New OTP Solution Utilizes Mobile Phones

Share it on Twitter  
Share it on Facebook  
Share it on Linked in  

In this digital age, authentication—by password, personal identification number (PIN) or some other form—has become a fact of daily life. Those numbers and passwords are the keys to your castle, granting access to everything from your e-mail to your bank account. Sensitive data is only as safe as the passwords that guard it, and a malicious attacker armed with your passwords can wreak havoc.

Cloud-based authentication specialist Arcot Systems says one-time passwords (OTP) are the solution to dramatically reducing the threat.

"Increasingly we're starting to see attacks on ATMs called skimming attacks," said Jim Reno, Arcot's chief technology officer. "The criminal attaches a device to the ATM that sits over the card entry slot."

Reno explained that the devices are often difficult to spot, especially by a causal user. The device copies the magnetic stripe on the card as the user passes it into the card slot. Meanwhile, a pinhole camera in the device points at the ATM's keypad, recording the user's PIN as it's entered. With both a copy of the magnetic stripe and the PIN, a criminal can easily access the vulnerable bank account and empty it.

"We're starting to see these attacks in different places around the world," Reno said. "We got to thinking that one thing that would defeat that type of attack is if the PIN you are entering is dynamic. You've already used that one PIN during that one session. If [a criminal] tries to use it for a second time, it will fail."

Enter the OTP.

An OTP is a password that is only valid for a single session or transaction. Theoretically, even if a criminal were to obtain an OTP used on an account, he wouldn't be able to use it because it would no longer be valid.

OTPs have been around for some time, primarily in the form of dedicated electronic tokens. European banks also use OTPs in the form of scratch-off cards sent to customers; whenever a customer needs to complete a transaction, he scratches off the next number on the card to reveal an OTP for that session.

However, Arcot thinks the best place to generate an OTP is on your mobile phone or similar device, like an iPod touch.

"It's a device that I'm already carrying," Reno said. "I can use that one-time password in all sorts of different applications and environments."

He added, "People are really aware of whether they have their phone or not. It's an important item for most people. If they lose it or forget it, they immediately know."

Arcot calls its solution ArcotOTP. Users can download the app for free from their phone's application store or marketplace. For people without smartphones, ArcotOTP can also be used via SMS.

Once the user has the app, the next step is to use the bank's Web site to provision the account. After that, anytime the user would enter a PIN—like at an ATM—he will instead pull out his phone, open the ArcotOTP application and enter a PIN. The application will then generate an OTP to input at the ATM to access the account.

There are several different technological approaches to generating OTPs, including time synchronization, mathematical algorithms based on a previous password and mathematical algorithms based on a challenge.

Time synchronization, often used with tokens, is based on a clock inside the token, mobile phone or other device that is synchronized with a clock in the proprietary authentication server. New passwords are generated based on the current time, rather than, or in addition to, the previous password or a secret key.

Mathematical algorithms based on a previous password use an initial seed password and generate passwords from that seed, usually using a one-way cryptographic hash function.

Challenge-response OTPs require the user to submit a response to a challenge. For example, it could require the user to input the value that the device has generated into the device itself. To avoid duplicates, an additional counter is usually involved, so if one happens to get the same challenge twice, this still results in different one-time passwords.

ArcotOTP supports multiple OTP algorithms, including those specified by EMV (the standard for the interoperation of IC cards and IC-capable point-of-sale terminals and ATMs for authenticating credit and debit card transactions) and the Initiative for Open Authentication (OATH). All OTP methods can be used on the same phone supporting multiple accounts.

"In one app, you can have multiple accounts from different providers using different algorithms," Reno said.

Keys associated with the accounts are stored in the ArcotOTP key container on the user's phone. The ArcotOTP keys are protected by Arcot's patented cryptographic camouflage key concealment technology, protecting them from brute force and dictionary attacks.

Reno said ArcotOTP is receiving a lot of interest from the financial community, and Arcot is in talks with both banks and payment networks to implement its solution in their infrastructure.