Home Page ContentPress Releases Are OTP tokens secure?

Are OTP tokens secure?

by david.nunes

 

Monday 8th August,

 

Are OTP tokens secure?



There’s a lot of chatter at the moment, for understandable reasons, about whether OTP tokens  can still be considered secure. But according to Julian Lovelock, Senior Director, ActivIdentity, a global leader in secure identity solutions, part of HID Global, there’s no black and white answer.

Julian Lovelock stated: “Much of the concern around the security of OTP tokens stems from their underlying reliance on a symmetric key model. What that means in practical terms is that you need to load into the authentication server an exact copy of the key that’s injected into the OTP token . These keys, often referred to as ‘seeds’, therefore need to be managed. And the processes and systems that manage those keys/seeds are great places for attackers to go after.”

“When determining whether OTP tokens are secure enough, enterprises should take a look at how the keys are being managed. In many cases the process is as follows. The token vendor injects a key into the token during manufacturing. In parallel a seed file is created containing all the keys for a batch of tokens. The tokens are shipped to the customer along with the seed file. An administrator at the customer site loads the seed file into the authentication server,” he continued.

According to Julian Lovelock there are actually six potential points of compromise in the chain:

1. The manufacturing process that generates the seed file
2. The transport of that seed file to the customer site
3. The management of that seed file on site, prior to being loaded into the authentication server
4. The secure storage of the seed file within the authentication server
5. The retention by the customer of that seed file (often on a CD) subsequent to its being loaded into the authentication server
6. The retention of that seed file by the OTP token  vendor

Julian Lovelock continued: “A far more secure model is one in which customers can initialise OTP tokens  themselves from the admin console of the authentication server. In this model those pesky seed files are removed from the process because the key is simultaneously injected into the token and authentication server database. This eliminates five of the six potential points of compromise that attackers can go after,”

“Going forward security vendors who use this model will no doubt take extraordinary steps to ensure that seed files can’t be stolen from their internal systems. But, if you have six unlocked doors in your house, then just locking the one the burglars came through last time doesn’t necessarily make for a secure home. Of course there is a way to avoid all six points of compromise, which is to deploy smart cards , since these rely on an asymmetric key model,” concluded Julian Lovelock.

 

 

 

 

About ActivIdentity

 

ActivIdentity™ Corporation is a global leader in secure identity solutions, enabling customers to confidently establish trust in online activities. Over 2,500 enterprise, online banking and government organisations rely on ActivIdentity’s authentication and credential management solutions to meet their security and compliance requirements. ActivIdentity is headquartered in Silicon Valley, California. ActivIdentity is part of HID Global , an ASSA ABLOY Group brand. For more information, visit www.actividentity.com .

 

 

ActivIdentity Media Contact:
Mital Goel / Richard Merrin
Spreckley Partners Ltd.
T +44 (0)207.388.9988
ActivIdentity@spreckley.co.uk

 

 

Related Articles

This website uses cookies to improve your experience. We'll assume you're ok with this, but you can opt-out if you wish. Accept Read More