Printable View
Hi folks,
One time password (OTP) OR Tokenless Password to replace the token.
I have been searching for OTP software on Sourceforge and Freshmeat, used to replace the hardware token. They brought me hundreds of software suggestion.
Any folk has previous experience on OTP? Please shed me some light. Pointers would be appreciated. TIA
B.R.
satimis
Hi satimis ,
You asked if anyone had experience of OTP and Tokens, well yes I have and I can tell you how we have used them and how I have seen them used. Please do NOT take this as a recommendation or best practice statement. This is just how I have seen it done.
Take the RSA (keyfob) Token. It gives you a number that changes every 60 seconds and is used in conjunction with your personal password. This is the "something you have and something you know" concept.
This is useful for multiple sites and large sites with mobile staff. They log off at one location and can immediately gain access at another, with a fresh authentication. Their user ID and the password/key gives them a unique identification.
OTPs are exactly that. As soon as you log off you need a new one. This is the sort of thing you would give to a contractor, visiting software engineer, student sitting an exam and the like.
In my experience OTPs require more careful management and are best for people who are only going to be around for a short while. They are a potential security weakness in that the temptation is to leave a workstation logged on whilst you go somewhere else.
Tokens are more secure in this respect, as there is no problem with logging off as you know you can get back on as soon as you like.
They are best for staff who are mobile and who are going to be around for a reasonable period of time.
That is a quick overview. Obviously there are all sorts of subtle variations that can be introduced to improve the security of both methods.
:)
Hi
I got the approach of OTP's but i am confused on their real-life implementation.
How does a user gets a new passowrd ?