
Using a One Time Passcode instead of a Username/Password September 29, 2013

Posted by bkrugman in Security.

With technology constantly advancing, the way that users interact with secured accounts needs to keep changing to ensure that a person's information is kept secure. If you look at how security and passwords were handled prior to the global adoption of the internet, you would see a lot of individual applications that each maintained their own user databases. While this could work and keep information secure in the past, this method does not seem to be as secure as it once was. Part of the reason is that, to compromise a desktop application, someone would have to get control of the desktop to be able to access the information. Now, however, there is a push to make information accessible and usable from virtually anywhere. Since this information is no longer confined to an individual's machine, the security models need to be able to adapt with the times.

Looking through David Chou's article "Strong User Authentication on the Web" [1], I started to think about some of the security mechanisms that he presented. The area that I thought about the most was the Multifactor Authentication examples that he provided. As users want more access to their data no matter where they are, I started to think about what types of mechanisms can be implemented to help secure the data, as well as provide the user with the best experience. This led me to the idea of possession-based authentication, which allows for more security than just a simple username and password. Since the adoption of smart devices has been growing, this provides a great opportunity for companies to leverage possession-based authentication without having to provide additional physical hardware. Also, for the user experience, if a user has to maintain multiple passcode devices to access different accounts, it adds a level of annoyance because they would need to keep track of which physical device is for which account. However, if a company leveraged a smart device as the possessed device, then it could implement a way to generate a distinct login for the user. To increase security, a company would not prompt users for a username, password and passcode like a lot of companies do now, but rather have them enter a single one-time generated code that would be a combination of the username, password and passcode. By removing the username and password piece it becomes even harder for the information to be compromised, because the one-time passcode would be built by an algorithm to ensure that it is unique and extremely difficult to break. The question that I pose, though, is: would you be willing to provide a smart device for a company to set up an application on to generate the one-time passcode? There are a lot of different instances where this occurs in the mobile world, but by doing something like this a person does potentially lose some privacy.
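To make the scheme above concrete, here is an added example (not code from the post or from Chou's article) of the standard possession-based one-time code, HOTP/TOTP per RFC 4226 and RFC 6238, together with a login routine that receives only the bare code and no username. The enrolment table, account names and device seeds are constructed for illustration; the point it shows is that when no username is sent, the server must resolve the account from the code itself and must reject the login when zero or several enrolled devices match.

```python
import hashlib
import hmac
import struct
from typing import Dict, Optional

# RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter, then
# dynamic truncation to a 31-bit integer, then the last `digits` decimal digits.
def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)

# RFC 6238 TOTP: the counter is the number of `step`-second intervals since the epoch,
# so a phone and a server with roughly synchronised clocks derive the same code.
def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    return hotp(secret, unix_time // step, digits)

def verify_totp(secret: bytes, code: str, unix_time: int,
                step: int = 30, digits: int = 6, window: int = 1) -> bool:
    """Accept the current step plus/minus `window` steps of clock skew,
    comparing in constant time so the check does not leak partial matches."""
    counter = unix_time // step
    return any(
        hmac.compare_digest(hotp(secret, c, digits), code)
        for c in range(counter - window, counter + window + 1)
    )

def login_with_code_only(enrolled: Dict[str, bytes], code: str,
                         unix_time: int) -> Optional[str]:
    """Resolve an account from a bare one-time code with no username sent.
    `enrolled` maps account name -> device secret established at enrolment
    (the binding between the possessed device and the account). Returns the
    account only when exactly one device matches; an ambiguous match is a
    collision between two users' codes and must not log anyone in."""
    matches = [user for user, secret in enrolled.items()
               if verify_totp(secret, code, unix_time)]
    return matches[0] if len(matches) == 1 else None

if __name__ == "__main__":
    # Constructed enrolment table; "alice" uses the RFC 6238 reference secret.
    ENROLLED = {"alice": b"12345678901234567890",
                "bob": b"constructed-device-seed-for-bob"}
    now = 59  # RFC 6238 test time: alice's code at T=59 is 287082
    print("alice's code:", totp(ENROLLED["alice"], now))
    print("login resolves to:", login_with_code_only(ENROLLED, "287082", now))
```

In practice a server would also bind a device identifier to the submitted code and rate-limit failures, since a six-digit space cannot uniquely identify users on its own at scale.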

Overall, I think Mr. Chou's article presents a lot of different aspects of how strong authentication needs to be implemented within a mobile and web architecture. I have, however, focused on a single instance of multifactor authentication that he describes within the article. If you were given the option to set up a bank account, or some other account that you constantly access, with a one-time passcode generated on your smart device without the need to enter a username/password, would you set this type of authentication up?



[1] David Chou. "Strong User Authentication on the Web". August 2008. Online: http://msdn.microsoft.com/en-us/library/cc838351.aspx



