One-Time passwords: What you need to know

Most of us have dozens of online accounts, each of which should have its own unique password. Remember them all can be a bit of a headache, which is why some people have turned to password managers.

However, events in the last few months have shown that not all password managers are entirely secure, leaving people at odds when it comes to securing their online lives.

One trend that has been steadily gaining momentum is that of the one-time password. Forget having to remember your login for each account and instead have a strong, unique password sent directly to you whenever you need to log in.

When you want access to your account, a link is sent to you via email, SMS or in app and that can be used to log in. No password required.

Yahoo! Become one of the first household names introduce one time passwords a few months ago and you can see my colleague Tony Anscombe’s views on their implementation on his blog.

More recently, blogging site Medium has just rolled out the feature. They believe that one-time passwords are stronger than traditional means of authentication as they explain on their blog:

It sounds counterintuitive, but this is actually more secure than a password-based system. On most services, if someone guesses or cracks your password, they gain access to your account until you change your password, which might not be for a long time. You might never know that they have access. With this email-only system:

  • You’re automatically notified when someone tries to sign in.
  • The sign in link expires after a short amount of time.
  • The sign in link can only be used once.

 

Medium

 

Are there any downsides?

One-time passwords do a great job to help avoid many of the common issues with real passwords such as:

  • Weak passwords
  • Reusing passwords across multiple sites
  • Writing passwords down
  • No warning when someone else has access to your password/account

 

There is some room for vulnerability in the current system.

Encryption – Emailing a link that can provide unlimited account access, should of course be done in an encrypted fashion. However, this isn’t always possible and transmitting it in plain-text over email or SMS could be a major security vulnerability.

Degrades security – A potential downfall for one-time passwords, especially with Mediums implementation, is that any one-time password account is only as secure as your authentication email account.

For example, it would be useless to manage every one of your online accounts with a one-time password, but only secure your email with a weak password (as many people do). Remember, your email password should be the strongest of all your passwords as it can hold the key to the rest of them. One-time passwords make this even more pertinent.

Forwarding – Obviously it is unlikely, but with the current implementations, anyone with the link would be able to access the account. If you forwarded an email by mistake or pasted the link in the wrong place, then this could leave you vulnerable.

Some verification that the link is being clicked within the correct email account would be an added bonus so that the link would be a big bonus.

 

Alternatives

So while it is up to you whether or not you want to secure your online accounts with one-time passwords, if you are looking to improve the security of your online accounts I can recommend deploying Two-Factor Authentication.

Two-Factor Authentication is perhaps the simplest way to prevent unauthorised access to your online accounts and is very low risk. For more information on Two-Factor Authentication, check out the video below:

Video

What Is Two Factor Authentication

Leave a Reply