May 27, 2009

Two Factor Authentication with OTP

What is Two factor authentication?

“Something you have, and something you know.”

Two Factor authentication has become a standard when non-repudiation or higher assurance
is needed to protect an asset. The premise behind it is simple: prove that you are who
you say you are using two independent factors. The idea is as old as the bank card with
a PIN (itself a two factor device); combine a physical device with a username and pass code.

OTP [One Time Passcode] solutions for Two Factor dominate the industry and are usually
referred to as Tokens.

How Does Two Factor OTP work?

A “Seed” (a secret key provisioned to both the server and the token) is used to get the
server and token in sync. The token combines the seed with a moving factor, either the
current time or an event counter, under a cryptographic algorithm (typically an HMAC) to
generate the OTP, and the server repeats the same computation to verify it. As the name
implies, the passcode is designed to be used “one time” and usually is configured
to expire shortly after it has been generated.
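The mechanics above, as an added worked example (not code from the original post): an HMAC-SHA1 one-time password in the style of HOTP (RFC 4226), a time-based variant that uses the number of 30-second steps since the Unix epoch as the moving factor, and the server-side verifier with a drift window and replay protection so a code really is accepted only one time. The seed value is the RFC 4226 test key, used here only so the outputs are checkable; the class and function names are my own.

```python
import hashlib
import hmac
import struct
import time

# Shared secret provisioned to both sides. This is the RFC 4226 test key,
# used here as a constructed example value; real seeds are random bytes.
SEED = b"12345678901234567890"


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based OTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamically truncated to a 31-bit integer, then reduced to `digits`
    decimal digits (left-padded with zeros)."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(seed: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """Time-based OTP: the counter is the number of `step`-second intervals
    since the Unix epoch, so token and server stay in sync as long as their
    clocks agree to within about one step."""
    return hotp(seed, unix_time // step, digits)


class OtpVerifier:
    """Server side: holds the shared seed, tolerates a little clock drift,
    and refuses to accept the same interval's code twice."""

    def __init__(self, seed: bytes, step: int = 30, window: int = 1, digits: int = 6):
        self.seed = seed
        self.step = step
        self.window = window      # steps of drift tolerated in each direction
        self.digits = digits
        self.last_counter = -1    # highest counter already consumed

    def verify(self, submitted: str, unix_time: int) -> bool:
        now = unix_time // self.step
        for counter in range(now - self.window, now + self.window + 1):
            if counter <= self.last_counter:
                continue  # already used (or older than one we accepted): replay
            expected = hotp(self.seed, counter, self.digits)
            # constant-time comparison so a wrong guess leaks nothing via timing
            if hmac.compare_digest(expected, submitted):
                self.last_counter = counter
                return True
        return False


if __name__ == "__main__":
    now = int(time.time())
    code = totp(SEED, now)
    server = OtpVerifier(SEED)
    print("token shows:", code)
    print("first use accepted:", server.verify(code, now))
    print("replay accepted:", server.verify(code, now + 5))
```

The window of one step each way is what lets a soft token whose clock is a few seconds off still authenticate; widening it buys drift tolerance at the cost of more guessable codes per attempt, so pair it with rate limiting on failures.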

Types of Two Factor OTP:

Depending on your need, several options exist for deploying Two Factor OTP.

Hard Tokens: A physical device with a battery. These come in many
forms: USB based, display only, or display with a PIN pad. Note: the latest innovations
with tokens include credit card sized hard tokens.

Software Tokens: The same as hard tokens, but instead of a battery-powered device, the
token is software installed on a PC, laptop or smart phone. Environmental
factors such as the computer's BIOS clock and network time are used, in addition to the
seed, to keep the OTP in sync with the server.

On Demand OTP: SMS/email. Directory profile information about the
user's cell phone number or email address is used to deliver the OTP.

Scratch Card: Entrust's offering; the user has a card printed with
a bingo style grid. The server issues a challenge as a set of grid coordinates, much like
bingo: A5, B7, C9, D8. The user reads the values at those cells off the card and enters
them as the OTP; without the card you cannot answer the server's challenge.

OTP Considerations:

Pros: What are the advantages of Two Factor OTP for strong

  • Easy to set up.
  • Very mature technology. Most vendors include self service.
  • Widely supported. Usually integrated via RADIUS, and most vendors provide
    out-of-the-box support for popular access platforms like SiteMinder or CoreID.

Cons: OTP is not perfect. What are some of the issues with deploying
Two Factor OTP?

  • Can be somewhat difficult to scale, logistically. Although there are a lot of options
    available, a lot of questions must be answered prior to deployment:

How do you deliver the tokens?

What happens when a user loses a token?

What if they are traveling and they lose a token?

What sort of permissions do they need to install a soft token?

Do I have accurate employee contact information in a directory to use SMS or email tokens?

How do I prevent someone from changing that contact information (and thereby redirecting
the OTP to themselves)?

  • High costs to scale, especially with hard tokens. Hard tokens can range from $5 to $70
    per user: not bad at 100 users, but consider 10,000. Also consider that hard tokens have
    a battery and therefore a shelf life of 5-7 years.

Future: Look to the clouds. Several vendors like Verisign (see the VIP
Network) are starting to offer cloud based authentication services to allow for cross
domain trust.

Presumably these types of services will be a platform to offer additional services
like risk based authentication or integration with identity provider frameworks like
OpenID or federation.

Vendors:

  • RSA – SecurID with Authentication Manager
  • ActivIdentity
  • Entrust – IdentityGuard Mini Token, Scratch Cards
  • Verisign – Unified Authentication