2007-08-09

One Time Passwords for Web Apps

I recently did some traveling through Europe, and as I did I encountered my fair share of Internet cafés and sketchy net connections. In the Internet cafés I worried about keyloggers, screen-capture utilities and rootkits. On the sketchy net connections in hotels I was primarily concerned about sniffers on the wire. In all, I got to thinking about one time passwords for web applications, and why they seemingly don't exist.

One of the things I started thinking was: many people have a cell phone. Why not replace your SecurID card with a cell phone? When you go to log on to a site from an untrusted location, have an option where users can check a box and enter a PIN instead of their password. Once the PIN is successfully entered, the user receives a text message with a one time password they can use for a short duration of time. The user then uses their PIN, along with the one time password, to gain access to the site. This would be easy and inexpensive to implement as a web service that you could offer to third parties, so why has no one tackled this problem? If you know, let me know.
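The flow described above, sketched as server-side logic. This is an added example and not code from the original post; the SMS gateway is replaced by an in-memory outbox, the users, PIN, phone number, code length, five-minute lifetime and three-attempt limit are all constructed assumptions, and the PIN and live code are stored only as salted PBKDF2 hashes so a captured database does not yield a reusable code.

```python
"""Hypothetical SMS one-time-password login flow (added example, not the post's code)."""
import hashlib
import hmac
import secrets
import time

OTP_TTL_SECONDS = 300   # assumption: a texted code is valid for five minutes
OTP_DIGITS = 6          # assumption: six-digit code, like a hardware token display
MAX_ATTEMPTS = 3        # assumption: a code is burned after three wrong guesses


def hash_secret(secret: str, salt: bytes) -> bytes:
    """Salted PBKDF2 so neither PINs nor live codes sit in the store in clear."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)


class OtpService:
    """Step 1: correct PIN => text a code. Step 2: PIN + code => session."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.users = {}    # username -> {salt, pin_hash, phone}
        self.pending = {}  # username -> {salt, otp_hash, issued_at, attempts}
        self.outbox = []   # (phone, message) pairs a real system hands to an SMS gateway

    def enroll(self, username: str, pin: str, phone: str) -> None:
        salt = secrets.token_bytes(16)
        self.users[username] = {"salt": salt, "pin_hash": hash_secret(pin, salt),
                                "phone": phone}

    def _pin_ok(self, username: str, pin: str) -> bool:
        user = self.users.get(username)
        if user is None:
            hash_secret(pin, b"\x00" * 16)  # same cost, so timing does not reveal unknown users
            return False
        return hmac.compare_digest(user["pin_hash"], hash_secret(pin, user["salt"]))

    def request_otp(self, username: str, pin: str) -> bool:
        """The 'untrusted location' box: PIN instead of password, then an SMS."""
        if not self._pin_ok(username, pin):
            return False  # no text is sent for a wrong PIN, so the phone is not an oracle
        code = "".join(secrets.choice("0123456789") for _ in range(OTP_DIGITS))
        salt = secrets.token_bytes(16)
        self.pending[username] = {"salt": salt, "otp_hash": hash_secret(code, salt),
                                  "issued_at": self.clock(), "attempts": 0}
        self.outbox.append((self.users[username]["phone"], f"Your login code is {code}"))
        return True

    def login(self, username: str, pin: str, code: str) -> bool:
        """Single-use code: it is deleted on success, on expiry, or after MAX_ATTEMPTS."""
        entry = self.pending.get(username)
        if entry is None or not self._pin_ok(username, pin):
            return False
        if self.clock() - entry["issued_at"] > OTP_TTL_SECONDS:
            del self.pending[username]
            return False
        entry["attempts"] += 1
        ok = hmac.compare_digest(entry["otp_hash"], hash_secret(code, entry["salt"]))
        if ok or entry["attempts"] >= MAX_ATTEMPTS:
            del self.pending[username]  # a keylogged code cannot be replayed later
        return ok


def demo() -> dict:
    """Walk the flow with a constructed user and a fake clock; returns check results."""
    now = [1000.0]
    svc = OtpService(clock=lambda: now[0])
    svc.enroll("alice", "4821", "+1-555-0100")  # constructed test user
    results = {}
    results["wrong_pin_sends_nothing"] = not svc.request_otp("alice", "0000") and not svc.outbox
    svc.request_otp("alice", "4821")
    code = svc.outbox[-1][1].split()[-1]
    wrong = str((int(code) + 1) % 10 ** OTP_DIGITS).zfill(OTP_DIGITS)
    results["wrong_code_rejected"] = not svc.login("alice", "4821", wrong)
    results["correct_login"] = svc.login("alice", "4821", code)
    results["replay_rejected"] = not svc.login("alice", "4821", code)
    svc.request_otp("alice", "4821")
    code = svc.outbox[-1][1].split()[-1]
    now[0] += OTP_TTL_SECONDS + 1
    results["expired_rejected"] = not svc.login("alice", "4821", code)
    svc.request_otp("alice", "4821")
    code = svc.outbox[-1][1].split()[-1]
    for _ in range(MAX_ATTEMPTS):
        svc.login("alice", "4821", wrong)
    results["locked_after_guesses"] = not svc.login("alice", "4821", code)
    return results


if __name__ == "__main__":
    print(demo())
```

The two properties that matter against the keylogger scenario in the post are that the code is deleted the moment it is accepted and that it expires on its own, so whatever a terminal records is worthless a few minutes later; the PIN alone never yields a session, and a wrong PIN never triggers a text.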

3 comments:

Jevo said...

There are a number of products on the market that do this. SecurID has one and Entrust had one. I think there are others out there now too. A few years ago there were a few solutions that worked with the text messaging feature of most cell phones, but the problem with that approach is coverage and latency.

Anonymous said...

Why don't you use TLS/SSL?
One simple (s) after http and you get rid of all your problems instantly. Without using a cell phone.
And if the site offers such a strange security feature as OTP per cell phone, well, it should at the very least support TLS/SSL.

Blake Matheny said...

I'm actually more concerned about things like key loggers than sniffers. When I was in Europe I regularly had to use a public internet terminal and an OTP would have been great.