One-time Password: Pros and Cons

Any Mission Impossible or James Bond fans out there? Just about every movie in those two franchises deals with the protection of secure data. It kind of comes with the territory. With the evolution of each film comes the evolution of ways to protect data, as well as new, ingenious methods of getting around those security methods. It’s a vicious cycle that Hollywood depicts almost perfectly: a new security method comes into place, and someone turns around and breaks through, making whichever company that was breached require a newer, stronger method of protection. In Mission Impossible: Ghost Protocol, they show a futuristic form of facial recognition in a contact lens. Of course, this tech is still not common, but biometrics of this sort isn’t exactly new. As a matter of fact, biometrics are just one form of a one-time password; an authentication option that is continually growing in popularity.

Like anything else, there are both pros and cons to not only implementing a one time password solution, but also to the various one time password solutions themselves. Today we are going to look at some of the various types of OTPs available, and which ones stand out amongst the crowd.

One-Time Password: The Variable Choice

Hard Tokens

RSA SecurID

RSA’s well-established hard token provides a wide range of OTP Services with the same token.

PROS:

• Widely available, easy to adopt.
• Customizable use.
• Provides OTP, Encryption, and Email signing.

CONS:

• Multiple uses means multiple lockouts if ever lost or stolen.
• Only runs with RSA Infrastructure installed.

YubiKey

Yuibco’s hard token emulates a usb keyboard and both generates and submits a unique OTP.

PROS:

• Lower cost than other Hard Tokens
• No Batteries required
• Simple push button interface
• OTP is unique to each key, and every generation is unique from any other.

CONS:

• Still a cost associated with them.
• Replacement Fees.
• Limited range of services that can sync with YubiKey.

HMAC-Based OTP Tokens

A hard token that uses a counter that increases incrementally with each use.

PROS:

• Easily adaptable into multiple systems.
• No timeout worries.

CONS:

• Cost associated with Hard Tokens.
• Replacement fees.

Printed OTPs

In case users do not have cell phone access, or are unwilling (or unable) to adopt other hard tokens, printed OTP’s allow users to print a list of OTPs and use them as a fall back.

PROS:

• Great fall back when other methods are not an option.
• Simple, long lasting.
• No timeouts.

CONS:

• Requires printer access.
• OTP printouts can be easily misplaced or lost.
• Easily accessible to outsiders if not protected accurately.

Soft Tokens

Mobile Authenticator

Mobile phones are being used in business for an increasingly large amount of tasks. Using a mobile authenticator, such as Google Authenticator or the PortalGuard Password Reset App to generate a one-time password is simple, easy to use solution.

PROS:

• No Cost; Both Google Authenticator and PortalGuard Password Reset are freely available on mobile app stores. (PortalGuard is iTunes only, with Android coming soon!)
• Does not require a cell phone signal to use.
• Easy to use and accessible to majority of modern employees who carry their phones with them at all times.

CONS:

• Cannot be batch imported by system administrators
• Only one mobile app can be enrolled at a time per user
• Subject to cell phone loss

Tokenless

PassiveKey

PortalGuard provides a solution to transparently authenticate a user without having to manually enter OTPs. PassiveKey also removes additional expenses and management overhead traditionally associated with hardware tokens.

PROS:

• Provides the Security of Two-Factor Authentication (2FA) without negatively impacting employees.
• PassiveKey automatically submits a Time-based one-time password to the server upon logging in through a web browser.
• Usable with Virtual Machine by association with a hotkey.

CONS:

• Requires client side installation of the application.
• Only applicable for single machine interfaces.

Helpdesk generated OTP

Defers the OTP generation process to the network Helpdesk

PROS:

• Provides an extra safety net option if others fail.
• Helpdesk employees can verify user themselves before generating the OTP

CONS:

• Directly relies on Helpdesk and employees.
• Privy to human error

Voice Calling

Voice calling for an OTP is the notion of using an existing landline or cell phone to receive an automated voice iteration of a one-time password code.

PROS:

• Most voice calling OTP methods leverage existing phone infrastructures.
• Typically uses a hosted text-to-speech service.
• Avoids security issues inherent in person to person transferal of sensitive data; the shared secret stays between the end-user and the server.

CONS:

• Requires an already established, dedicated landline to function.
• If using with a cell phone, signal and battery life are a must for adequate performance.
• Often, using a hosted text-to-speech service incurs cost per-use.

SMS Text Messaging

By using an SMS text messaging system for OTP delivery, an employee can leverage their cell phone easily to receive and view the OTP.

PROS:

• No additional hardware or infrastructure is required to leverage this delivery method.
• Companies can often make use of telephone companies’ existing SMTP-to-SMS gateways.
• Quick Delivery if using 3^rd Party Messaging providers.

CONS:

• Requires a reliable cell phone signal and battery life.
• May result in occasional SMS delivery failures
• Use of 3^rd Party Messaging providers often incurs a per text charge

Email

Using e-mail delivery as an OTP method is an option of security is something that may be sacrificed for usability. If an e-mail account is enrolled alongside a user account, OTPs may be sent to that address for use in verification.

PROS:

• Cost Effective.
• Simple to use
• Provides Easy Access to OTP without risking Timeouts

CONS:

• Less secure than other OTP or Two-Factor Authentication methods.
• Depends on consistent access to e-mail account without being logged in to the server

As you can imagine: there are plenty of options for any situation or compliance requirements. With the increase in mobile technology in the past few years, mobile authentication is quickly becoming the easiest way to enable two-factor authentication and one-time password benefits. For users who want complete control over authentication methods, and would like to leverage multiple protocols within a single environment, PortalGuard stands out above the rest. With PortalGuard, customization by user or user group is simple and easy to maintain with support from a team of experienced experts. When you can have everything wrapped up in a nice little package, why settle for less?