Tag Archives: One-time passwords

One-Time passwords: What you need to know

Most of us have dozens of online accounts, each of which should have its own unique password. Remembering them all can be a bit of a headache, which is why some people have turned to password managers.

However, events in the last few months have shown that not all password managers are entirely secure, leaving people at odds when it comes to securing their online lives.

One trend that has been steadily gaining momentum is that of the one-time password. Forget having to remember your login for each account and instead have a strong, unique password sent directly to you whenever you need to log in.

When you want access to your account, a link is sent to you via email, SMS or in app and that can be used to log in. No password required.

Yahoo! became one of the first household names to introduce one-time passwords a few months ago, and you can see my colleague Tony Anscombe’s views on their implementation on his blog.

More recently, blogging site Medium has just rolled out the feature. They believe that one-time passwords are stronger than traditional means of authentication as they explain on their blog:

It sounds counterintuitive, but this is actually more secure than a password-based system. On most services, if someone guesses or cracks your password, they gain access to your account until you change your password, which might not be for a long time. You might never know that they have access. With this email-only system:

  • You’re automatically notified when someone tries to sign in.
  • The sign in link expires after a short amount of time.
  • The sign in link can only be used once.

Medium

Are there any downsides?

One-time passwords do a great job to help avoid many of the common issues with real passwords such as:

  • Weak passwords
  • Reusing passwords across multiple sites
  • Writing passwords down
  • No warning when someone else has access to your password/account


There is some room for vulnerability in the current system.

Encryption – Emailing a link that can provide unlimited account access, should of course be done in an encrypted fashion. However, this isn’t always possible and transmitting it in plain-text over email or SMS could be a major security vulnerability.

Degrades security – A potential downside of one-time passwords, especially with Medium's implementation, is that any one-time password account is only as secure as the email account used to authenticate.

For example, it would be pointless to manage every one of your online accounts with a one-time password but only secure your email with a weak password (as many people do). Remember, your email password should be the strongest of all your passwords, as it can hold the key to the rest of them. One-time passwords make this even more pertinent.

Forwarding – Obviously it is unlikely, but with the current implementations, anyone with the link would be able to access the account. If you forwarded an email by mistake or pasted the link in the wrong place, then this could leave you vulnerable.

Some verification that the link is being clicked from within the correct email account would be a welcome addition, so that a forwarded or misplaced link on its own would not be enough to get into the account.
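To make the properties Medium lists above concrete (notification on every request, a short expiry, single use) together with the forwarding concern just described, here is an added example of a sign-in link service. It is not Medium's or Yahoo's code and the page does not describe how either of them verifies the link; the check it adds is an assumption on my part: the link is bound to the browser session that requested it, so a link that is forwarded or pasted somewhere else and opened from a different session is refused. Only a hash of the token is kept server-side, so a leaked database does not yield usable links.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass


@dataclass
class PendingLink:
    token_hash: bytes    # SHA-256 of the token; the token itself is never stored
    email: str
    session_id: str      # browser session that asked for the link (assumed binding)
    expires_at: float
    used: bool = False


class MagicLinkService:
    """Issues and redeems single-use sign-in links (constructed example)."""

    def __init__(self, ttl_seconds=600, clock=time.time):
        self.ttl = ttl_seconds
        self.clock = clock                  # injectable for testing expiry
        self.pending = {}                   # token_hash -> PendingLink
        self.notifications = []             # stand-in for the "someone tried to sign in" email

    @staticmethod
    def _hash(token: str) -> bytes:
        return hashlib.sha256(token.encode()).digest()

    def request_link(self, email: str, session_id: str) -> str:
        """Create a fresh random token, remember its hash, and notify the owner."""
        token = secrets.token_urlsafe(32)   # 256 bits of randomness; unguessable
        h = self._hash(token)
        self.pending[h] = PendingLink(h, email, session_id, self.clock() + self.ttl)
        self.notifications.append((email, "A sign-in link was requested for your account"))
        return token                        # this is what goes into the emailed URL

    def redeem(self, token: str, session_id: str):
        """Return (email, "ok") on success, or (None, reason) on refusal."""
        link = self.pending.get(self._hash(token))
        if link is None:
            return None, "unknown token"
        if link.used:
            return None, "already used"     # a link only works once
        if self.clock() > link.expires_at:
            return None, "expired"          # a link only works for a short time
        if not hmac.compare_digest(link.session_id, session_id):
            return None, "wrong browser session"   # forwarded link opened elsewhere
        link.used = True
        return link.email, "ok"
```

A refused redemption (wrong session, expired, reused) is itself a signal worth logging and surfacing to the account owner, since it most often means the link went somewhere it should not have.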


Alternatives

So while it is up to you whether or not you want to secure your online accounts with one-time passwords, if you are looking to improve the security of your online accounts I can recommend deploying Two-Factor Authentication.

Two-Factor Authentication is perhaps the simplest way to prevent unauthorised access to your online accounts and is very low risk. For more information on Two-Factor Authentication, check out the video below:

Video: What Is Two Factor Authentication

How safe are one-time passwords?

Most people have dozens of passwords, for dozens of online accounts. At times it can be tricky to remember them all, as best practice says they should all be slightly different.

If you’re one of these many people, Yahoo’s recent announcement may get you excited. Earlier in March, Yahoo revealed an innovative idea that would mean we never have to remember a password again.

The concept is very simple. By selecting one-time passwords in your account settings, the next time you log in, Yahoo will send a password to your phone via SMS that you can use to log in with.

While this seems very convenient, is it secure?

Generally speaking, there are three types of authentication in use today:

  • Option A: ID and password
  • Option B: ID, password and a verification code (sent by SMS)
  • Option C: Two-factor authentication using ID, password and another device providing a unique password

The Yahoo solution seems to sit halfway between the least secure option, Option A, and Option B.

Sending a password on demand to a device is a step in the right direction, but there may be other security risks involved when transmitting data over SMS and to a potentially unprotected device.

The phone may not have a passcode and could be infected with malware that reads the SMS. This could mean the email account and all the data inside gets compromised.

If you do want to enable one-time passwords, I would recommend you have both of these: a passcode and AVG AntiVirus for Android on the phone to keep yourself protected.


What would I do differently?

Using the mobile device to add another layer of security is a smart idea as most people have one. Most of us also use apps regularly and if you’re a Yahoo user then you probably have the Yahoo app.

I would change the delivery method of the password from SMS and instead deliver it, in an encrypted format, via their own app.

On top of this, the Yahoo app, with one-time passwords enabled, should require the device to have PIN security.

This would mean that an attacker would need the ID, the phone and the PIN in order to access the account. The app could even go further and check for the presence of an Anti-Virus product to ensure that it’s being scanned regularly.

It could be that there are currently technical limitations with one-time passwords, and that in the future we’ll see a much more secure and comprehensive process.

My top advice right now though is if you’re going to use this service then be sure to have a security app and a PIN on your phone so you can help ensure that the password is being sent to a secure device.

Follow me on Twitter @tonyatavg