Learn about One-Time Passwords in CISSP



Now, let’s discuss One-Time Passwords.

One-Time Passwords
As its name implies, a one-time password (OTP) is a password that is valid for only one use. OTPs are used wherever stronger authentication than a static password is needed; the most common uses are VPN access and online banking. If someone sees or records your one-time password, they cannot reuse it, because it has already expired. The same holds for an attacker who intercepts the password or obtains it some other way: the password is useless for the same reason. Note that an OTP only defeats reuse; an attacker who relays a freshly captured code to the real service within its validity window can still log in, which is why OTPs are normally combined with a PIN or password as a second factor.

The device used to generate one-time passwords is called a token. A token can be a small hardware device (small enough to hang on a key chain) or a software token installed on a computer or smartphone.
When the user enters the one-time password just generated by the token, the password is forwarded to an authentication server, where it is checked and the user's authentication request is approved or rejected. For this to work, the token and the authentication server must share the same secret key and use the same generation algorithm, so that at any moment both sides compute exactly the same password.
Depending on the algorithm used, tokens fall into two main types, described below.

Token Types
Tokens could be either synchronous or asynchronous.

Synchronous Tokens
In this type, the token and the authentication server stay in sync using either time or a counter.

Time-Based Tokens
Time-based tokens must keep their clock in step with the authentication server; this is crucial.
Both sides compute the password as a function of the current time (typically divided into 30-second steps) and a shared secret key. As long as the clocks agree and the secret is shared, the password generated by the token at any moment is the one the server expects at that moment. In practice the server tolerates a small amount of clock drift by also accepting the codes for one step before and after the current one; a token whose clock has drifted beyond that window must be resynchronised.
If one of your friends is a system administrator, you may have noticed a small device on their key chain with a digital display whose number (usually 6 digits) changes every 30 seconds. That is a synchronous time-based token.

Counter-Based Tokens
In counter-based tokens, both the token and the authentication server maintain a counter, and the counter value together with a shared secret key is used to generate the one-time password.
This type of token requires one or more actions from the user before it generates and displays the one-time password, usually pressing a button and, on some models, entering a PIN. Each press advances the token's counter; the server advances its own counter when it accepts a password. Because a user may press the button without logging in, the server normally looks ahead a limited number of counter values and, on a match, moves its counter past that value so that the skipped passwords can no longer be used.

Asynchronous Tokens
In this type, when the user initiates the connection, the authentication server sends a challenge (a random value) to the user. The user enters this challenge on the token's numeric keypad; the token combines it with the shared secret to generate the one-time password and displays the result (the response), which the user sends back to the server. Because every challenge is fresh, the token and the server need no synchronised clock or counter, which is why these tokens are called asynchronous.
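The three generation schemes above (time-based, counter-based, and challenge-response) all reduce to an HMAC over a changing input, and the server-side handling (clock-skew window, counter look-ahead, one-use challenges) is where most of the security lives. The following Python is an added example written for this article, not code from the original page: hotp() and totp() implement RFC 4226 and RFC 6238 with HMAC-SHA1, and the test secret is the one published with those RFCs so the output can be checked against their test vectors. The challenge-response function and the three small server classes are this example's own constructions, not any vendor's protocol.

```python
"""HOTP, TOTP and challenge-response OTP generation and verification.

Added illustration for this article, not code from the original page. hotp()
and totp() follow RFC 4226 / RFC 6238 (HMAC-SHA1, dynamic truncation); the
challenge-response scheme and the server classes are this example's own design.
"""
import hashlib
import hmac
import secrets
import struct
import time

# Test secret from RFC 4226 / RFC 6238 (ASCII "12345678901234567890"), used so
# the results can be compared with the published test vectors.
TEST_SECRET = b"12345678901234567890"


def _truncate(mac: bytes, digits: int) -> str:
    """RFC 4226 dynamic truncation: 31 bits taken at a MAC-derived offset."""
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """Counter-based OTP: HMAC-SHA1 over the 8-byte big-endian counter."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    return _truncate(mac, digits)


def totp(secret: bytes, unix_time=None, step: int = 30, digits: int = 6) -> str:
    """Time-based OTP: HOTP with counter = floor(unix_time / step)."""
    if unix_time is None:
        unix_time = time.time()
    return hotp(secret, int(unix_time) // step, digits)


def challenge_otp(secret: bytes, challenge: bytes, digits: int = 6) -> str:
    """Asynchronous token: the server's random challenge is the HMAC message."""
    mac = hmac.new(secret, challenge, hashlib.sha1).digest()
    return _truncate(mac, digits)


class TotpServer:
    """Accepts codes within +/- `skew` time steps and never accepts a step twice."""

    def __init__(self, secret: bytes, step: int = 30, digits: int = 6, skew: int = 1):
        self.secret, self.step, self.digits, self.skew = secret, step, digits, skew
        self.last_step = -1  # highest time step already consumed (replay guard)

    def verify(self, candidate: str, unix_time=None) -> bool:
        now_step = int(time.time() if unix_time is None else unix_time) // self.step
        for s in range(now_step - self.skew, now_step + self.skew + 1):
            if s <= self.last_step:
                continue  # a code for this window was already used
            if hmac.compare_digest(hotp(self.secret, s, self.digits), candidate):
                self.last_step = s
                return True
        return False


class HotpServer:
    """Tracks the expected counter and resynchronises within a look-ahead window."""

    def __init__(self, secret: bytes, digits: int = 6, look_ahead: int = 5):
        self.secret, self.digits, self.look_ahead = secret, digits, look_ahead
        self.counter = 0  # next counter value the server expects

    def verify(self, candidate: str) -> bool:
        for c in range(self.counter, self.counter + self.look_ahead):
            if hmac.compare_digest(hotp(self.secret, c, self.digits), candidate):
                self.counter = c + 1  # codes for skipped presses are now dead
                return True
        return False


class ChallengeServer:
    """Issues a random challenge and accepts exactly one response to it."""

    def __init__(self, secret: bytes, digits: int = 6):
        self.secret, self.digits = secret, digits
        self.pending = {}  # outstanding challenge -> time it was issued

    def issue(self) -> bytes:
        challenge = secrets.token_bytes(8)
        self.pending[challenge] = time.time()
        return challenge

    def verify(self, challenge: bytes, response: str, ttl: float = 60.0) -> bool:
        issued = self.pending.pop(challenge, None)  # consumed whether or not it matches
        if issued is None or time.time() - issued > ttl:
            return False
        expected = challenge_otp(self.secret, challenge, self.digits)
        return hmac.compare_digest(expected, response)


if __name__ == "__main__":
    # RFC vectors: HOTP counter 0 -> 755224, 8-digit TOTP at t=59 -> 94287082
    print(hotp(TEST_SECRET, 0), totp(TEST_SECRET, 59, digits=8))
```

Two details matter in practice. First, every comparison goes through hmac.compare_digest so a timing side channel cannot leak which digits matched. Second, each server remembers what it has already accepted (last time step, next counter, or the consumed challenge), which is what actually enforces "one time": the generation function alone does not.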

Software Tokens
Software tokens are applications that generate one-time passwords; they can be installed on computers or smartphones.
Using a software token removes the need to carry a hardware token, at the cost that the shared secret now lives on a general-purpose device. Software tokens are usually protected with a PIN or password.


A one-time password is a password that is valid for only one use and for a very limited time.
Tokens that generate OTPs could be implemented in hardware or in software.
Tokens could be either synchronous or asynchronous.
Synchronous tokens could be time-based, or counter-based.

That is it for OTP, and for authentication methods as well.
In the next article, we will talk about Access Control Models. That is an important topic worth waiting for; so, see you.

