OTP authentication through a simple, secure API suited to a range of uses: desktops, web applications, consumer services and general service providers.

MyPW is an intriguing proposition. It offers a range of services and, importantly, pricing schemes that attempt to suit everyone from small businesses to enterprise-level corporations. Effectively MyPW has two packages, a hosted service and an enterprise offering, each priced accordingly.

For the smaller business, the MyPW hosted service eliminates many financial and administrative headaches. The model is quite innovative: there is no upfront purchase or contract cost for cash-flow-sensitive small businesses, and because MyPW charges per person it’s feasible to deploy it to a test group without major disruption or financial impact.

MyPW provides an API and a website to manage the OTP authentication system, delivering basic access and account information. Supported mobile devices include BlackBerry, iPhone and Android smartphones. Authentication also works with RADIUS servers, and a supplied PAM makes it possible to secure SSH logins on Linux with an OTP.

At the enterprise level, MyPW can supply hardware tokens based on either RSA SecurID or CRYPTOCard. Beyond hardware token and server costs, there is a token activation charge of $9.95 per user plus $1 per user per month.

MyPW’s servers perform the final authentication, so while this solution eliminates deployment costs and remains platform agnostic, you cede control of the authentication decision (and its availability) to a third party, which might be uncomfortable for some enterprises.


Nordic Edge One Time Password Server 3

Billed as a platform-independent, two-factor authentication system, Nordic Edge One Time Password Server 3 (OTPS3) brings OTP protection to web, VPN and cloud-based services.

It’s designed to scale from small business up to full enterprise deployment, runs on most operating systems, supports most remote-access systems and integrates with common user stores. Key to its flexibility is that it runs on a Java Virtual Machine, so as long as a JVM exists for the required operating system, it’ll be capable of running OTPS3.

OTPS3 is highly flexible, with a multitude of ways to generate and dispatch OTPs. They can be sent via SMS or email, or generated on the user’s desktop or mobile device using Pledge (OTPS3’s authentication application). Key enrolment is automated for Pledge, which removes administrator involvement and streamlines rollout to your workforce.

Support is also offered for OATH (Initiative for Open Authentication) compatible OTP tokens, and pre-generated OTPs can be printed, emailed or sent via SMS and instant message.

Helping deployment, OTPS3 supports a wide range of LDAP directories including Active Directory, eDirectory and OpenLDAP, as well as the major SQL databases. There’s further flexibility here because it happily reads from several existing databases at once rather than requiring its own copy of the user data, so it automatically stays in sync with them.

Comprehensive RADIUS support is included, so authentication can be extended to your VPN infrastructure and other RADIUS-aware devices. Flexibility is built in: it’s ready to support Java, PHP and .NET applications, and has ready-made integrations for most remote-access products including VPNs, web servers and thin clients. It’ll even happily work alongside existing tokens such as RSA SecurID, helping to make any migration as smooth as possible.

OTPS3 is a mature product, having been deployed for more than a decade. Nordic Edge claims it can comfortably scale from one to over a million users, and that by following the step-by-step guide it can be installed in an hour. An added advantage is that it’s a highly portable product.


OpenOTP Authentication Server

A serious question for smaller businesses, including security-conscious SOHOs, is: what’s good for me? OpenOTP brings an enterprise-grade solution, one that’s free for deployments of 25 or fewer users. It’s an interesting business model that works on a try-before-you-buy basis, effectively capturing a business while it’s still growing.

Despite the low cost, this really is a true enterprise-level solution. It provides secure and reliable user authentication to online services, intranet/extranet access and secure internet transactions. Its wide-ranging support for software tokens covers J2ME, Windows Mobile, iOS, Android and BlackBerry devices, plus YubiKey, alongside SMS text and email delivery. It also supports a wide range of OATH HOTP hardware tokens and printed code cards.

OpenOTP can be deployed to a wide range of Linux distributions on either a dedicated or a virtual server. Support is listed for any distribution based on glibc 2.4 or later, and specifically Red Hat Enterprise Linux 5.x, Novell SUSE, Ubuntu Server and CentOS 5.x. To smooth deployment it connects to most LDAP directories, including Microsoft Active Directory, OpenLDAP and Novell eDirectory. Groups and policies are managed through its WebADM management console, which helps you manage each of the security applications, authentication policies, LDAP users, groups and domains. RADIUS support is also provided for easy integration with your VPN and any other RADIUS-compatible devices.

End-user web apps are included: users can administer their own tokens via a self-service desk and self-registration system. These can be rolled out on your secure intranet or extranet, further simplifying deployment. Online demos and downloads are available, so it’s a great one to try out and test in your own time.


Perfect Paper Passwords

Developed by Steve Gibson, creator of the well-known ShieldsUP! firewall test, Perfect Paper Passwords (also known simply as PPP) is a good example of how an OTP system doesn’t need to be costly. Available as freeware from www.grc.com/ppp.htm, this paper-based OTP system has been developed for Windows, Mac OS X, Linux and Java-enabled smartphones, using a mix of open-source and freeware components.

PPP provides the user with a printed, credit-card-sized grid of four-character passcodes drawn from a 64-character alphabet. Four characters from 64 gives 64^4, almost 17 million (16,777,216), possible passcodes, generated in an unpredictable sequence. All of these variables can be adjusted: longer passcodes can be used, larger or smaller cards can be printed, and a larger 88-character or entirely custom alphabet can be substituted.
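As an added example covering both the printed grid cards described earlier on this page and the PPP-style card above, the following is my own illustrative construction, not PPP’s code nor any bank’s scheme: a card of four-character passcodes from a 64-character alphabet is derived from a per-user secret key, and a server challenges for a grid position and burns each cell once it has been used. Everything here is an assumption for illustration: the alphabet (64 characters with look-alikes such as 0/O and 1/l/I removed), the 10-row by 7-column layout, and the derivation, which uses HMAC-SHA256 over the passcode index; real PPP derives passcodes from AES-256 over a 128-bit counter, so the codes produced will not match a genuine PPP card.

```python
"""Added example: a printable grid card of four-character passcodes from a
64-character alphabet, plus a challenge server that burns each cell after one use.
Illustrative construction only; not PPP's own algorithm or any vendor's product."""
import hashlib
import hmac
import secrets

# Assumed 64-character alphabet with look-alike characters (0/O, 1/l/I) removed.
ALPHABET = "!#%+23456789:=?@ABCDEFGHJKLMNPRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
PASSCODE_LEN = 4
ROWS, COLS = 10, 7                      # assumed card layout: 70 passcodes per card


def passcode(key: bytes, index: int) -> str:
    """Passcode number `index` in the sequence, derived from the user's secret key.
    len(ALPHABET) is a power of two, so treating the MAC as a big integer and
    peeling off base-64 digits gives uniformly distributed characters."""
    mac = hmac.new(key, index.to_bytes(8, "big"), hashlib.sha256).digest()
    n = int.from_bytes(mac, "big")
    chars = []
    for _ in range(PASSCODE_LEN):
        n, d = divmod(n, len(ALPHABET))
        chars.append(ALPHABET[d])
    return "".join(chars)


def cell_index(card: int, row: int, col: int) -> int:
    """Map (1-based card number, 0-based row, 0-based column) onto the global sequence."""
    if card < 1 or not 0 <= row < ROWS or not 0 <= col < COLS:
        raise ValueError("cell off the card")
    return (card - 1) * ROWS * COLS + row * COLS + col


def render_card(key: bytes, card: int) -> list:
    """Text rows for printing; the user carries the card, the server keeps only `key`."""
    header = "    " + " ".join(chr(65 + c).rjust(PASSCODE_LEN) for c in range(COLS))
    lines = ["Card %d" % card, header]
    for r in range(ROWS):
        codes = " ".join(passcode(key, cell_index(card, r, c)) for c in range(COLS))
        lines.append("%2d: %s" % (r + 1, codes))
    return lines


class GridCardServer:
    """Challenge = a random unused cell on the card; response = the passcode printed there."""

    def __init__(self, key: bytes):
        self.key = key
        self.used = set()                    # (card, row, col) cells already spent

    def challenge(self, card: int):
        free = [(r, c) for r in range(ROWS) for c in range(COLS)
                if (card, r, c) not in self.used]
        if not free:
            raise RuntimeError("card exhausted: issue the user a new card")
        return secrets.choice(free)

    def verify(self, card: int, row: int, col: int, response: str) -> bool:
        if (card, row, col) in self.used:
            return False                     # one-time: a burnt cell never works again
        expected = passcode(self.key, cell_index(card, row, col))
        if hmac.compare_digest(expected, response):
            self.used.add((card, row, col))  # burn only on success, so a typo costs nothing
            return True
        return False


if __name__ == "__main__":
    key = secrets.token_bytes(32)            # per-user sequence key generated at enrolment
    print("\n".join(render_card(key, 1)))
    server = GridCardServer(key)
    row, col = server.challenge(1)
    print("challenge: row", row + 1, "column", chr(65 + col))
```

Because the whole card is a deterministic function of the key, the server stores nothing per cell except the set of burnt positions, and a lost card is revoked simply by rotating the key and printing a new one; that is the property that keeps replacement cheap.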

This is not a commercial system, so PPP offers little in the way of support. It requires an entirely manual deployment, and additional components have been created by third parties to support features such as Java-based smartphone apps, Microsoft .NET support, terminal support and even PHP. This does carry the advantage that once a system is working it doesn’t depend on support or resources from other suppliers.

The most basic package includes a Windows DLL, a command-line executable and template HTML files. The site offers detailed documentation on how the cryptography works and basic advice on implementing the system in the real world. It would probably take some time to integrate PPP effectively, but it does include everything needed to deploy OTP protection for a remote login, and a number of third-party implementations extend this to Mac OS and Linux terminal sessions. It’s also possible to deliver passcodes electronically in various formats, or to generate them directly on a suitable Java-capable device such as a smartphone.

Perfect Paper Passwords is an interesting and well-documented OTP project. It would be suitable for hobbyists, SOHOs and even small-business operations, provided a member of the team has programming-level knowledge.


Plurilock PluriID

Solutions in the OTP arena are typically aimed at SMB and enterprise customers. For personal security, or where authentication doesn’t need a connected server, there are dedicated products built around stand-alone hardware tokens. One such product is PluriID, which touts strong protection for individuals and organisations that want to prevent unauthorised users from gaining access to their laptops or PCs. It’s aimed at individuals or small businesses that simply don’t have the resources to implement a server-based OTP system.

Aligned with the standard Windows login, the Plurilock Workstation Protection Suite accepts the usual Windows username and password but additionally requires an OTP generated by the PluriID token. This works for local and remote logins and supports Windows XP, Vista and 7.

PluriID does seem ideal for professionals or small businesses with limited funds to invest in integrated security. Users can adjust token settings, such as tolerance, from the desktop.

In the event the token is lost or stolen, users can still access their computer by entering a master key (a unique access code for each PluriID token). Interestingly, this bypass could make the whole system redundant from a security point of view if the master key is kept anywhere an attacker can find it. The product is also of limited value without disk encryption to back it up: without it, the data on the drive can be read trivially from another machine, with or without the login details or the OTP token. That said, as a simple way of implementing OTP for personal use it’s a workable solution. It will, for example, effectively block someone who has captured your Windows password with a keylogger from logging on to the laptop. At $35 it’s very reasonably priced for a business security solution.



SafeNet MobilePASS

SafeNet’s enterprise-level solution MobilePASS makes use of a wide range of mobile devices and desktop systems to present quite a flexible option. This is a software-based authentication system: software running on a smartphone, or on a Windows or Mac laptop or desktop, generates the one-time password. That makes it a good choice if you have a highly mobile workforce, need to offer external partners secure access to your network, or want to provide secure log-ins for customers.

Client support covers Windows and Mac on the desktop, and iPhone, BlackBerry, Windows Phone 7, Windows Mobile, Java ME and Android mobile devices, as well as delivery by standard SMS message.

At its heart, MobilePASS runs on either the SafeNet Authentication Manager or its SafeWord 2008 server product. Both require Microsoft Windows Server 2003 or 2008 and support Active Directory for simplified deployment. SafeWord 2008 is designed specifically with OTP in mind and extends secure access to cloud-based services such as Google Apps, Outlook webmail and VPN remote access.

Protection can be extended to cover Windows domain login, Terminal Services and Remote Desktop with an additional Enterprise Solution Pack. This also supplements your helpdesk with a web-based user centre that can save significant time and money by letting users administer these elements themselves. From any browser, without a call to the helpdesk or system administrator, users can enrol themselves and their tokens, reset their own PINs and test their tokens for correct operation.

With its reliance on Microsoft Active Directory and Windows Server, SafeNet MobilePASS with SafeWord 2008 provides an efficient and straightforward OTP system that can easily be offered to customers and partners via their own mobile devices or PCs, and gives your workforce an easy, secure way of accessing VPNs and cloud services. Pricing starts at $99 per user with a minimum licence of five users, and includes SafeWord 2008, MobilePASS and the required tokens.


Conclusion

We’ve only scratched the surface of the products available. The majority are aimed at enterprise-level businesses with an existing networked infrastructure built on a common LDAP directory such as Active Directory or OpenLDAP.

For enterprises that do have this infrastructure, adopting OTP should be relatively smooth. The most burdensome aspect is the physical rollout of the software or hardware tokens and their subsequent enrolment by the workforce, customers or external partners.

Thankfully, self-service web apps can ease this burden, though they will still result in some helpdesk calls. There are plenty of mature products available, from the highly portable Nordic Edge One Time Password Server 3 to the adaptable Deepnet Security DualShield. At the SME level, negotiating a suitable support and service package matters more than the feature list.

For smaller businesses, providing staff and customers with OTP authentication isn’t out of the question: there are full enterprise-level solutions available at reasonable prices, such as OpenOTP. The greatest issue may be implementing and maintaining the LDAP infrastructure with the right level of support, in which case a hosted product such as MyPW could play a middleman role for extranets and e-commerce sites.

For single and home users there’s not a lot available in terms of OTP to enhance personal security, but products like Plurilock PluriID are interesting and can prove quite useful because they protect logins, including remote logins, on a single system.

Without doubt OTP and TFA are going to become more prevalent in the near and long term. While weaknesses exist in a number of places, a sound implementation greatly reduces the risk compared with static password systems.

It’s fair to speculate that early adopters will see at least some reduction in successful attacks, if for no other reason than attackers will concentrate on the low-hanging fruit of static-password-protected systems. The sooner you move to an OTP system the better.