How one-time passwords fit in with multifactor authentication

What is a one-time password system? Does it count as a second authentication factor? Can it improve authentication security whether it is a second authentication factor or not?

Multifactor authentication is a term used to describe security mechanisms that make use of two or more distinct forms of authentication to increase the difficulty of circumventing, cracking, or otherwise getting past normal authentication protections. The key to multifactor authentication is that each "factor" is a different category of authentication mechanism, and not just a second authentication request using a different instance of the same category of mechanism.

Authentication factors are often identified as belonging to one of three categories:

  • Something You Are: This refers most often to biometric identification.
  • Something You Have: A smartcard, cellphone, or specific laptop computer may serve as this authentication factor.
  • Something You Know: The most common example of this authentication factor is a password.

A one-time password system is normally part of the Something You Know category of authentication factor. It is, however, a generally more difficult nut to crack (pun intended) for malicious security crackers. A more typical password system presents you with a prompt, and entering the single password you have memorized for the system at that prompt gets you into the system. A one-time password system, however, uses a different password every time you want to authenticate yourself. Each password is used only once; thus, the term "one-time."

The way you get your one-time passwords for entry into the system varies from one one-time password implementation to another. Good systems tend to involve an algorithmically predictable series of passwords over a limited span of time, generated in two places: on some kind of one-time-password-generating token or software, and on the system where the one-time password should be entered. Unpredictability for outsiders is introduced by the (cryptographically) random selection of a starting point for the series and by what cryptographers call "salting", where the output of the system is determined in part by some secret variation injected into the algorithm's operation. Such predictable series are typically only predictable in one direction, and are used in reverse, so that gaining access to a given one-time password in the series will only allow one to predict one-time passwords that have already been used.

Depending on how strictly you define separation of authentication factors, and on how you implement a one-time password system, introducing one-time passwords to your authentication scheme can provide multifactor authentication security. An implementation that involves the use of a separate hardware token, such as a USB device or smartphone that reveals the next password in the cycle when needed, qualifies as "something you have". The fact that the password must then be entered at a prompt the same way a more traditional, reusable password is entered might prompt some to disqualify this as a second authentication factor: it is conceivable that certain types of attacks can compromise both the reusable password and the one-time password, because the verification of the two is likely to share at least part of the same implementation.

Regardless of whether you consider a one-time password system a strictly defined second authentication factor, it can at least provide some of the benefit of multifactor authentication, and make it more difficult for unauthorized parties to get through the authentication process. Operating systems like Debian GNU/Linux and FreeBSD offer easy installation and configuration of one-time password systems, and the Android Market offers a plethora of one-time password applications that can turn your smartphone into a separate hardware token for use in your one-time password system.

The biggest benefit of a one-time password system is probably that it blunts the danger of your network traffic being sniffed or of a keystroke logger recording everything you type. Certainly, if there is a keystroke logger on your computer you should do something about it anyway -- but if a keystroke logger is there and you do not realize it, at least recording a one-time password will not give a malicious security cracker a password that actually provides access to the system later.
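The hash-chain scheme described above (a series predictable only in one direction, used in reverse) and the replay benefit just mentioned can both be shown in a few lines. The following is an added example written for this page, not code from any of the systems the article names: it builds an S/KEY-style chain from a secret plus a public salt, has the server keep only the most recently accepted value, and rejects a password that is presented a second time. The class and function names, the SHA-256 step function, and the constructed seed material are all assumptions of this example.

```python
import hashlib
import secrets

# One step down the chain: a one-way function applied once.
def hash_step(value: bytes) -> bytes:
    return hashlib.sha256(value).digest()

# The "salting" the article mentions: the chain's starting point depends on a
# secret the user knows plus a public, randomly chosen salt, so two users with
# the same secret still get different chains.
def derive_seed(secret: bytes, salt: bytes) -> bytes:
    return hashlib.sha256(salt + secret).digest()

# [seed, H(seed), H(H(seed)), ...] with `length` entries. Going forward
# (left to right) is cheap; going backward requires inverting the hash.
def build_chain(seed: bytes, length: int) -> list:
    chain = [seed]
    for _ in range(length - 1):
        chain.append(hash_step(chain[-1]))
    return chain

class OtpServer:
    """Server side: stores only the last value it accepted, never the seed."""

    def __init__(self, anchor: bytes):
        self.current = anchor

    def verify(self, candidate: bytes) -> bool:
        # Accept only the immediate predecessor of the stored value. A replayed
        # password hashes to the value before the stored one, so it fails.
        if hash_step(candidate) == self.current:
            self.current = candidate
            return True
        return False

class OtpToken:
    """Client side (the "something you have"): walks the chain backwards."""

    def __init__(self, seed: bytes, length: int):
        self.chain = build_chain(seed, length)
        # The last entry is the anchor the server holds; we start just before it.
        self.next_index = length - 2

    def next_password(self) -> bytes:
        if self.next_index < 0:
            raise RuntimeError("chain exhausted; re-enrol with a fresh seed")
        password = self.chain[self.next_index]
        self.next_index -= 1
        return password

# Enrolment: the token keeps the seed, the server keeps only the chain's end.
def enrol(length: int = 5, seed: bytes = None):
    if seed is None:
        seed = derive_seed(b"constructed-demo-passphrase", secrets.token_bytes(8))
    token = OtpToken(seed, length)
    server = OtpServer(token.chain[-1])
    return token, server

def demo() -> list:
    token, server = enrol(length=5, seed=b"constructed-demo-seed")
    results = []
    pw1 = token.next_password()
    results.append(server.verify(pw1))          # fresh password accepted
    results.append(server.verify(pw1))          # same password replayed: rejected
    pw2 = token.next_password()
    results.append(server.verify(pw2))          # next fresh password accepted
    # Someone who recorded pw2 can compute pw1, which is already spent, but
    # would need to invert the hash to obtain the password that comes next.
    results.append(hash_step(pw2) == pw1)
    return results

if __name__ == "__main__":
    print(demo())  # [True, False, True, True]
```

The server never holds anything from which future passwords can be derived, which is the property that makes a sniffed or keylogged password useless for a later login. In practice the chain has a fixed length and the user must re-enrol before it runs out; the `RuntimeError` above marks that point.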