One-Time Password Technology

05/09/2007

An Established Technology Gets More Attention!

Securing the data that employees carry around as they go about their daily business is priority No. 1 for businesses today. The stakes are high: Data loss is just the kind of incident that can give a business all kinds of publicity for all the wrong reasons.

But many enterprises large and small continue to rely on antiquated password technology to secure many of their critical systems. Passwords are only as secure as the individual generating them, and security takes a hit when users neglect to develop strong passwords and instead rely on easily remembered character sequences. One-time password technology claims to resolve this issue by generating passwords that constantly change.

Sophisticated Defenses Needed

A huge reason why OTP (one-time password) technology, and other security technologies, is gaining attention is the ongoing threat from increasingly sophisticated phishing, pharming, and malware attacks perpetrated by criminals motivated by financial gain, says Larry Hamid, CTO of MXI Security. “The movement is no longer just hackers but is now in the domain of organized crime,” says Hamid. So, he adds, OTP technology is a good way for organizations to provide stronger user authentication and prevent identity theft.

Bruce Schneier, founder and chief technology officer for BT Counterpane (http://www.counterpane.com/), a provider of managed security services and security consulting, says one-time password technology makes a lot of sense for providing employee access into corporate networks. But many companies remain mired in old security technologies that no longer work well with today’s sophisticated attack methods. “I am continually amazed by the number of businesses that still rely on password-only authentication,” says Schneier.

How OTP Works

As the name implies, OTP relies on the generation of unique, one-time passwords to provide connection security. OTPs, as Hamid points out, are in theory not reusable, so if an attacker manages to obtain one, it won’t do him or her any good.

Schneier says OTP’s main advantage is that it’s immune from password sniffing attacks. “If someone manages to get your password, either by intercepting the communication or watching over your shoulder, it doesn’t give them access to your stuff,” he says.

There are a variety of ways to deliver OTP security functionality; these include time-based, counter-based, challenge-based, and mutual authentication, says Hamid.

With time-based OTP, for example, a token carried by the user generates a unique numeric sequence every minute or so, and the user enters this sequence to authenticate. According to an RSA Security whitepaper, the token carried by the user and the authentication server share a secret credential, which an algorithm uses to generate a unique, one-time password. RSA Security’s SecurID implementation also provides users with a PIN, which is entered into a system in combination with the OTP to supply two-factor authentication and gain entry into a system, such as a corporate network.

Other approaches use an algorithm to generate unique passwords. For example, in challenge-based OTP, a user has to input a challenge into the system, which is then used to generate a new, unique password that can be used for authentication. Or, in other cases, a new password is mathematically generated using a previous password as a “seed.” (A challenge is a way to “convince” a verifier that the user trying to gain entry into a system is a legitimate user. The user trying to log in to a system is challenged to provide the right credentials, and the response is either correct or not.)
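As an added illustration (not from the article, and not RSA’s proprietary SecurID algorithm), the following Python implements the open HOTP/TOTP construction from RFC 4226 and RFC 6238: token and server share a secret, the server tolerates a small clock-drift window, and it records the last accepted time step so that a code captured by sniffing or shoulder-surfing cannot be replayed. The secret and timestamps used are the RFC test values.

```python
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """Counter-based OTP (RFC 4226): HMAC-SHA1 over the 8-byte counter,
    then dynamic truncation to a fixed number of decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = ((mac[offset] & 0x7F) << 24 | mac[offset + 1] << 16
            | mac[offset + 2] << 8 | mac[offset + 3]) % (10 ** digits)
    return str(code).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """Time-based OTP (RFC 6238): the counter is the number of time steps
    elapsed since the Unix epoch, so token and server need no shared state
    beyond the secret and roughly synchronised clocks."""
    return hotp(secret, unix_time // step, digits)


class Verifier:
    """Server side. Shares the secret with the token, accepts codes within
    +/- `window` time steps of its own clock, and refuses to accept any
    time step at or below the last one already used (replay protection)."""

    def __init__(self, secret: bytes, step: int = 30, window: int = 1):
        self.secret = secret
        self.step = step
        self.window = window
        self.last_used_counter = -1  # highest time step already consumed

    def verify(self, code: str, unix_time: int) -> bool:
        now = unix_time // self.step
        for delta in range(-self.window, self.window + 1):
            counter = now + delta
            if counter <= self.last_used_counter:
                continue  # already consumed: a used OTP must never work again
            if hmac.compare_digest(hotp(self.secret, counter), code):
                self.last_used_counter = counter
                return True
        return False


if __name__ == "__main__":
    # Constructed demo secret (the RFC 6238 test key); never reuse it for real.
    shared = b"12345678901234567890"
    now = int(time.time())
    print("token shows:", totp(shared, now), "accepted:", Verifier(shared).verify(totp(shared, now), now))
```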

Challenges To OTP

Is OTP the panacea to solve all security problems? Of course not. Even though OTP is a much stronger security technology than simple username/password authentication, the technology is not without its shortcomings.

BT Counterpane’s Schneier says one OTP drawback is that it’s often used in instances when authentication is not the problem. For example, Schneier explains in a recent “Crypto-Gram Newsletter,” the two-factor authentication provided by OTP solutions doesn’t help against the types of newer, active attacks, such as phishing and Trojan horses. According to Schneier, two-factor authentication solves the security problems posed by yesterday’s passive threats, such as eavesdropping and password-guessing, but does little to counteract today’s more sophisticated threats, which are predicated on perpetrating fraud through impersonation.

MXI Security’s Hamid says OTP may require additional devices for institutions to deploy and manage. Also, OTP has the potential to inconvenience users, who now have to enter the numeric sequence displayed by their token to gain access to, for example, a corporate network. So users must carry their OTP tokens or devices with them at all times or risk losing their access.

“OTPs by themselves do not solve the identity theft problem,” says Hamid. For example, he adds, OTPs are vulnerable to “man in the middle” attacks, so multifaceted authentication and data protection solutions are needed to defend users and data against sophisticated attacks. According to Hamid, MXI Security’s technology goes beyond OTP by providing up to three-factor authentication with biometric, password, and ownership of the device being required to generate an RSA SecurID OTP passcode.

MXI’s Stealth MXP line of portable security devices provides various methods for securing data carried on the devices and for authenticating users. For example, the Stealth MXP portable USB drive provides three-factor authentication using biometrics, a password, and a digital key. Other devices in the product line, such as the Stealth MXP Passport or the Stealth MXP Bio Token, provide various combinations of security technologies, including password authentication, biometric authentication, and two-factor authentication based on biometrics and password.

Be Vigilant

Data thieves are an industrious lot, constantly working to improve the methods they use to separate their victims from their identities, their money, and their data. As long as technology continues to be an integral part of everyone’s business and personal lives, the cat-and-mouse game between data thieves and data owners will continue. Security experts and administrators cannot afford to rest on their laurels because as soon as they build a new mousetrap, along comes a better mouse ready to run circles around technological defenses. For better or worse, vigilance is the name of the game.
