
One-time passwords

  In order to combat the problems of sharing and eavesdropping on passwords, one can employ a method known as "one-time" passwords. The idea is that each time a user authenticates to the system, they supply a different password. This new password generally needs to be computed for them by software or hardware that they carry with them. There are a variety of methods for doing so, including a variety of software and/or hardware tokens. They generally fall into two categories: a challenge/response system or a time-based algorithm. In a challenge/response system, the system issues a challenge, which is then used to compute the appropriate response. The response can be computed by a token, an automatic program, or a piece of user software. The only time-based algorithm that I am aware of is called SecurID, and is marketed by Security Dynamics. In such a system, the user carries a special token that displays the correct response of the moment. There are several such tokens sold, and one requires a PIN to be entered into the device before it displays the correct response. The time-based system has the advantage that the user is not required to handle a challenge, but the disadvantage that it may be vulnerable to replay attacks for a short time period unless properly implemented, since an eavesdropped code stays valid until the clock advances to the next interval. It is also a proprietary technology, which limits interoperability, the choice of tokens, and the administrative tools available.
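The following is an added example, not code from the original page and not any vendor's product: it models both categories described above with a shared secret and an HMAC-SHA256 keyed function (an assumption; the page names no particular algorithm). The challenge/response server issues a random single-use challenge, and the time-based server accepts one interval of clock skew but refuses any code from an interval at or before the last one it accepted, which is the "proper implementation" that closes the short replay window. The secret value and the 60-second interval are constructed sample values.

```python
import hmac
import hashlib
import secrets

# Shared secret provisioned into the token and the server (constructed sample value).
SECRET = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")


def _mac(secret: bytes, message: bytes, digits: int = 6) -> str:
    """Derive a short numeric code from an HMAC; truncation keeps it typeable."""
    digest = hmac.new(secret, message, hashlib.sha256).digest()
    return str(int.from_bytes(digest[:4], "big") % 10**digits).zfill(digits)


# --- Challenge/response ----------------------------------------------------

class ChallengeResponseServer:
    """Issues a fresh random challenge per login; each challenge is single-use."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.outstanding: set[bytes] = set()

    def issue_challenge(self) -> bytes:
        challenge = secrets.token_bytes(16)
        self.outstanding.add(challenge)
        return challenge

    def verify(self, challenge: bytes, response: str) -> bool:
        # A challenge that was never issued, or was already consumed, is rejected,
        # so a recorded response cannot be replayed against a later login.
        if challenge not in self.outstanding:
            return False
        self.outstanding.discard(challenge)
        expected = _mac(self.secret, challenge)
        return hmac.compare_digest(expected, response)


def token_response(secret: bytes, challenge: bytes) -> str:
    """What the user's token (or software) computes from the displayed challenge."""
    return _mac(secret, challenge)


# --- Time-based ------------------------------------------------------------

STEP_SECONDS = 60  # assumed interval length; the page does not state one


def time_code(secret: bytes, now: int, step: int = STEP_SECONDS) -> str:
    """Code shown on a time-based token at wall-clock time `now` (epoch seconds)."""
    counter = now // step
    return _mac(secret, counter.to_bytes(8, "big"))


class TimeBasedServer:
    """Accepts the current interval plus `skew` intervals either side for clock drift,
    but never a code from an interval at or before the last accepted one."""

    def __init__(self, secret: bytes, step: int = STEP_SECONDS, skew: int = 1):
        self.secret = secret
        self.step = step
        self.skew = skew
        self.last_accepted_counter = -1

    def verify(self, code: str, now: int) -> bool:
        current = now // self.step
        for counter in range(current - self.skew, current + self.skew + 1):
            if counter <= self.last_accepted_counter:
                continue  # this interval already consumed: replay rejected
            expected = _mac(self.secret, counter.to_bytes(8, "big"))
            if hmac.compare_digest(expected, code):
                self.last_accepted_counter = counter
                return True
        return False


if __name__ == "__main__":
    srv = ChallengeResponseServer(SECRET)
    c = srv.issue_challenge()
    print("challenge/response accepted:", srv.verify(c, token_response(SECRET, c)))
    tb = TimeBasedServer(SECRET)
    now = 1_000_000
    code = time_code(SECRET, now)
    print("time-based accepted:", tb.verify(code, now), "replay:", tb.verify(code, now + 10))
```

Without the `last_accepted_counter` check the time-based verifier would accept the same eavesdropped code for the rest of the interval (and for the skew intervals around it), which is exactly the short replay exposure the text describes; the challenge/response design avoids that problem by construction because each challenge is discarded after one use.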
Kevin S. McCurley
Sat Mar 11 16:00:15 MST 1995