Two-factor Authentication Using One-time Passwords


User Authentication

Authentication is the process of proving a user’s identity. Typically this is done by comparing what a user knows (e.g. a password) or has (e.g. a fingerprint) with information that the system already knows about that user.

Password-based authentication has been, and will continue to be, the primary means of user authentication for many systems. It is simple to understand and can be built quickly to protect applications. However, it is good enough only for non-critical services.

Security of Password Based Authentication

Many password-based authentication systems are poorly constructed and poorly secured. In addition to factors such as unpatched machines or improper SSL configuration, the password data itself is frequently stored badly. Passwords may be hashed improperly or, worse, encrypted using weak ciphers and keys. Access to the password database may also not be tightly controlled.

The security of passwords is ultimately dependent on the sophistication of the user. Administrators may try to exert influence via password policies, but a poorly constructed, guessable or leaked password can still compromise an account.

If users do not choose long or hard-to-guess passwords, attackers can easily take over their accounts. There is also often insufficient incentive for users to set up complicated passwords, because those are hard to remember. Users often reuse these weak passwords, so a password leak on one system may also compromise their accounts on other systems.

Sometimes developers layer multiple instances of the same form of authentication. For example, a system may ask an additional question such as ‘your mother’s maiden name’. This does not improve security, because the security of the system is still dependent on the user’s answer.

Two-factor Authentication

Two-factor authentication (often abbreviated as 2FA, or MFA for multi-factor authentication) combines verifying something you know with something you have. For example, a system may combine password-based authentication (something you know) with one-time password token-based authentication (something you have).

One-time Passwords

One-time passwords (OTP) are continuously changing random-looking numbers. They are generated by a device such as a key fob or by an app on a phone and verified by a server. They can also be delivered via email, SMS, push notifications, or phone calls.

A user registers the second-factor device during an enrollment process and confirms the setup by sending a sample one-time code. After confirmation, all future logins prompt for an OTP. It is simple to use, and its security does not depend on the sophistication of the user.

In the discussion below we describe how app-based OTPs work. Hardware-based OTPs have minor differences but are harder to ship to users.

How Do One-time Passwords Work?

The number generated by the app is a function of the current time and a secret that is shared by the app and the server. Both the server and the app use the Time-based One-time Password (TOTP) algorithm to generate tokens. You can read more about the algorithm here.

When a user enrolls for one-time passwords using an app, they see a QR code (a two-dimensional barcode) on the sign-up screen. The QR code is a representation of the secret generated by the server, which the app scans and stores. The time on the app and the server is assumed to be in sync. The randomness of the secret is determined by the server and is not controlled by the user.

After scanning the code, the user completes the enrollment process by sending the server an initial OTP generated by the app. The secret is then encrypted and stored on the server, as well as in the app, and linked to the user's account.

When a user logs in, the server prompts the user for the OTP that the app generates at that moment. The server decrypts the shared secret tied to that user, applies the TOTP algorithm to the secret and the current time, generates an OTP and compares it with what the user presents. If the two match, it proves that the user is in possession of the app.

Security of One-time Password Based Authentication

The security of a one-time-password-based system depends on how well the secret is protected and how random it is.

A secure random number generator must be used to generate the secrets. The secret must be protected with strong encryption; this would typically use symmetric encryption with a strong key. Rotation of the encryption key is strongly recommended.

Well-implemented account lockouts should stop an attacker from guessing the secret through repeated attempts.

Administrators should be trained to resist social engineering attacks that aim to get two-factor authentication turned off.

A more sophisticated attacker could also use keyloggers to capture the user’s passwords and one-time passwords in an attempt to derive the secret.

Well-configured SSL will also prevent man-in-the-middle attacks, as well as phishing attacks that aim to sniff the user’s OTP and replay it to the real site.

Apigee Two-factor Authentication

Apigee’s infrastructure manages a lot of high-value traffic for many of the world’s biggest digital organizations. This API infrastructure is critical to their business.

Apigee has implemented two-factor authentication that uses one-time passwords for customers who use our cloud. If you are an Apigee customer, we strongly encourage you to log in at https://accounts.apigee.com and turn on two-factor authentication to protect access to your account.

We have a growing security engineering team that enables Apigee Engineering to secure its infrastructure. If you’re interested in working on challenging problems that secure the world’s APIs, get in touch at careers@apigee.com.

Comments

willwitman (Staff): Also, check out this new topic in the Apigee docs: Enable two-factor auth for your Apigee account.

Last update: 06-16-2016 08:39 AM