Even when a user follows the recommendations on password length and complexity, that alone does not always prevent password theft: a keylogger captures a strong password just as easily as a weak one. For high-traffic web applications such as Amazon or Facebook, a one-time password (OTP) is a way to defeat keylogging attacks, because the captured value is useless once it has been used. Hideez Key provides a reliable, tamper-resistant way to generate OTPs.
A one-time password is a password that is valid for only one login session or transaction on a computer system or other digital device; an OTP generator is the device or software that produces it. OTPs avoid a number of shortcomings associated with traditional (static) password-based authentication. Many implementations also provide two-factor authentication, since producing the one-time password requires something the person has (such as a Hideez Key with a built-in OTP generator, or a mobile phone) in addition to something the person knows (such as a PIN).
The most important advantage, and the one Hideez Key addresses, is that, unlike static passwords, OTPs are not vulnerable to replay attacks: an attacker who records an OTP that has already been used to log in to a service or to authorize a transaction cannot reuse it, because it is no longer valid. A number of OTP systems also aim to ensure that a session cannot easily be intercepted or impersonated without knowledge of unpredictable data created during the previous session, which reduces the attack surface further. One caveat applies to every OTP scheme: the code is only as strong as its validity window, so a phishing page that relays the code to the real service within that window (real-time phishing) still succeeds, even though a code that has already been consumed cannot be replayed.
OTP generation algorithms typically combine a secret key with a pseudorandom function, or use genuine randomness. This is necessary because otherwise it would be easy to predict future OTPs by observing previous ones. Concrete OTP algorithms vary greatly in their details. The main approaches to generating OTPs are listed below:
- Based on time synchronization between the authentication server and the client producing the password (Hideez Key); the standardized form is TOTP (RFC 6238).
- Using a mathematical algorithm to derive each password from the previous one; the classic example is a one-way hash chain such as S/KEY (RFC 2289), where each password is the hash preimage of the one used before it, so observing used passwords reveals nothing about the next.
- Using a mathematical algorithm where the new password is based on a challenge (e.g., a random number chosen by the authentication server, or transaction details) and/or a counter; HOTP (RFC 4226) is the counter-based form and OCRA (RFC 6287) the challenge-based one.
There are also different ways of delivering the next OTP to the user. Some systems use dedicated hardware security tokens that the user carries; the token generates OTPs and shows them on a small display. Other systems run as software on the user's mobile phone. Others generate OTPs on the server side and send them to the user over an out-of-band channel such as SMS; this is the weakest option, because the SMS channel itself is exposed to SIM-swap and telephone-network interception attacks. Finally, in some systems OTPs are printed on paper that the user is required to carry.