Dan Griffin's Blog

Comments on security, PKI, smart cards, cryptography, and entrepreneurship.

Check out Safer Authentication with a One-Time Password Solution in the May 2008 issue of MSDN Magazine. That’s my fourth article for that publication and as always I’m proud to be part of it!

There’s something I should have clarified in my discussion of the two main OTP-generation alternatives, counter-based versus time-based.

Regarding time-based, a given OTP value expires within a certain time delta of when it was generated. The tradeoff is that the client and server must be carefully synchronized, although the technology to accomplish this is more reliable than it used to be.

Regarding counter-based, there’s no need for time synchronization, which simplifies things. However, there’s again a tradeoff: in a counter-based solution, it’s possible for a user to generate a sequence of OTP values in advance. The values could then be written down and given to another user, for example. As long as they are consumed in sequence, every pre-generated value remains valid until it is used.

With time-based synchronization, the same attack isn’t possible, assuming the client token is tamper-resistant and you can’t trick it into advancing its clock.
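To make the two tradeoffs concrete, here is an added example (not code from the article or from MSDN) that implements the standard counter-based algorithm, HOTP from RFC 4226, derives a time-based variant from it by feeding a time step counter into the same function, and puts a small server-side verifier in front of each. The counter-based verifier accepts a batch of values generated in advance as long as they arrive in order, and advances its counter past each accepted value so nothing can be replayed; the time-based verifier only accepts a value whose time step falls inside a small skew window, so a value generated earlier stops working after a few steps. The secret is the RFC 4226 test-vector key, used here as a constructed sample; the `look_ahead` and `skew` parameters, the verifier classes, and the `demo_*` functions are assumptions of this example, not part of any standard.

```python
import hashlib
import hmac
import struct

# Constructed sample key: the RFC 4226 test-vector secret, not a real credential.
SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """Counter-based OTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation to 31 bits, then reduce modulo 10**digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """Time-based OTP: the 'counter' is the number of whole time steps elapsed."""
    return hotp(secret, unix_time // step, digits)


class CounterVerifier:
    """Server side of a counter-based scheme (assumed design, not from the article).
    Accepts the next value, or one up to look_ahead steps ahead (token was pressed
    without logging in), and then moves the counter past whatever was accepted."""

    def __init__(self, secret: bytes, look_ahead: int = 5):
        self.secret = secret
        self.counter = 0          # next counter value we expect
        self.look_ahead = look_ahead

    def verify(self, code: str) -> bool:
        for c in range(self.counter, self.counter + self.look_ahead + 1):
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.counter = c + 1   # used and skipped values are now dead
                return True
        return False


class TimeVerifier:
    """Server side of a time-based scheme (assumed design). Accepts the current
    time step plus/minus `skew` steps of clock drift, and remembers the last step
    it accepted so the same value cannot be replayed inside the window."""

    def __init__(self, secret: bytes, step: int = 30, skew: int = 1):
        self.secret = secret
        self.step = step
        self.skew = skew
        self.last_counter = -1

    def verify(self, code: str, now: int) -> bool:
        base = now // self.step
        for c in range(base - self.skew, base + self.skew + 1):
            if c <= self.last_counter:      # already used, or before epoch
                continue
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.last_counter = c
                return True
        return False


def demo_counter_based():
    """Values generated in advance are all accepted when used in order,
    but a value that has already been consumed is rejected."""
    v = CounterVerifier(SECRET, look_ahead=5)
    precomputed = [hotp(SECRET, c) for c in range(3)]   # token pressed 3 times ahead
    in_sequence = [v.verify(code) for code in precomputed]
    replay = v.verify(precomputed[1])
    return in_sequence, replay          # ([True, True, True], False)


def demo_time_based():
    """A value generated in time step 1 is accepted shortly afterwards
    (within the skew window) but not minutes later."""
    v = TimeVerifier(SECRET, step=30, skew=1)
    code = totp(SECRET, 59)             # generated during step 1 (seconds 30..59)
    fresh = v.verify(code, now=75)      # step 2, skew covers step 1
    replay = v.verify(code, now=80)     # same window, but already consumed
    stale = v.verify(code, now=200)     # step 6, value has expired
    return fresh, replay, stale         # (True, False, False)


if __name__ == "__main__":
    print("counter-based:", demo_counter_based())
    print("time-based:   ", demo_time_based())
```

The look-ahead window is what lets a counter-based server tolerate a token that was pressed without a login, and it is also exactly the property that makes pre-generated values usable by someone else; shrinking the window limits how far ahead values can be prepared, at the cost of more resynchronizations. The time-based verifier has no such window to tune: its acceptance period is the time step times the skew, and clock drift beyond that shows up as login failures, which is the synchronization burden the article describes.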
