One-Time Password Authenticator

From MgmtWiki
Jump to: navigation, search

Full Title or Meme

Authenticators are devices in the user possession that can generate a one-time password.

Context

  • Security Dynamics invented and patented the "Time-Based One-Time Password Algorithm" which has since come off-patent and standardized as RFC 6238 in May 2011.

Problem

  • Give users a hand-held device that can generate password for access to secure accounts.
  • All of the security is in the place that generates the OTP. The seed for the OTP is a very high-value target and has been hacked at is source from the beginning. [1]

Solution

  • The original Security Dynamics (later RSA, now Dell) Authenticator was a small hand held device that continually generated a password every (eg 30) seconds that could be sync'd with the server.
  • Now Microsoft, Google and others offer Authencators as Smart Phone Native Apps.

The following is a list of some of the Authentictors now in use.

  1. RSA SecurID is the original device. It came in multiple form factors.
  2. Symantec VIP Security Card size of a credit card.
  3. Symantec VIP Security Token size of a key fob.
  4. Feitian MultiPass FIDO Security Key
  5. Google Authenticator Native App

References

  1. Andy Greenberg The Full Story of te Stunning RSA Hack can Finally be Told World (2021-05-20) https://www.wired.com/story/the-full-story-of-the-stunning-rsa-hack-can-finally-be-told/