Tuesday, March 25, 2008

Part 1: Two-Factor Authentication?!?

Recently, I was reading an article on One Time Passwords in an IT security magazine called hakin9, entitled "One Time Passwords - New Dimensions in Security". Details of the magazine can be found at http://hakin9.org/. I decided to share some the contents in the article and example of what two factor authentication is about in Singapore context. This will be a simple two parts about two factor authentication.

As most Singaporeans may have experienced by now with Internet banking, there's a secure device that displays a 6 digit numbers that is required each time you logon for Internet banking. An example will be the DBS iB secure device as shown in the picture (compliments of DBS). This will be an example of a two factor authentication where it requires both a password/PIN by the user and the unique 6 digit numbers shown on the DBS iB secure device. I will now share a bit further into the technology behind this simple act of login for Internet banking and how it adds another layer of security for people.

Traditionally, a static password and the username have been used to access resources available. This is no longer sufficient in today's environment and has led to better authentication methods for both online and offline resources. Thus, One Time Password (OTP) technology was used to generate and display a unique password which is only valid for a while was added for authentication. Verification of user credentials and access to resources are done in a safe, simple and efficient way using OTP technology.

The idea of OTP is the brainchild of Leslie Lamport. There are basically two main types of one-time passwords now: the first type is based on time-synchronization between the authentication server and the client providing the password, and a second type where the new password is based on a challenge (e.g. a random number chosen by the authentication server or transaction details) and a counter instead of being based on the previous password.

For the next part, I will show examples of OTP products and their suppliers with an example of the process in OTP generation.

References:
hakin9 Issue2/2008 "One Time Passwords - New Dimensions in Security" by Rajesh Mago
http://en.wikipedia.org/wiki/One-time_password

2 comments:

w01f said...

Two-factor Authentication in a easier term = It is to authenticate (allow access) using any 2 of the factors (methods) below:
- What you know? (e.g Password, PIN)
- What you have? (e.g Token, Access Card, Mobile phone)
- What you are? (e.g Fingerprint, Retinal)

The above article is talking abt using Token - "What you have?" that produced OTP, together with Password/PIN - "What you know?" to access the Internet banking website.

Rajesh Mago said...

Hi,

Good to see that you have referred to my article on OTP, published in Hakin9.

Your blog is good - informative and nicely setup.

Keep writing,

All the best,

Regards,

Rajesh Mago