«Please enter the code within the next two minutes.» The concept of one-time passwords (OTPs) has become a mainstay in our procedures for secure user verification in sensitive applications, such as government and financial .
«Please enter the code within the next two minutes.» The concept of one-time passwords (OTPs) has become a mainstay in our procedures for secure user verification in sensitive applications, such as government and financial services. Typically found in multi-factor authentication schemes, a standard OTP resists hacking attempts by imposing a time limit for users to input the given password.
However, in the face of increasing cyberthreats, current OTP protocols will be slowly rendered obsolete. Designing a better protocol to enforce the security and privacy of user information is no mean task.
Professor Zhou Jianying from the Singapore University of Technology and Design (SUTD) and his collaborators recently proposed a new scheme that addresses some of the shortcomings of existing OTP methods. Findings from this study are published in the paper «Dynamic group time-based one-time passwords,» in IEEE Transactions on Information Forensics and Security.
There are several standard approaches to implementing OTP schemes. One approach, dubbed RFC 6238, stores symmetric keys to generate these transient passcodes which are supposed to be shared with the institution’s server. Another, the Lamport’81 scheme, requires the user device and server to have separate password verification keys.
However, each approach comes with its own vulnerabilities—RFC 6238 is vulnerable to breaches to the server, while the Lamport’81 scheme cannot prevent the malicious tracking of each user’s identity.
