One-Time Passwords
One-Time Passwords are a special authentication scheme for use over insecure lines: they need no complex encryption and work with the normal login procedure. They can usually be used safely with telnet or plain FTP, for example. The basic idea is to use a different password each time authentication is needed and never to reuse a password. It must also be infeasible to compute the passwords not yet used, even with complete knowledge of all passwords used so far.
There are two types of One-Time Password systems:
- Pregenerated lists of completely random passwords, and
- Systems based on a non-invertible (one-way) function, e.g. a cryptographically secure hash function
Pregenerated lists
In these systems a list of several passwords is generated, usually with a cryptographically strong random number generator, and distributed to the user. The authenticating system retains a copy of the list for each user. When authentication is to be performed, the user picks a password from her list and submits it. If the authenticating system finds the password in its copy of the list, authentication succeeds and the password is marked invalid or deleted from the list, so it can never be accepted again.
- Benefits:
  - Strong random generation means there is no way to predict one of the valid passwords with significantly higher probability than pure chance.
- Drawbacks:
  - The user must keep the list of valid passwords with her at all times, whenever she wants to authenticate.
  - The list must be transferred to the user in a secure manner.
A typical example of these systems is the PIN/TAN procedure (PIN/TAN-Verfahren) used by most German banks. Each TAN is a One-Time Password that was randomly generated and is valid for authenticating only once.
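The pregenerated-list scheme described above, written out as a small working model. This is an added example, not code from the original article or from any bank's TAN system; the names `generate_list`, `OtpServer` and the 8-byte password length are assumptions chosen for the illustration. It shows the three steps the text describes: generating the list with the operating system's cryptographically strong random source, the authenticating system keeping its own copy per user, and a password being marked invalid the moment it is accepted. One design choice that goes slightly beyond the text is that the server stores only SHA-256 digests of the passwords, so a leaked server copy does not directly reveal the unused passwords.

```python
from __future__ import annotations

import hashlib
import secrets

PASSWORD_BYTES = 8  # assumed choice: 64 bits of randomness per password


def generate_list(count: int) -> list[str]:
    """Generate `count` random one-time passwords as hex strings.

    `secrets.token_bytes` draws from the OS CSPRNG, i.e. the
    'cryptographically strong random number generator' of the text.
    """
    return [secrets.token_bytes(PASSWORD_BYTES).hex() for _ in range(count)]


def _digest(password: str) -> bytes:
    """Server-side representation of a password: its SHA-256 digest."""
    return hashlib.sha256(password.encode("utf-8")).digest()


class OtpServer:
    """The authenticating system: keeps, per user, the set of still-valid passwords.

    Only digests are stored (assumption, not required by the text), so the
    stored copy does not reveal unused passwords if it is disclosed.
    """

    def __init__(self) -> None:
        self._valid: dict[str, set[bytes]] = {}

    def register(self, user: str, passwords: list[str]) -> None:
        """Store the server's copy of the list that was handed to the user."""
        self._valid[user] = {_digest(p) for p in passwords}

    def remaining(self, user: str) -> int:
        """How many passwords on the user's list have not been used yet."""
        return len(self._valid.get(user, set()))

    def authenticate(self, user: str, password: str) -> bool:
        """Accept the password if it is on the user's list, then invalidate it.

        Because the lookup is on the fixed-length digest rather than the raw
        password, a plain set membership test suffices here.
        """
        valid = self._valid.get(user)
        if valid is None:
            return False  # unknown user: nothing to match against
        candidate = _digest(password)
        if candidate not in valid:
            return False  # not on the list, or already spent
        valid.remove(candidate)  # mark invalid: this password is used up
        return True


def demo() -> tuple[bool, bool, int]:
    """Constructed walk-through: first use succeeds, replay fails, count drops."""
    server = OtpServer()
    passwords = generate_list(5)  # the list 'distributed to the user'
    server.register("alice", passwords)
    first = server.authenticate("alice", passwords[2])   # True
    replay = server.authenticate("alice", passwords[2])  # False: already spent
    return first, replay, server.remaining("alice")      # (True, False, 4)


if __name__ == "__main__":
    print(demo())
```

Running the file prints `(True, False, 4)`: the first presentation of a password is accepted, its replay is refused, and the server's copy has one entry fewer. The drawbacks listed above are visible in the code as well: `generate_list` output has to reach the user over a secure channel, and the user must have it at hand for every login.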