Saturday, November 20, 2010

OTP

OTP?
OTP stands for One Time Passwords.


Since I used the term OTP in my previous blog entry on SMS Banking, I had better provide an explanation here. OTP is another method to protect users from the fraudulent activity that surrounds password authentication. A one-time password is valid for a single log-in only. Afterwards, that password becomes invalid and a new password is generated for the next log-in. OTPs are mostly used in services such as SMS Banking to reduce the risks involved in mobile transactions. This means that even if an intruder manages to record an OTP that was already used to log into a service or to conduct a transaction, he will not be able to make use of it, since it is no longer valid.


There are 3 ways of generating OTPs. What these 3 methods have in common is that their algorithms use 'randomness' in the generation of passwords.
The 3 methods are,

  • Based on time-synchronization

Time-sync will happen between the authentication server and the client providing the password (OTPs are valid only for a short period of time)

  • Using a mathematical algorithm (previous password)

It will generate a new password based on the previous password (OTPs are a chain and must be used in a predefined order).

  • Using a mathematical algorithm (challenge) 

Here, the new password will be based on a challenge (e.g., a random number chosen by the authentication server or transaction details) and/or a counter.


Users will be notified of these one time passwords via SMS, through OTP-generating software in mobile phones, special electronic tokens or printed paper. 


Even OTPs are vulnerable to potential attacks, especially if no encryption is used. Importantly, it is not advisable to involve a 3rd party when providing OTPs, since it brings the risk of a man-in-the-middle attack. So this method is still being constantly improved in order to provide security as well as convenience to the customer.
