The topic of the secure distribution of one-time password (OTP) secrets recently surfaced again as part of our ongoing mobility research.
Many organizations make the classic distribution mistake; they couple a weak identity proofing mechanism with the deployment of stronger authentication systems1. In our research, I call this an “impendance mismatch”. For example, if an organization distributes the OTP secret via email, in many cases a password is all that is needed to procure the OTP secret. Let’s pause for a second to think about all of the places where the user typically embeds an Active Directory password: Outlook on the PC and in the native smartphone email client. This distribution process significantly diminishes the value of the OTP system.
An automated out-of-band identity proofing mechanism via telephone can provide a user-friendly and cost-effective solution (other identity proofing mechanisms exist, too). I have seen many organizations try to fix the identity proofing problem after deployment because they have little confidence that the OTP secrets are in the hands of authorized users. It can cost as much as ten times the initial deployment.
Another concern looms over the horizon. Now that tablets deliver a viable user computing platform, the value of on-device OTP generation should be re-evaluated. It blurs the multi-factor “what you have and what you know” concept. Tablet malware will be able to capture the user’s OTP PIN, run the OTP device API to generate the OTP, and then replay both bits without user knowledge. This vulnerability may already exist for tablets; it exists for PCs. Value remains for placing the OTP device sur la table(t), because it can help mitigate network attacks. I chose the word “mitigate” carefully; no authentication mechanism is bulletproof—not even hardware-based OTP devices and smart cards.
Roadmap: Deploying One-Time Password Devices (subscription required)
1 Good question! The nuance of dynamic secret generation a la CT-KIP/DSKPP does not fix the problem.