In-Depth
5 Reasons to Replace Your Traditional One-Time Passwords
Millions rely on traditional one-time password tokens. Here’s why your organization may want to replace or augment this approach for perimeter security.
By Chris Harget, Senior Product Marketing Manager, ActivIdentity
When considering a long and widely-used security technology that no longer measures up, you must be precise when making the case for change. Otherwise, many people may become upset that their emperor wears no -- or at least very few -- clothes. Today, tens of millions of people rely upon traditional one-time password (OTP) tokens as a second authentication factor for access to their VPN. These tokens are less secure than they used to be compared to the evolving threats and the relative efficacy of practical new alternatives.
In this article, we will examine five reasons your organization may want to replace, or at least augment, the OTP they use for perimeter security.
Reason #1: Your traditional OTP only covers the perimeter.
While two-factor authentication makes it harder to steal or crack a user credential, most organizations only use OTP to secure VPN access at the perimeter. Unfortunately, the very concept of a perimeter has largely evaporated. Laptops and smartphones physically cross the perimeter daily. Untrustworthy insiders may look over a shoulder and steal a Windows login from inside the perimeter. Cloud-based applications exist outside of an organization’s perimeter. All of these scenarios benefit from strong authentication, but traditional OTP does not provide a second factor for Windows login or cloud app login to hinder unauthorized access.
Consider how easy it can be to compromise a specific laptop, frequently accessible with static passwords. Insiders look over a shoulder, zero-day keyloggers steal passwords, dynamic spear-phishing attacks harvest a static password, rainbow tables renders brute-force attacks practical to crack weak static passwords, and the list goes on. The problem is not that there will always be a new zero-day keylogger or untrustworthy insider stealing a static password. The problem is that the password can be stolen at all. Strong authentication should make it almost impossible to steal login credentials for Windows-, network-, or cloud-based applications. Clearly, perimeter protection is not sufficient, and traditional OTP doesn’t integrate well with the other layers of defense. Something more or different is needed.
Reason #2: Your traditional OTP (RSA) may have been cracked.
We’ve all seen the headlines. The most widely used OTP token manufacturer, RSA, had to have their CEO write a customer letter admitting RSA’s servers were hacked, information about RSA SecureID tokens was extracted and it, “... could potentially be used to reduce the effectiveness of a current two-factor authentication implementation... .” Additional details are sketchy, which further frustrates users. Although there are legitimate reasons RSA would not want to provide too many specifics, experts speculate the database of seed files (“secrets”) used to generate unique token keys was extracted, in effect allowing hackers to forge perfect copies of tokens. RSA may have kept all of these keys in a database that was compromised.
This incident is instructive on two levels. First, whatever strength SecurID tokens had, it is likely less now. A New York Times story of May 27, 2011 indicated data from the RSA breach may have been tied to a major attack on Lockheed’s networks. Second, we can assume RSA used their own OTP tokens and yet still suffered a major breach, further confirming the need for multiple layers of strong authentication noted in Reason #1. Sony, Comodo, and Epsylon also suffered publicized breaches recently, adding to the evidence that the threat level is rising.
Reason #3: It’s possible your legacy OTP vendor is overcharging you.
If you want layers of defense, including at the perimeter, and OTP can at least help with perimeter security, you still might consider replacing your traditional OTP vendor if you’re paying too much for too little value.
Look for these signs you’re paying too much for OTP: Do you have to pay to replace your OTP tokens every 3 or 4 years because of a contract, whether they need it or not? Modern batteries can allow tokens to last 5-8 years, so 3-year replacement cycles are just gouging, and they create a lot of unnecessary administrative labor, cost and not-very-green waste which can easily double the purchase price. Are you using proprietary OTP tokens that restrict your choice of vendors, and cost $30 to $60 each, plus software maintenance? Open standards OATH-based tokens can be purchased for between $12 and $24 depending on the form factor.
Reason #4: More secure alternatives have matured in terms of ease of use and affordability.
Smart cards and smart card administration have become easier in the past year. Smart cards are clearly more secure than simple OTP. Smart cards use digital certificates that can only be produced with a PIN and the smart chip on the card for authentication. Smart cards are trusted by the military, financial institutions, and government agencies. Essentially, smart cards can be used for stronger authentication into VPN, Windows login, and (with SAML2) into cloud-based applications. Furthermore, smart cards can digitally sign e-mail messages, encrypt files at rest or in transit, and hold additional security applets. Hence, smart cards are particularly effective versus insiders, and better at inhibiting the kinds of account escalation tactics hackers use once they have compromised a machine. Smart cards put a defensive screen around each device, providing many individual bulkheads to hinder any breach.
Smart cards have become easier and more affordable because of new credential management system appliances. These appliances come pre-integrated with a certificate authority, embedded database, hardware security module, and CMS software best practice, as well as a wizard for fast integration into your environment. These appliances can make deployment fast and easy, even for a non-specialist. The card plus the card reader start at about $37. Consequently, in many scenarios, smart cards can be as affordable as OTP over a three-year period.
Reason #5: New OTP now plays a different role.
The bar has risen for OTP in its inherent security strength, convenience and integration with the rest of your security layers. Although traditional OTP used fewer keys, making it more vulnerable to hacking, newer OTP leverages time- and event-based keys that make compromise far more difficult. Newer OTP can be an applet on a smart card that is easier to use, never has a dead battery, fits in a wallet, costs less, and is actually more secure. A unique security advantage is that the smart card’s OTP “secret” key is never created by the manufacturer, and only exists on the smart card chip and in your authentication server, hence it less likely to be stolen. The one-time password itself can be pasted from the clip board to speed login and reduce transcription errors, potentially enhancing the user experience.
Even if your organization prefers an evolutionary approach to OTP and wants to keep the key-ring form factor, newer open-standards OATH-based tokens have cost and security advantages over RSA proprietary OTP. These tokens can last for 6-8 years and fit seamlessly into a versatile authentication system that can tune up security dynamically to meet emerging threats.
Chris Harget is the senior product marketing manager at ActivIdentity, part of HID Global, where he is responsible for Enterprise Strong Authentication solutions. You can contact the author at charget@actividentity.com.