Friday, October 14, 2016

One-time Passwords


In 2004, Bill Gates predicted the death of password login systems. A recent survey conducted by SecureAuth supported his prediction: 69% of the IT decision makers who responded said they would do away with passwords completely within the next five years. This trend is understandable, as the traditional password has a paradoxical problem: complicated passwords are more secure but easily forgotten, while short and simple passwords are at high risk of being cracked. 

An alternative to relying on passwords alone that many companies have been leaning towards is the time-based one-time password (TOTP). In a two-factor authentication system, the server asks users to enter both their regular password and the TOTP before granting access. A TOTP is a temporary passcode that keeps changing as time passes, so it is safer and far less vulnerable to replay attacks than a regular password. 


To ensure that each passcode is unique, the TOTP is generated by an algorithm that takes the current time as one of its inputs. An interesting fact is that TOTP measures time in Unix time (roughly the number of seconds that have passed since January 1, 1970 GMT - I just looked it up, right now it’s 1476488872 seconds!). Since using the raw time would produce a new code every second, a time step X=30 is defined by default, meaning a new code is only generated every 30 seconds so that users have enough time to type in the code after it has been generated (Jacob). 

And just as social network sites sometimes ask you to confirm your account by entering a passcode sent to your phone, the SMS method is a popular option for two-factor authentication. The TOTP code is sent to your smartphone or another device. After the user types that code into the server, the server verifies the one-time password and grants access to the account. So next time you have to find your phone to log into Gmail, Facebook or another secured account, remember that TOTP is an extra layer of protection on top of your password.

http://blogs.forgerock.org/petermajor/2014/02/one-time-passwords-hotp-and-totp/
https://garbagecollected.org/2014/09/14/how-google-authenticator-works/

1 comment:

  1. I think Time-based one-time passwords are very useful, because they provide us with additional security. Even if a user's traditional password is stolen or compromised, an attacker cannot gain access without the TOTP, which changes every 30 or 60 seconds.
