The safest way to pay, bank or work online is with some sort of personal digital security device that verifies your identity. One such device is a one-time password (OTP) token that makes every online login or transaction unique. It ensures no one can fraudulently use your personal information if they steal your password.
Inside the OTP token is a smart card or a microprocessor chip. Think of it as a computer with special security software to protect your digital identity. It uses a complex mathematical formula, or algorithm, and secret keys to generate the one-time passwords.
One of the inputs in the formula is the exact date and time of day, which is synchronized with the server. Since the time is constantly changing, it acts as a constantly changing input to the formula, much like a random number. This, plus the fact that each OTP token has a unique secret key, makes it very difficult to hack.
How OTP Tokens Work
You carry the OTP token with you and use it whenever you log in or make an online payment. When you press a button on the device, it displays a unique numerical password you must enter to log in. The password changes each time you log in, hence the name "one-time password." The server validates that the password is correct as part of the login authentication.
Enhancing Security with Two-factor Authentication
Authentication is proving your identity to an information system or service provider. Using a personal digital security device like an OTP token plus your normal username and password is called "two-factor authentication." It simply means you have to use two different things to prove your identity.
An OTP token makes access to online services or information systems much more secure. With normal password-protected access, if someone steals your username and password (through phishing, spyware or looking over your shoulder at work, for instance), they can pretend to be you online. When an OTP device is part of the login authentication, even if someone steals your password, they will not have the unique one-time code. The result is they cannot steal your digital identity to log into your online account or your employer's network.
OTP devices make network access far more secure against the aforementioned threats to password-based authentication; however, they do remain vulnerable to a man-in-the-middle attack. This attack is far more difficult for the hacker, however, and is not the widespread, high-volume threat to online identity security that phishing, spyware and data breaches are. In this scenario, a hacker is sitting between your PC and the server, relaying communications. When you enter the one-time password, it is actually going to the hacker, not the real server you intended. The hacker will show you a fake access error message and quickly use the OTP password you just entered to log in to your account or office network. Since the time-of-day value has a short period of validity to allow time for Internet communications and the login sequence, the man-in-the-middle attack can work against time-based OTP.
An even more secure solution that eliminates the risk of man-in-the-middle attacks is to use a PKI digital certificate-based system with a smart card or smart card-based USB token as the second authentication factor. (See also: What is a certificate?)
Four things to remember about OTP:
- OTP means one-time password; every time you log in, you use a unique password
- An OTP token is a type of personal, portable, digital security device
- Using OTP tokens protects your network identity with two-factor authentication
- OTP tokens have small but sophisticated computers inside them