
One-time Password: Pros and Cons

One-time passwords

Any Mission Impossible or James Bond fans out there? Just about every movie in those two franchises deals with the protection of secure data. It kind of comes with the territory. With the evolution of each film comes the evolution of ways to protect data, as well as new, ingenious methods of getting around those security methods. It’s a vicious cycle that Hollywood depicts almost perfectly: a new security method comes into place, someone turns around and breaks through it, and whichever company was breached then needs a newer, stronger method of protection. In Mission Impossible: Ghost Protocol, they show a futuristic form of facial recognition in a contact lens. Of course, this tech is still not common, but biometrics of this sort aren’t exactly new. As a matter of fact, biometrics are just one form of a one-time password, an authentication option that is continually growing in popularity.

Like anything else, there are pros and cons not only to implementing a one-time password solution, but also to the various one-time password solutions themselves. Today we are going to look at some of the various types of OTPs available, and which ones stand out amongst the crowd.

One-Time Password: The Variable Choice

Hard Tokens

RSA SecurID

RSA’s well-established hard token provides a wide range of OTP Services with the same token.

PROS:
  • Widely available, easy to adopt.
  • Customizable use.
  • Provides OTP, Encryption, and Email signing.
CONS:
  • Multiple uses means multiple lockouts if ever lost or stolen.
  • Only runs with RSA Infrastructure installed.

YubiKey

Yubico’s hard token emulates a USB keyboard and both generates and submits a unique OTP.

PROS:
  • Lower cost than other Hard Tokens
  • No Batteries required
  • Simple push button interface
  • OTP is unique to each key, and every generation is unique from any other.
CONS:
  • Still a cost associated with them.
  • Replacement Fees.
  • Limited range of services that can sync with YubiKey.

HMAC-Based OTP Tokens

A hard token that derives each code from a counter that increments with every use.

PROS:
  • Easily adaptable into multiple systems.
  • No timeout worries.
CONS:
  • Cost associated with Hard Tokens.
  • Replacement fees.

Printed OTPs

In case users do not have cell phone access, or are unwilling (or unable) to adopt other hard tokens, printed OTPs allow users to print a list of OTPs and use them as a fallback.

PROS:
  • Great fallback when other methods are not an option.
  • Simple, long lasting.
  • No timeouts.
CONS:
  • Requires printer access.
  • OTP printouts can be easily misplaced or lost.
  • Easily accessible to outsiders if not protected properly.
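Server-side handling of a printed code sheet, as an added example (not PortalGuard's implementation): the codes are generated once for printing, the server keeps only salted hashes so a database leak does not yield usable codes, each code is consumed on first use, and a lost printout is handled by revoking the remaining codes. Function names and the record layout are assumptions for illustration.

```python
import hashlib
import hmac
import secrets


def _hash_code(code: str, salt: bytes) -> str:
    # Slow salted hash: printed codes are short, so a leaked table must resist brute force.
    return hashlib.pbkdf2_hmac("sha256", code.encode(), salt, 100_000).hex()


def issue_printed_codes(count: int = 10, digits: int = 8):
    """Return (plaintext codes to print for the user, record the server stores)."""
    salt = secrets.token_bytes(16)
    codes = [str(secrets.randbelow(10 ** digits)).zfill(digits) for _ in range(count)]
    record = {"salt": salt, "unused": {_hash_code(c, salt) for c in codes}}
    return codes, record


def redeem_printed_code(record: dict, submitted: str) -> bool:
    """Accept a code exactly once; a resubmission or a guess is rejected."""
    digest = _hash_code(submitted.strip(), record["salt"])
    for stored in record["unused"]:
        if hmac.compare_digest(stored, digest):
            record["unused"].remove(stored)   # single use: drop it before returning
            return True
    return False


def revoke_sheet(record: dict) -> None:
    """Response to a misplaced printout: every remaining code becomes invalid."""
    record["unused"].clear()


if __name__ == "__main__":
    sheet, stored = issue_printed_codes(5)
    print("print these for the user:", sheet)
    print("first use:", redeem_printed_code(stored, sheet[0]))
    print("second use of same code:", redeem_printed_code(stored, sheet[0]))
    revoke_sheet(stored)
    print("after revocation:", redeem_printed_code(stored, sheet[1]))
```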

Soft Tokens

Mobile Authenticator

Mobile phones are being used in business for an increasing number of tasks. Using a mobile authenticator, such as Google Authenticator or the PortalGuard Password Reset App, to generate a one-time password is a simple, easy-to-use solution.

PROS:
  • No Cost; Both Google Authenticator and PortalGuard Password Reset are freely available on mobile app stores. (PortalGuard is iTunes only, with Android coming soon!)
  • Does not require a cell phone signal to use.
  • Easy to use and accessible to the majority of modern employees, who carry their phones with them at all times.
CONS:
  • Cannot be batch imported by system administrators
  • Only one mobile app can be enrolled at a time per user
  • Subject to cell phone loss

Tokenless

PassiveKey

PortalGuard provides a solution to transparently authenticate a user without having to manually enter OTPs. PassiveKey also removes additional expenses and management overhead traditionally associated with hardware tokens.

PROS:
  • Provides the Security of Two-Factor Authentication (2FA) without negatively impacting employees.
  • PassiveKey automatically submits a Time-based one-time password to the server upon logging in through a web browser.
  • Usable with a virtual machine by associating it with a hotkey.
CONS:
  • Requires client side installation of the application.
  • Only applicable for single machine interfaces.

Helpdesk generated OTP

Defers the OTP generation process to the network Helpdesk.

PROS:
  • Provides an extra safety net option if others fail.
  • Helpdesk employees can verify the user themselves before generating the OTP.
CONS:
  • Directly relies on Helpdesk and employees.
  • Prone to human error.

Voice Calling

Voice calling for an OTP is the notion of using an existing landline or cell phone to receive an automated voice reading of a one-time password code.

PROS:
  • Most voice calling OTP methods leverage existing phone infrastructures.
  • Typically uses a hosted text-to-speech service.
  • Avoids security issues inherent in person to person transferal of sensitive data; the shared secret stays between the end-user and the server.
CONS:
  • Requires an already established, dedicated landline to function.
  • If using with a cell phone, signal and battery life are a must for adequate performance.
  • Often, using a hosted text-to-speech service incurs cost per-use.

SMS Text Messaging

By using an SMS text messaging system for OTP delivery, an employee can leverage their cell phone easily to receive and view the OTP.

PROS:
  • No additional hardware or infrastructure is required to leverage this delivery method.
  • Companies can often make use of telephone companies’ existing SMTP-to-SMS gateways.
  • Quick Delivery if using 3rd Party Messaging providers.
CONS:
  • Requires a reliable cell phone signal and battery life.
  • May result in occasional SMS delivery failures.
  • Use of 3rd Party Messaging providers often incurs a per-text charge.

Email

Using e-mail delivery as an OTP method is an option in which some security is sacrificed for usability. If an e-mail account is enrolled alongside a user account, OTPs may be sent to that address for use in verification.

PROS:
  • Cost Effective.
  • Simple to use
  • Provides Easy Access to OTP without risking Timeouts
CONS:
  • Less secure than other OTP or Two-Factor Authentication methods.
  • Depends on consistent access to the e-mail account without being logged in to the server.

As you can imagine, there are plenty of options for any situation or compliance requirement. With the increase in mobile technology in the past few years, mobile authentication is quickly becoming the easiest way to enable two-factor authentication and one-time password benefits. For users who want complete control over authentication methods, and would like to leverage multiple protocols within a single environment, PortalGuard stands out above the rest. With PortalGuard, customization by user or user group is simple and easy to maintain with support from a team of experienced experts. When you can have everything wrapped up in a nice little package, why settle for less?

Author: Christopher Perry

Christopher is a Technical Support Engineer and content generator here at PistolStar, Inc. He has a Master’s Degree in English from SUNY Albany, and enjoys reading and writing about all things: especially poetry, science fiction and fantasy. Christopher’s daily tasks see him using his customer service and IT experience to improve written content for PistolStar, Inc., while working with customers to provide the best experience possible.

13 Comments

  1. My brother recommended I might like this website.
    He was entirely right. This post actually made my day. You can not
    imagine simply how much time I had spent for this information! Thanks!

  2. Admiring the hard work you put into your blog and detailed information you provide.
    It’s nice to come across a blog every once in a while that
    isn’t the same out of date rehashed material. Great read!

    I’ve saved your site and I’m adding your RSS feeds
    to my Google account.

  3. When I originally left a comment I appear to have clicked on the -Notify me when new comments are added- checkbox and from
    now on every time a comment is added I receive 4 emails with the exact same comment.
    Perhaps there is an easy method you can remove me from
    that service? Many thanks!

  4. Hi, Nice submit. Likely to situation together with your website in web browser, may possibly take a look at? Firefox nonetheless could be the market place fundamental in addition to a big section of others is going to overlook a person’s amazing publishing for this challenge Android Review.

  5. Hi there to every one, for the reason that I am in fact eager
    of reading this blog’s post to be updated regularly. It carries pleasant data.

  6. This is very interesting, You are a very skilled blogger.

    I have joined your rss feed and look forward to seeking more
    of your excellent post. Also, I have shared
    your site in my social networks!

  7. Always a major fan of linking to bloggers that I appreciate but do not get lots of link adore from.

  8. I needed to thank you for this great read!! I absolutely enjoyed every little bit of it.
    I have got you book-marked to check out new stuff you post…

  9. Thank you a bunch for sharing this with all folks you actually recognize what you are speaking approximately! Bookmarked. Please additionally talk over with my site =). We may have a link change contract among us

  10. There’s definitely a lot to find out about this subject.

    I like all of the points you have made.

  11. Thanks for sharing, great article.

  12. Excellent post, I did read it twice so sorry for this, I have passed it on to my friends, so confidently they should
    like it as well.

  13. OTPs have become necessary in our day to day transactions and OTPs make our transactions secure over the internet.
