25: What is an OTP?
Audio Cast:
Takeaway Points:
OTP stands for one-time password
The OTP is derived from a shared secret (a seed) held by the authenticator and the verifier, but the subject never knows that seed; what they demonstrate is possession of the device or channel that holds it, so OTPs are normally classified under "something you have" rather than "something you know" (NIST SP 800-63B treats OTP devices this way)
OTPs are designed to be dynamic: each code changes regularly and has a short lifespan
This limits the value of a stolen code: it cannot be reused once its window has passed or the verifier has already accepted it
OTPs are now routinely added to the login process to provide greater authentication assurance than a username and password alone
OTP usage falls into two camps: verifier-generated (the service creates the code and delivers it to the user) and client-generated (the user's own device derives the code)
Verifier-generated means the service you are logging into generates the OTP and delivers it to the identity, most commonly by SMS text message or email
This requires a pre-registered mobile number and/or email address on the identity's profile
It is a relatively convenient way of leveraging OTPs as the end user needs no additional apps or tools
However text messages and emails can be intercepted, phone numbers hijacked by SIM swapping, phones stolen and email accounts taken over, so a delivered OTP only proves control of the delivery channel; it should really be classified as a "legacy" MFA component (NIST SP 800-63B lists SMS/voice OTP as a "restricted" authenticator and does not accept email as an out-of-band authenticator at all)
The other approach is the end user generating an OTP via an app on their mobile, typically called an "authenticator" app
These apps implement the open OATH algorithms: HOTP (RFC 4226), which is counter-based, and TOTP (RFC 6238), which is time-based and the one most services use (typically a 6-digit code every 30 seconds)
Generation uses a "seed": a random secret unique to the end user and shared only with the verifying service, which must store it as carefully as a password database (unlike a password hash, a stolen seed lets an attacker generate every future code)
The seed is generated and transferred to the app during user enrolment, usually as a QR code encoding an otpauth:// URI that carries the base32 seed, the issuer and the algorithm parameters
At login the end user opens the app, reads the current OTP and enters it on the service's login page; the verifier recomputes the code for the current time step (allowing a small clock skew) and compares
OTPs can be phished via adversarial websites that look legitimate: the code is not bound to the site it is typed into, so a proxy that relays it to the real service within its validity window gets in (this is why only origin-bound authenticators such as FIDO2/WebAuthn are considered phishing-resistant)
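As an added example (not from the original page or the audio cast), the following Python covers both camps above: HOTP/TOTP generation for client-generated codes, the otpauth:// enrolment URI, a service-side verifier with clock-skew tolerance and a replay guard, and a verifier-generated (delivered) OTP issuer with expiry, single use and a cap on wrong guesses. The issuer and account names, the server-side MAC key, and the TTL and attempt numbers are assumptions; the seed is the RFC 4226 / RFC 6238 test-vector secret, so the printed codes can be checked against the RFCs.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time
from urllib.parse import quote

# Shared secret from the RFC 4226 / RFC 6238 test vectors (ASCII "12345678901234567890").
RFC_TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """HOTP (RFC 4226): HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6, algo=hashlib.sha1) -> str:
    """TOTP (RFC 6238): HOTP with the counter replaced by the number of elapsed time steps."""
    return hotp(secret, unix_time // step, digits, algo)


def enrolment_uri(issuer: str, account: str, secret: bytes) -> str:
    """otpauth:// key URI of the kind encoded into an enrolment QR code (assumed defaults SHA1/6/30)."""
    b32 = base64.b32encode(secret).decode().rstrip("=")
    label = f"{quote(issuer)}:{quote(account)}"
    return f"otpauth://totp/{label}?secret={b32}&issuer={quote(issuer)}&algorithm=SHA1&digits=6&period=30"


class TotpVerifier:
    """Service-side check for client-generated OTPs: tolerates small clock skew and
    refuses to accept the same (or an older) time step twice, per RFC 6238 section 5.2."""

    def __init__(self, secret: bytes, step: int = 30, skew_steps: int = 1):
        self.secret, self.step, self.skew = secret, step, skew_steps
        self.last_accepted_step = -1

    def verify(self, code: str, unix_time: int) -> bool:
        current = unix_time // self.step
        for delta in range(-self.skew, self.skew + 1):
            candidate = current + delta
            if candidate <= self.last_accepted_step:
                continue  # replay guard: that window has already been consumed
            if hmac.compare_digest(hotp(self.secret, candidate), code):
                self.last_accepted_step = candidate
                return True
        return False


class DeliveredOtpIssuer:
    """Verifier-generated OTP (the SMS / email model): a random code the service stores
    per account, single-use, time-limited, with a cap on wrong guesses."""

    def __init__(self, ttl_seconds: int = 300, max_attempts: int = 5, digits: int = 6):
        self.ttl, self.max_attempts, self.digits = ttl_seconds, max_attempts, digits
        self.mac_key = secrets.token_bytes(32)  # assumed server-side key; only a MAC of the code is stored
        self.pending = {}                       # account -> (code_mac, expires_at, attempts_left)

    def _mac(self, code: str) -> bytes:
        return hmac.new(self.mac_key, code.encode(), hashlib.sha256).digest()

    def issue(self, account: str, now: int) -> str:
        code = str(secrets.randbelow(10 ** self.digits)).zfill(self.digits)
        self.pending[account] = (self._mac(code), now + self.ttl, self.max_attempts)
        return code  # hand to the SMS/email gateway; never log it

    def verify(self, account: str, code: str, now: int) -> bool:
        entry = self.pending.get(account)
        if entry is None:
            return False
        code_mac, expires_at, attempts_left = entry
        if now > expires_at or attempts_left <= 0:
            del self.pending[account]  # expired or locked out: force a fresh issue
            return False
        if hmac.compare_digest(self._mac(code), code_mac):
            del self.pending[account]  # single use
            return True
        self.pending[account] = (code_mac, expires_at, attempts_left - 1)
        return False


if __name__ == "__main__":
    print(enrolment_uri("Example Corp", "alice@example.com", RFC_TEST_SECRET))
    print("HOTP counter 0 :", hotp(RFC_TEST_SECRET, 0))             # 755224 (RFC 4226 vector)
    print("TOTP at T=59   :", totp(RFC_TEST_SECRET, 59, digits=8))  # 94287082 (RFC 6238 vector)
    now = int(time.time())
    v = TotpVerifier(RFC_TEST_SECRET)
    code = totp(RFC_TEST_SECRET, now)
    print("first use accepted:", v.verify(code, now), "| replay accepted:", v.verify(code, now))
```

Note what the replay guard does and does not buy: it stops a code being accepted twice, but a phishing proxy that relays the code to the real service before the victim's own login completes is the first use, so it is still accepted. Only binding the response to the origin, which OTPs cannot do, closes that gap.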
Useful Links:
Description of time-based OTP
TOTP RFC (RFC 6238)