by Mark Diodati | April 12, 2012 | Comments Off on OTP Systems And Mobile Devices: Don’t Make The Biggest Implementation Mistake
The topic of the secure distribution of one-time password (OTP) secrets recently surfaced again as part of our ongoing mobility research.
Many organizations make the classic distribution mistake; they couple a weak identity proofing mechanism with the deployment of stronger authentication systems1. In our research, I call this an “impendance mismatch”. For example, if an organization distributes the OTP secret via email, in many cases a password is all that is needed to procure the OTP secret. Let’s pause for a second to think about all of the places where the user typically embeds an Active Directory password: Outlook on the PC and in the native smartphone email client. This distribution process significantly diminishes the value of the OTP system.
An automated out-of-band identity proofing mechanism via telephone can provide a user-friendly and cost-effective solution (other identity proofing mechanisms exist, too). I have seen many organizations try to fix the identity proofing problem after deployment because they have little confidence that the OTP secrets are in the hands of authorized users. It can cost as much as ten times the initial deployment.
Another concern looms over the horizon. Now that tablets deliver a viable user computing platform, the value of on-device OTP generation should be re-evaluated. It blurs the multi-factor “what you have and what you know” concept. Tablet malware will be able to capture the user’s OTP PIN, run the OTP device API to generate the OTP, and then replay both bits without user knowledge. This vulnerability may already exist for tablets; it exists for PCs. Value remains for placing the OTP device sur la table(t), because it can help mitigate network attacks. I chose the word “mitigate” carefully; no authentication mechanism is bulletproof—not even hardware-based OTP devices and smart cards.
Roadmap: Deploying One-Time Password Devices (subscription required)
1 Good question! The nuance of dynamic secret generation a la CT-KIP/DSKPP does not fix the problem.
Comments or opinions expressed on this blog are those of the individual contributors only, and do not necessarily represent the views of Gartner, Inc. or its management. Readers may copy and redistribute blog postings on other blogs, or otherwise for private, non-commercial or journalistic purposes, with attribution to Gartner. This content may not be used for any other purposes in any other formats or media. The content on this blog is provided on an "as-is" basis. Gartner shall not be liable for any damages whatsoever arising out of the content or use of this blog.