Blog post

Perspectives on OTP Authentication and Migration

By Mark Diodati | April 01, 2011 | 0 Comments

At last measurement, authentication dialogues were 25% of the total number of dialogues in our Identity and Privacy Strategies service. A common dialogue request goes something like this: “We have a one-time password (OTP) authentication solution. We want to evaluate another vendor’s lower cost OTP solution, or a smart card solution for physical and logical access. What are the decision factors?”

If the client wishes to move to smart cards, then we discuss when the next OTP renewal is coming. The renewal is a milestone because it requires a cash outlay and represents a commitment to the OTP solution for several years. The typical answer is that the renewal is coming six months. A client in this situation will not be able to move to smart cards; Smart deployments are multi-year engagements (particularly if physical access control systems [PACS] are involved).

If the client is in a position to move to another OTP vendor, the question of application support arises. Authentication solutions are useless if they don’t work with the customer’s applications. If the current OTP solution is protecting many different application types, the customer may need to make a decision about moving to another vendor—at the expense of excluding one or more specific applications from protection. If the client is using the OTP solution for RADIUS-based applications and a small list of web platforms, a switch is likely possible.

Given all these complications, few customers elect to switch OTP vendors because of inertia. First, the customer has invested time and money implementing the current OTP solution. Customers typically have “rolling” token renewals, so a multi-vendor solution would be required for a period of time (most likely years).

In IT you CAN replace anything with time and money, but it is best not to underestimate the effort of doing so. Some OTP vendors provide a RADIUS proxy to broker authentication requests back to the original OTP infrastructure, which can help with transitioning to another OTP solution.

Let’s work from the perspective that the customer is concerned that specific OTP devices have been compromised. Are other vendors’ OTP solutions immune from this type of compromise? Is it faster and cheaper for the customer to distribute replacement OTP devices from the first vendor, particularly if the vendor provides free replacement tokens?

To me, the macro-level dialogue we can (and do) have with our customers is about matching authentication methods to resources based upon risk. All authentication types have strengths and weaknesses. Even the gold standard for authentication—the smart card—can be compromised: once the user has authenticated to the smart card, a trivial piece of malware can send data down to the card for private key signing functions, enabling the attacker to authenticate to PKI-enabled applications. OTPs are subject to man-in-the middle attacks, particularly in consumer phishing scenarios. Consumer authentication solutions have holes in them (e.g., lightweight device IDs that are easily impersonated, risk analytic solutions with high false accept rates). Software PKI solutions are subject to many of the same types of attack as passwords. In the end, the layering of authentication methods and other techniques can improve identity assurance. My blog post from 2007 discusses these concepts in more detail.

Recommended Reading (subscription required):
Authentication System Selection Decision Point
Road Map: Implementing OTP Authentication
Road Map: Implementing Smart Card Authentication (soon to be published)

The Gartner Blog Network provides an opportunity for Gartner analysts to test ideas and move research forward. Because the content posted by Gartner analysts on this site does not undergo our standard editorial review, all comments or opinions expressed hereunder are those of the individual contributors and do not represent the views of Gartner, Inc. or its management.

Comments are closed