Help our organization choose HMAC-based or time-based one time password (OTP)
Customers often face the dilemma of whether to pick HMAC-based OTP or time-based OTP. From a security perspective, HMAC-based OTP looks like the more secure approach, because replay attacks are effectively eliminated. In practice, however, there are a few points we would like customers to be aware of:
- HMAC-based OTP has the benefit that every OTP generated is used and expires immediately once the user successfully completes the strong authentication process. It also gives users the flexibility to pre-generate a series of OTPs for use on the road, in case they do not carry the token or the token is lost. However, this convenience also poses a security hazard: an attacker who gains access to the token can do the same and impersonate the token owner at a later time.
- Our customer success stories tend to show that, even though there is a slim chance an attacker could replay a user's passphrase and time-based OTP within the designated regeneration time window and impersonate that user, time-based OTP is still the preferred approach in light of upfront token provisioning, management and day-to-day support. What bothers our customers most once HMAC-based OTP is deployed is that users hit the regeneration button too many times by accident and exceed the threshold window. The security administrator then has to assist in resynchronizing the counter at the Bloombase Identity Manager console from time to time, which adds to the administration workload.
- The circuitry inside the shell of Bloombase time-based tokens runs round the clock, generating an OTP at every predefined time interval. On the outside, the OTP is never displayed until the user physically presses the activation button, which enforces the what-you-have factor and raises OTP privacy and authentication security to the next level.
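The two behaviours discussed above, the HOTP counter drifting past the validator's look-ahead window after accidental button presses (needing an administrator resync) and the TOTP replay window (closed by remembering the last accepted time step), in an added example that is not Bloombase's code or the Identity Manager's own logic. It follows RFC 4226 and RFC 6238 with HMAC-SHA1 and 6-digit codes; the window size, skew and resync procedure are assumptions.

```python
import hashlib
import hmac
import struct

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the moving factor replaced by the current time step."""
    return hotp(secret, now // step, digits)

class HotpValidator:
    """Server side of HOTP. The look-ahead window absorbs a few accidental button presses;
    beyond it the token is out of sync and an administrator must resynchronise it."""
    def __init__(self, secret: bytes, window: int = 5):   # window size is an assumption
        self.secret, self.counter, self.window = secret, 0, window

    def verify(self, code: str) -> bool:
        for c in range(self.counter, self.counter + self.window + 1):
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.counter = c + 1          # consumed: this OTP and older ones are now rejected
                return True
        return False                          # stale, wrong, or drifted past the window

    def resync(self, code_a: str, code_b: str, search: int = 10000) -> bool:
        """Admin-assisted resync (assumed procedure): two consecutive OTPs pin down the counter."""
        for c in range(self.counter, self.counter + search):
            if hmac.compare_digest(hotp(self.secret, c), code_a) and \
               hmac.compare_digest(hotp(self.secret, c + 1), code_b):
                self.counter = c + 2
                return True
        return False

class TotpValidator:
    """Server side of TOTP. Remembering the last accepted time step rejects a replayed code
    that would otherwise still validate for the rest of its time window."""
    def __init__(self, secret: bytes, step: int = 30, skew: int = 1):
        self.secret, self.step, self.skew, self.last_step = secret, step, skew, -1

    def verify(self, code: str, now: int) -> bool:
        cur = now // self.step
        for s in range(cur - self.skew, cur + self.skew + 1):   # tolerate +/- skew steps of drift
            if s > self.last_step and hmac.compare_digest(hotp(self.secret, s), code):
                self.last_step = s
                return True
        return False
```

The assertions below use the RFC 4226 / RFC 6238 test-vector secret, so the generated codes can be checked against the published vectors.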