
Thread: Distributing one-time passwords

#1 xqus (Junior Member; Join Date: Apr 2006; Posts: 15)

    Distributing one-time passwords

    I'm working on a web service that needs two-factor authorization, and therefore I need a way of securely distributing one-time passwords. The primary method will be sending an SMS with the password to the user's phone, but I need a fallback method in case the user doesn't have the phone with him.

    So, there are imho two practical ways for me to do this:
    Create a "card" with n predefined passwords and e-mail this to the user in advance.
    Or e-mail the user just one password instead of sending it by SMS.

    The problem is that e-mail isn't the most secure way of communicating, so any ideas on how to do this more securely, or any thoughts at all?

#2 MrLinus (Just a Virtualized Geek; Join Date: Sep 2001; Location: Redondo Beach, CA; Posts: 7,323)
    The reality is that if you cannot use the phone, you'll have to use email. You can limit it to a non-web-based email account (e.g., gmail, hotmail, yahoo, etc.), but the reality is that, short of sneaker-net, you are left with email as the only mechanism to send a notification to.

    I think the one-time password is a better option. It forces the user to change their password when they log in. Additionally, you could include questions that the user pre-defined to identify themselves when they first registered (e.g., your first pet's name, favourite TV show, shoe size, etc.).

#3 CybertecOne (Keeping The Balance; Join Date: Aug 2004; Location: Australia; Posts: 660)
    I fully agree with MsM and would also recommend a single password sent via email that requires a new password to be provided upon the user's first login.

    Naturally, if the user responds informing you that they are not able to log in (so someone else logged in using the stolen password and was then forced to change it to something different), at this point you could investigate any security breach. But until this happens, stress less.

    CTO
    "Any intelligent fool can make things bigger and more complex... It takes a touch of genius --- and a lot of courage to move in the opposite direction."
    - Albert Einstein

#4 xqus (Junior Member; Join Date: Apr 2006; Posts: 15)
    Sounds fair enough. I'm not looking for the same security as online banks, but I'm aiming close.
    So what I have now is a regular username/password login with a one-time password sent to the user by either phone or email. This is also required when making changes to the account, e.g. changing the password.
    I've also looked at integrating YubiKey support (mine is on its way from the store now), but I'm not sure if there is a security benefit in replacing the one-time passwords from email/SMS with one from the YubiKey, other than the danger of someone eavesdropping on the email communication.
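The flow described in this post (password login first, then a one-time password delivered by SMS or e-mail, also demanded before account changes such as a password change) and the e-mailed card of n predefined passwords from the first post, written out as an added Python example. This is not code from the thread or from any of the posters. The delivery channel is abstracted as a callback; the five-minute lifetime, five-attempt limit, eight-digit code length and the in-memory store are assumptions made for the example, not values from the thread.

```python
"""Server-side bookkeeping for out-of-band one-time passwords (OTPs).

Added example, not from the thread. Two mechanisms are covered:
  * a fresh code per use, delivered over SMS or e-mail, bound to a purpose
    ("login", "password_change"), single-use, time-limited, attempt-limited;
  * a card of n codes e-mailed once in advance, where the server challenges
    a random unused position each time (the fallback from the first post).
Only salted, stretched hashes of the codes are kept on the server.
"""
import hashlib
import hmac
import secrets
import time

OTP_TTL_SECONDS = 300   # assumption: a delivered OTP is good for five minutes
MAX_ATTEMPTS = 5        # assumption: after five wrong guesses the OTP is burnt
OTP_DIGITS = 8          # assumption: 10**8 codes, so ~5e-8 success per OTP


def _digest(code: str, salt: bytes) -> bytes:
    # A leaked table must not hand out live codes, and a per-record salt
    # prevents one precomputed table from covering every user.
    return hashlib.pbkdf2_hmac("sha256", code.encode(), salt, 20_000)


class OtpStore:
    """Issues and verifies single-use codes. 'now' is injectable for tests."""

    def __init__(self, now=time.time):
        self._now = now
        self._pending = {}   # (user, purpose) -> record of a delivered OTP
        self._cards = {}     # user -> record of an e-mailed code card

    # -- a fresh code per use, delivered by SMS or e-mail -------------------
    def issue(self, user: str, purpose: str, deliver) -> None:
        code = "".join(secrets.choice("0123456789") for _ in range(OTP_DIGITS))
        salt = secrets.token_bytes(16)
        # Binding the code to a purpose stops a login OTP from being replayed
        # to confirm a password change; re-issuing replaces the older code.
        self._pending[(user, purpose)] = {
            "salt": salt, "hash": _digest(code, salt),
            "expires": self._now() + OTP_TTL_SECONDS, "attempts": 0,
        }
        deliver(user, code)   # the plaintext leaves the server only here

    def verify(self, user: str, purpose: str, code: str) -> str:
        key = (user, purpose)
        rec = self._pending.get(key)
        if rec is None:
            return "no_pending"       # never issued, already used, or burnt
        if self._now() > rec["expires"]:
            del self._pending[key]
            return "expired"
        rec["attempts"] += 1
        if rec["attempts"] > MAX_ATTEMPTS:
            del self._pending[key]    # online guessing is cut off here
            return "locked"
        if not hmac.compare_digest(_digest(code, rec["salt"]), rec["hash"]):
            return "wrong"
        del self._pending[key]        # single use: consumed on success
        return "ok"

    # -- a card of n codes e-mailed once, in advance ------------------------
    def issue_card(self, user: str, n: int = 20) -> list:
        codes = [secrets.token_hex(4) for _ in range(n)]   # 8 hex chars each
        salt = secrets.token_bytes(16)
        self._cards[user] = {
            "salt": salt, "hashes": [_digest(c, salt) for c in codes],
            "used": set(), "challenge": None,
        }
        return codes   # mailed to the user once; the server keeps only hashes

    def card_challenge(self, user: str):
        """Pick a random unused position; the user answers with that code."""
        card = self._cards.get(user)
        if card is None:
            return None
        unused = [i for i in range(len(card["hashes"])) if i not in card["used"]]
        if not unused:
            return None                  # card exhausted: issue a new one
        card["challenge"] = secrets.choice(unused)
        return card["challenge"] + 1     # 1-based, as printed on the card

    def verify_card(self, user: str, code: str) -> str:
        card = self._cards.get(user)
        if card is None or card["challenge"] is None:
            return "no_pending"
        i = card["challenge"]
        card["challenge"] = None         # one answer per challenge
        if not hmac.compare_digest(_digest(code, card["salt"]), card["hashes"][i]):
            return "wrong"               # next challenge picks a new position
        card["used"].add(i)              # each position is spent exactly once
        return "ok"
```

The hashing and attempt limits protect against a stolen database and online guessing; they do nothing against the concern raised in the first post, an attacker reading the e-mail in transit or in the mailbox, since whoever holds the delivered code or the whole card holds the second factor. Binding each delivered code to a purpose and consuming it on first successful use at least confines what an intercepted code can be spent on and for how long.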

#5 CybertecOne (Keeping The Balance; Join Date: Aug 2004; Location: Australia; Posts: 660)
    I suppose that the level and type of security required is the requirement for security.

    For instance, to prevent people from accessing a system, you would want a strong logon password.

    However, if accessing the system is accepted, but there are important documents you want protected, then file encryption is required.

    Quote Originally Posted by xqus
    I'm working on a web service that needs two factor authorization
    Why does it require 2-factor authorisation? Typically, a secure website (including those of major banks) has a valid certificate and a username/password-based system for the end users. I do know of some banks that use 2-factor authorisation:

    Two-Factor Authentication Basics
    Two-factor authentication is a security process in which the user provides two means of identification:
    one of them is typically a physical token, such as a USB flash drive or smart card,
    and the other one is typically something memorized, such as a security code or PIN code for the USB flash drive.

    In this context, the two factors involved are sometimes referred to as something you have and something you know.


    --

    Maybe you will want to set up a smart card?

#6 xqus (Junior Member; Join Date: Apr 2006; Posts: 15)
    The reason I want to use 2FA is simple. Users are not able to choose a secure password and store it in a safe way. Therefore the "something they know" aspect isn't safe enough in my opinion. Something they have, their mobile phone, is much more likely to be kept secure, and disabled if stolen.

    There are no banks in Norway that do not use 2FA; most use tokens, but for a free service this is unlikely. Some other banks in Norway use predefined passwords that you get in the mail on paper, and some use one-time passwords sent to your mobile phone.
    As I wrote, I plan to add YubiKey support for users who want to buy one, but for the rest I need an alternative method.

    My website of course has a valid certificate, but this does not help me identify the users. A client certificate is an option, but I still have a problem issuing these. They are also impractical because my service will be used from all the user's locations: home, work and probably computers that don't belong to them.

#7 CybertecOne (Keeping The Balance; Join Date: Aug 2004; Location: Australia; Posts: 660)
    Cool.

    Well, in this case I would advise speaking with someone who has experience in token/smartcard access, and discussing the implications and how it would roll out.

    You mentioned a couple of products earlier; perhaps give their sales and support teams a call, get a quote and then find an alternative method of rolling out the system, such as purchasing a different, DIY product.

    There are so many checkboxes to mark for this kind of system to be easily/successfully rolled out and administered, not to mention the cost of any licensing and the smart cards themselves. Unfortunately, I have never tackled a project like this and don't have any further advice.

    Good luck


#8 xqus (Junior Member; Join Date: Apr 2006; Posts: 15)
    Well, thanks for the advice and input. This discussion has proven helpful, and since this topic is not very much discussed around the net it's hard to get any feedback at all. So every bit of input is appreciated.

    The whole point is to keep the administration to a minimum, minimizing the risk of screw-ups.
    I will report back later with the final results if anyone is interested.

#9 CybertecOne (Keeping The Balance; Join Date: Aug 2004; Location: Australia; Posts: 660)
    Quote Originally Posted by xqus
    since this topic is not very much discussed around the net it's hard to get any feedback at all
    I can only imagine that this solution is rarely used by admins/companies that would use the internet as an information resource, and that large corporations that have this implemented keep everything in-house and secret, and discuss solutions directly with the vendors using their gold-class partnerships.



#10 Junior Member (Join Date: Jan 2010; Posts: 1)

    Why not use Umikey?

    Quote Originally Posted by xqus
    Sounds fair enough. I'm not looking for the same security as online banks, but I'm aiming close.
    So what I have now is a regular username/password login with a one-time password sent to the user by either phone or email. This is also required when making changes to the account, e.g. changing the password.
    I've also looked at integrating YubiKey support (mine is on its way from the store now), but I'm not sure if there is a security benefit in replacing the one-time passwords from email/SMS with one from the YubiKey, other than the danger of someone eavesdropping on the email communication.
    Just wondering, why not support Umikeys first? Since it is robust and much more affordable to all.

    I've been using Umikey on Mashedlife and it works like a dream. The auto-navigation and OTP generation work on both my German and English keyboards, and on Linux, Mac and PC. And the price is reasonable: I bought a bunch at ~$5 each.

    Thanks for inputs
