One Time Password (OTP): Trust Elevation Method

Access to network resources can be controlled through the use of a User Name / Password, possibly combined with a One Time Password. A one-time password (OTP) is a password that is valid for only one login session or transaction. OTP requires additional technology in order to work. OTPs are dynamic and avoid many of the shortcomings associated with static passwords. In theory OTPs are not vulnerable to replay attacks. There are many approaches for the generation of OTPs:

1. Based on time-synchronization between the authentication server and the client providing the password (OTPs are valid only for a short period of time).
• Time-dependent authenticators base their OTP generation on time intervals. A password is valid for a given amount of time.
• Can be implemented with small key cards that are equipped with digital displays. The card displays a unique numeric combination that has been randomly generated by the hardware token.
• To be authenticated, users enter their personal PIN numbers, followed by the current OTP displayed on their key card.

2. Using a mathematical algorithm to generate a new password based on the previous password (OTPs are effectively a chain and must be used in a predefined order).
• Generation of OTPs randomly. Some token generators allow the users to generate the OTP by entering a PIN.

3. Using a mathematical algorithm where the new password is based on a challenge (e.g., a random number chosen by the authentication server or transaction details) and/or a counter.
• Smart devices that a user carries can be used to generate OTPs. The token can be generated using software that runs on the smart device.

OTPs can be sent out through SMS to users or other out-of-band methods. OTP over text messaging may be encrypted, with variable vulnerabilities. SMS-based OTPs have vulnerabilities: there are threats from hackers, phishing and stealing.
The mobile phone operator becomes part of the trust chain, and hackers may mount a MITM attack. OTPs can also be printed on paper that the user is required to carry. Some providers offer web-based methods for delivering one-time passwords without the need for tokens. One example is the use of pre-chosen categories from a randomly generated grid of pictures: each picture in the grid has a randomly generated alphanumeric character overlaid on it, and the user enters the alphanumeric characters associated with the preset category to form the OTP.

OTP helps to eliminate a number of system vulnerabilities, such as password cracking, password sniffing, brute force attacks, and social engineering. Usability is a problem in particular with OTP systems that use hardware key cards, since those users are required to use their keys every time they log in. Such systems are vulnerable to theft, PIN stealing, cards forgotten at home, or stolen PINs.

Questions:

Which party is performing the method?
Relying Party / Identity Service Provider / Network

How does the method improve trust?
This method can improve trust if done properly. Trust is improved through the use of dynamic passwords.

How does the method address the threat of eavesdropping?
No. The method is vulnerable to eavesdropping.

How does the method address the threat of online guessing?
This method is somewhat vulnerable to online guessing.

How does the method address the threat of replay attack?
This method solves the problem of replay attacks.

How does the method address the threat of man in the middle?
This method is somewhat vulnerable to man in the middle attacks.

How does the method address the threat of spoofing and masquerading?
This method is vulnerable to spoofing and masquerading.

Are there implementation requirements for improving trust? If so, what are they and why are they necessary?
Elevating trust and countermeasures: organizations need a multi-faceted defense against password vulnerabilities.
o Use a secure OTP method.

Are there privacy and/or confidentiality issues engaged when using the method, such as user consent for attribute release/exchange? Are there reasonable solutions for potential privacy impacts?

What are the usability issues when using the method? Are there reasonable solutions for potential usability impacts?
TBD

Initial NIST LOA   Resulting NIST LOA   Comments
0
1
2
3
4

Comments:
• This method is very common with users.
• This is a single factor LOA 2 regardless of the OTP strength.
• When performed with a previously registered phone that is subscribed to by the user, it can constitute a second factor hard token.

Just for grins, I've added the M-04-04 risk/assurance table. It continues to make perfect sense.

TBD

Table 1 – Maximum Potential Impacts for Each Assurance Level

Potential Impact Categories for Authentication Errors          Assurance Level Impact Profiles
                                                               1      2      3      4
Inconvenience, distress or damage to standing or reputation    Low    Mod    Mod    High
Financial loss or agency liability                             Low    Mod    Mod    High
Harm to agency programs or public interests                    N/A    Low    Mod    High
Unauthorized release of sensitive information                  N/A    Low    Mod    High
Personal Safety                                                N/A    N/A    Low    Mod/High
Civil or criminal violations                                   N/A    Low    Mod    High