OTP one time password

Roedy Green

Apr 27, 2011, 12:08:30 PM
To: comp.lang.java.security
I am curious about OTP fobs. My sister said they use them at work.
She said she has to key a number that displays on the fob. This
strikes me as unnecessary and just a source of error. Surely the fob
could insert the password, but then why bother with the display?

Is there some reason for keying it? Is it just lazy software writing?
I understand it works by having a clock synched with the server to
change passwords every 30 seconds or so.
--

Roedy Green Canadian Mind Products
The Java Glossary
http://mindprod.com


Wojtek

Apr 27, 2011, 12:08:31 PM
To: comp.lang.java.security
Roedy Green wrote :

> I am curious about OTP fobs. My sister said they use them at work.
> She said she has to key a number that displays on the fob. This
> strikes me as unnecessary and just a source of error. Surely the fob
> could insert the password, but then why bother with the display?
>
> Is there some reason for keying it? Is it just lazy software writing?

You are thinking of USB?

I can think of some reasons.

Legacy - When these were invented, USB did not exist. And it would be
really awkward to plug the FOB into a serial port.

If the s/w is on a USB key, then someone could potentially copy the s/w
without your knowledge. This would create a secret duplicate key FOB.

If I remember right, the FOBs do not have a replaceable battery. The
entire thing is sealed to prevent possible intrusions.

A USB key would need an app on the user's computer to be able to read
the FOB. With a value you key in, any machine with a Web browser could
be used.

> I understand it works by having a clock synched with the server to
> change passwords every 30 seconds or so.

Yes that is how it works. And the server also allows the previous/next
password within a short window, in case the roll over is not exactly
synched.

--
Wojtek :-)

David Kerber

Apr 27, 2011, 12:08:32 PM
To: comp.lang.java.security
In article <mn.41a87d898...@a.com>, now...@a.com says...

> Roedy Green wrote :
> > I am curious about OTP fobs. My sister said they use them at work.
> > She said she has to key a number that displays on the fob. This
> > strikes me as unnecessary and just a source of error. Surely the fob
> > could insert the password, but then why bother with the display?
> >
> > Is there some reason for keying it? Is it just lazy software writing?
>
> You are thinking of USB?
>
> I can think of some reasons.
>
> Legacy - When these were invented, USB did not exist. And it would be
> really awkward to plug the FOB into a serial port.
>
> If the s/w is on a USB key, then someone could potentially copy the s/w
> without your knowledge. This would create a secret duplicate key FOB.
>
> If I remember right, the FOBs do not have a replaceable battery. The
> entire thing is sealed to prevent possible intrusions.
>
> A USB key would need an app on the user's computer to be able to read
> the FOB. With a value you key in, any machine with a Web browser could
> be used.
>
> > I understand it works by having a clock synched with the server to
> > change passwords every 30 seconds or so.
>
> Yes that is how it works. And the server also allows the previous/next
> password within a short window, in case the roll over is not exactly
> synched.

Often it also requires a user-known password in addition to the number on
the fob, to ensure that just stealing the fob itself isn't enough to
enable unauthorized users to get access.


--
/~\ The ASCII
\ / Ribbon Campaign
X Against HTML
/ \ Email!

Remove the ns_ from if replying by e-mail (but keep posts in the
newsgroups if possible).
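
The server-side checks described in the replies above (a code that changes every 30 seconds, acceptance of the previous/next code, and a user-known password alongside it), as an added example that is not part of the thread. It uses the open RFC 6238 TOTP algorithm as a stand-in, since the thread does not say which algorithm the fobs use; `FobVerifier`, `hash_pin`, the six-digit length and the replay check are assumptions of this example.

```python
import hashlib
import hmac
import struct

STEP = 30    # seconds each code stays on the display (figure from the thread)
DIGITS = 6   # assumption: six-digit display

def totp(secret: bytes, step: int) -> str:
    """RFC 6238 code for one time step: HMAC-SHA1 plus RFC 4226 truncation."""
    mac = hmac.new(secret, struct.pack(">Q", step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)

def hash_pin(pin: str, salt: bytes) -> bytes:
    """Salted, slow hash so the server never stores the PIN itself."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)

class FobVerifier:
    """Hypothetical server-side record for one user's fob."""

    def __init__(self, secret: bytes, salt: bytes, pin_hash: bytes, window: int = 1):
        self.secret, self.salt, self.pin_hash = secret, salt, pin_hash
        self.window = window   # steps of clock drift tolerated either way
        self.last_step = -1    # newest step already used for a login

    def verify(self, pin: str, code: str, now: float) -> bool:
        pin_ok = hmac.compare_digest(hash_pin(pin, self.salt), self.pin_hash)
        current = int(now) // STEP
        first = max(0, current - self.window)
        matched = None
        # Check previous, current and next step; no early exit on a match.
        for step in range(first, current + self.window + 1):
            if hmac.compare_digest(totp(self.secret, step).encode(), code.encode()):
                matched = step
        # A code at or before the last accepted step is a replay.
        if not pin_ok or matched is None or matched <= self.last_step:
            return False
        self.last_step = matched
        return True
```

Rejecting any code at or before the last accepted step is what makes the password one-time: within the drift window a captured code would otherwise stay valid for up to 90 seconds.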
