To avoid the problems of password sniffing and shoulder surfing, a system could use a set of paired passwords. When a session begins, the system randomly selects and presents one part of a password pair; the user must supply the other part. In this system, the user is challenged and must respond with the correct answer to that challenge.
This approach can be generalized to the use of an algorithm as a password. The algorithm might be an integer function, for example. The system selects a random integer and presents it to the user. The user applies the function and replies with the result. The system applies the same function to the same integer. If the two results match, access is allowed.
Such algorithmic passwords are not susceptible to reuse; that is, a user can type in a password, and no entity intercepting that password will be able to reuse it. In this scheme, the system and the user share a secret. The secret is never transmitted over a medium that allows exposure. Rather, the secret is used as input to the function, along with a shared seed. A seed is a random number or alphanumeric sequence. The seed is the authentication challenge from the computer. The secret and the seed are used as input to the function f(secret, seed). The result of this function is transmitted as the password to the computer. Because the computer also knows the secret and the seed, it can perform the same computation. If the results match, the user is authenticated. The next time the user needs to be authenticated, another seed is generated, and the same steps ensue. This time, the password is different.
In this one-time password system, the password is different in each instance. Anyone capturing the password from one session and trying to reuse it in another session will fail. One-time passwords are among the only ways to prevent improper authentication due to password exposure.
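The challenge-response exchange described above, as an added example that is not part of the original page. It assumes f(secret, seed) is HMAC-SHA256 keyed with the shared secret (the page leaves the function unspecified), a 16-byte random seed as the challenge, and a server that consumes each challenge on the first verification attempt so a captured response cannot be replayed. The names Authenticator, challenge, verify and response are hypothetical.

```python
import hashlib
import hmac
import secrets


def response(secret: bytes, seed: bytes) -> str:
    """f(secret, seed): the one-time password sent over the wire.

    Assumption: HMAC-SHA256 stands in for the page's unspecified function.
    Only this digest leaves the client; the secret itself never does.
    """
    return hmac.new(secret, seed, hashlib.sha256).hexdigest()


class Authenticator:
    """Server side: holds each user's shared secret and the outstanding seed."""

    def __init__(self, users: dict[str, bytes]):
        self._secrets = dict(users)
        self._pending: dict[str, bytes] = {}

    def challenge(self, user: str) -> bytes:
        """Generate a fresh, unpredictable seed and present it as the challenge."""
        seed = secrets.token_bytes(16)
        self._pending[user] = seed
        return seed

    def verify(self, user: str, answer: str) -> bool:
        """Recompute f(secret, seed) and compare in constant time.

        The pending seed is removed whether or not the answer is right, so a
        single challenge can only be answered once.
        """
        seed = self._pending.pop(user, None)
        secret = self._secrets.get(user)
        if seed is None or secret is None:
            return False
        expected = response(secret, seed)
        return hmac.compare_digest(expected, answer)


def demo() -> tuple[bool, bool]:
    """Constructed scenario: a real login, then an eavesdropper replaying it."""
    shared = b"correct horse battery staple"   # constructed shared secret
    auth = Authenticator({"alice": shared})

    # Session 1: user computes f(secret, seed) on the presented seed.
    seed1 = auth.challenge("alice")
    answer1 = response(shared, seed1)
    first_ok = auth.verify("alice", answer1)

    # Session 2: the attacker captured answer1 and tries it against a new seed.
    auth.challenge("alice")
    replay_ok = auth.verify("alice", answer1)
    return first_ok, replay_ok


if __name__ == "__main__":
    print("legitimate login, replayed password:", demo())
```

Because the seed is chosen by the server and never reused, the same secret yields a different password every session; the replay in `demo` fails because the captured digest was computed over the old seed. A practitioner would also keep the secret in a keyed store rather than a plain dict, and would rate-limit `challenge` so an attacker cannot collect unlimited (seed, response) pairs.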
One-time password systems are implemented in various ways. Commercial implementations, such as SecurID, use hardware calculators. Most of these calculators are shaped like a credit card, a key-chain dangle, or a USB device. Some use the current time as the random seed; others require the user to enter the shared secret, also known as a personal identification number or PIN, on the keypad. The display then shows the one-time password. The use of both a one-time password generator and a PIN is one form of two-factor authentication, since two different types of components (something the user has and something the user knows) are needed. Two-factor authentication offers far better authentication protection than single-factor authentication.
Another variation on one-time passwords uses a code book, or one-time pad, which is a list of single-use passwords. Each password on the list is used once and then crossed out or erased. The commonly used S/Key system uses either a software calculator or a code book based on these calculations as a source of one-time passwords. Of course, the user must protect his code book.
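An S/Key-style code book, as an added example that is not part of the original page. S/Key builds its list of single-use passwords as a one-way hash chain (Lamport's scheme): the list is derived from the secret and seed, the passwords are spent in reverse order, and the server keeps only the most recently accepted value. This example substitutes SHA-256 for the MD4/MD5 truncation and word encoding of real S/Key, and the names generate_code_book, SKeyServer and demo_skey are hypothetical.

```python
import hashlib


def h(x: bytes) -> bytes:
    """One-way function for the chain. Assumption: SHA-256 rather than S/Key's MD4/MD5."""
    return hashlib.sha256(x).digest()


def generate_code_book(secret: bytes, seed: bytes, n: int) -> list[bytes]:
    """Return the chain [p_0, ..., p_n] with p_0 = H(secret||seed), p_i = H(p_{i-1}).

    The user's code book is p_0 .. p_{n-1}; p_n is registered with the server.
    Passwords are consumed from p_{n-1} downward, one per login.
    """
    chain = [h(secret + seed)]
    for _ in range(n):
        chain.append(h(chain[-1]))
    return chain


class SKeyServer:
    """Server side: stores only the last accepted password, never the secret."""

    def __init__(self, last: bytes):
        self.last = last  # p_n at enrollment

    def verify(self, presented: bytes) -> bool:
        """Accept p_{i-1} only if H(p_{i-1}) equals the stored p_i, then advance.

        A replayed password hashes to an earlier link, not to the current one,
        so it is rejected.
        """
        if h(presented) == self.last:
            self.last = presented
            return True
        return False


def demo_skey() -> tuple[bool, bool, bool, bool]:
    """Constructed scenario: three logins in order, with one replay attempt."""
    secret, seed = b"hunter2", b"site-seed-01"  # constructed values
    book = generate_code_book(secret, seed, 3)    # p_0, p_1, p_2, p_3
    server = SKeyServer(book[3])                  # enrollment stores p_3

    login1 = server.verify(book[2])  # p_2: H(p_2) == p_3, accepted, crossed out
    login2 = server.verify(book[1])  # p_1: H(p_1) == p_2, accepted
    replay = server.verify(book[2])  # p_2 again: H(p_2) == p_3 != p_1, rejected
    login3 = server.verify(book[0])  # p_0: H(p_0) == p_1, accepted
    return login1, login2, replay, login3


if __name__ == "__main__":
    print("login1, login2, replay, login3:", demo_skey())
```

The server table holds only `last`; because `h` is one-way, a copy of that table does not reveal the next password in the book. Once p_0 is spent the chain is exhausted and the user must re-enroll with a new seed, which is why the code book must be protected: anyone who reads it has every remaining login.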