One-Time-Passwords are not Passwords!

We’re often asked why we don't support One Time Passwords (OTP) as an integrated part of G/On. First I need to say that we do support a range of OTP solutions, but it is true that we do not include OTP in our baseline configurations. There is actually an analysis behind this decision that I would like to share with you.

Firstly, primary logon security must be based on a username and a secret password (the first authentication factor). It is all about securely and unambiguously identifying you! That is the only objective of the login procedure. Starting with a name (not secret) and an associated password that only you know – supposedly – must therefore always be the starting point for any secure login solution. How you make sure that your passwords are strong and remain secret is another discussion.

To add additional security, a second authentication factor, something you own or possess, can be added. This is where a long range of technologies comes into play – just to mention a few: unique tokens, smartcards, mobile phones and the one-time-password technologies we’re talking about here. Wait a minute – isn’t an OTP a "password"? No! OTPs are about proving possession of a thing, not about passwords! The term "one time passwords" is therefore wrong, as it creates the wrong picture in the mind of the user. OTPs are not about replacing the password; they are about proving possession of a physical authentication factor (the device generating the OTP, a list of pre-generated OTPs etc.). At Giritech we therefore prefer the term "One Time Passcodes" instead. OTPs (and other second factor technologies) are secondary authentication level solutions. It would be a serious security flaw if you were to replace secret passwords with one-time-passwords!

So when we tried to rate the relative security level of some of the second factor authentication technologies we ended up with the following list:

1. Smartcards. The secret key that uniquely and unambiguously identifies the smartcard is generated when the card is enrolled, and it never leaves the actual hardware! It is extremely difficult to copy and extremely unlikely to be guessed – very secure.

2. Real-time generated one-time-passwords. You need a device (e.g. an active token of some sort) that is synchronized with your server and generates a new passcode every time you use it. The codes are therefore secret until they are needed and can only be used once.

3. Pre-generated one-time-passwords. A list of codes is generated at regular intervals and distributed. The codes are static for that period and have to be distributed (or generated locally) in a safe way – not quite as secure.
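To make the second point concrete, here is an added example (not G/On code) of a server-side check in the style of RFC 4226 HOTP: the code is derived from a secret sealed in the user's device plus a counter kept in sync with the server, it is only accepted together with the password, and each code is consumed once. The account fields, the look-ahead window and the PBKDF2 password stand-in are assumptions of the example.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass

# Constructed demo values; in a real deployment each account has its own salt and
# the token secret is provisioned into the device, never shown to the user.
DEMO_SALT = b"constructed-demo-salt"
LOOK_AHEAD = 5  # tolerate a few codes the device generated but the user never submitted


def hash_password(password: str) -> bytes:
    """First factor: a stored verifier for the secret the user knows (PBKDF2 stand-in)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), DEMO_SALT, 100_000)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


@dataclass
class Account:
    password_hash: bytes  # something the user knows
    token_secret: bytes   # shared with the user's device (something the user has)
    counter: int = 0      # server-side sync counter; advances on every accepted code


def verify_login(acct: Account, password: str, otp: str) -> bool:
    """Accept only password AND a fresh code: the code alone never identifies anyone."""
    if not hmac.compare_digest(hash_password(password), acct.password_hash):
        return False
    # The code must match one of the next LOOK_AHEAD counter values of this device.
    for c in range(acct.counter, acct.counter + LOOK_AHEAD):
        if hmac.compare_digest(hotp(acct.token_secret, c), otp):
            acct.counter = c + 1  # consume it: the same code is never accepted again
            return True
    return False


if __name__ == "__main__":
    acct = Account(hash_password("correct horse"), b"12345678901234567890")
    print(verify_login(acct, "correct horse", hotp(acct.token_secret, 0)))  # True
    print(verify_login(acct, "correct horse", hotp(acct.token_secret, 0)))  # False: replayed
```

The secret `12345678901234567890` is the RFC 4226 test-vector key, so the generated codes can be checked against the published values.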

When we factored in the usability of the different solutions, it became clear to us that the solution with the highest security level, smartcards, is actually also the one with the least end-user involvement (when designed correctly). And as we’ve talked about previously, overall security is dependent on simplicity. This means that making it easy for the end user to correctly use the technologies is a prerequisite for the overall security of the solution. It should therefore be obvious that smartcard based solutions (or similar unique token solutions) should be preferred over one-time-password based solutions.

This is why G/On will primarily support smartcard based technologies as the standard second authentication factor. We simply believe it is the most secure solution, and it has some very powerful simplification characteristics as well. One-time-passwords can only be additional "icing on the cake". So when will you be ready to replace your OTP solution?

In this blog, Lars Struwe Christensen, VP Business Innovation and CTO of Giritech, ponders on such topics as:

  • Security
  • The IT Industry
  • The future of working
  • The future of IT infrastructure
  • many other subjects ...

while explaining Giritech's vision of Network Consolidation.