Digital Identities

1. 00:01Now we consider One-Time Passwords in our openHPI course about Digital Identities.
2. 00:07When we speak about password-based authentication,
3. 00:11we every time saw a question mark concerning the security, because
4. 00:17password-based authentication is not considered
5. 00:20secure enough and one needs to do a lot to use it in the right way.
6. 00:26But one possibility to really secure passwords for authentication is possible
7. 00:33by means of one-time passwords.
8. 00:36The idea behind such one-time passwords is exactly what the name
9. 00:40tells us: each password can only be used once for authentication,
10. 00:47after it is used it loses its validity.
11. 00:51So it makes no sense to look for this, to spy out, to use keyloggers,
12. 00:57all these kinds of attacks that we saw (in the previous chapter) to get the password in the
13. 01:02hand of an attacker, because after it is used it's no more usable for
14. 01:09authentication. Typically such one-time passwords are automatically and randomly
15. 01:16generated character strings
16. 01:18that are sent to a user over a second independent transmission channel.
17. 01:25Let's have a closer look at the provision of one-time passwords.
18. 01:30On the one side, it's a very secure way, on the other side for
19. 01:33each authentication we need a new password.
20. 01:36So, the challenge here is that both the user
21. 01:40as well as the authentication authority, the service or the
22. 01:45ID provider of that service must know which one-time password is valid
23. 01:51and which ones are already used.
24. 01:56To this challenge, there are two possible solutions: the one solution is
25. 02:00to work with password lists.
26. 02:04This is a list of valid one-time passwords
27. 02:08that's generated by the authentication authority and it is
28. 02:12transmitted to the user over a second secure transport channel,
29. 02:17it could not be sent over the internet because then everyone can,
30. 02:21every attacker can get access to it.
31. 02:23And you know this, for example, "TAN Lists" in
32. 02:30case of online banking, the "mTAN"
33. 02:34procedures and others, they are working on the basis of such password lists.
34. 02:40And then the second possibility to solve the challenge
35. 02:46is that both user and
36. 02:48the authentication authority needs to know which is valid and which
37. 02:53is an invalid password. It's the work with password generators:
38. 02:58password generators dynamically generate one-time passwords
39. 03:03that are only valid in a certain time span.
40. 03:10If we have a closer look at such password generators, then
41. 03:15these are small devices often called "tokens" or applications on your computer.
42. 03:22The password generators they produce one-time passwords by means of
43. 03:29special algorithms. These algorithms are known
44. 03:32to the authentication authority and
45. 03:37can be run in three different ways.
46. 03:42We can distinguish, Time-Controlled one-time password generator,
47. 03:48we can distinguish, Event-Driven generation of a one-time
48. 03:53password, and we can see the Challenge and Response-Controlled
49. 03:57generation of a password.
50. 03:59Let's have a closer look at these three possibilities because it's an interesting topic
51. 04:04that at a certain moment the user needs a new password to authenticate
52. 04:10for a service, for an online service, and the
53. 04:14authentication authority needs to know exactly this password
54. 04:19to give the user access or to prevent access.
55. 04:22The Time-Controlled one-time password generator works as following: The token
56. 04:28and authentication authority, a token is on the
57. 04:33side of the user, the authentication authority is on the side of the service,
58. 04:37they work synchronously.
59. 04:40Both sides calculate one-time passwords at the same time interval
60. 04:45which are valid until
61. 04:48the use or the next calculation iteration.
62. 04:53So, each time the token compute something, it is known by the
63. 04:59authentication authority and it's accepted but only for a very short time.
64. 05:05The authentication authority allows a certain time tolerance range,
65. 05:11as the clock in the token is not already 100% accurate.
66. 05:15So, both are based on the time, and exactly for this time span
67. 05:19around the systems on both sides, this one-time password is computed. An example,
68. 05:26here is the "Google Authenticator".
69. 05:32The google authenticator.
70. 05:34Here is such a token as in the RSA token and the google authenticator.
71. 05:42This RSA authenticator is used for the "SecurID"
72. 05:47approach. So, here on this device and on the other side, the same computation is done
73. 05:53starting from the time point, and google authenticator is another approach.
74. 06:00How is the one-time password created in case of Event-Controlled
75. 06:05one-time password generation?
76. 06:07The generation of a one time password here is triggered
77. 06:12by the user or by key-pressing or by pressing a key on a token,
78. 06:19then exactly at this moment the token and the authentication authority
79. 06:25remember the number of previously generated passwords.
80. 06:30The token generates a new one-time password,
81. 06:32and the authority knows that now a new
82. 06:36one-time password is used for authentication and in this way the
83. 06:41one-time password is known on the side of the user,
84. 06:45as well on the side of the authentication authority.
85. 06:48The calculation of the one-time password here is carried out
86. 06:52using previously generated passwords,
87. 06:56and also here the authentication authority allows a tolerance range,
88. 07:01just in case the user has not used
89. 07:04a generated password.
90. 07:07Then the third approach to solve this challenge is the Challenge-Response-Controlled
91. 07:14one-time password generation.
92. 07:16Here the user wants to authenticate him/herself and asks the authentication authority.
93. 07:24The procedure looks like the following: The authentication authority
94. 07:30sends - when the user is requesting, a random value to the token.
95. 07:37By the calculation algorithms that are also known to the
96. 07:41authentication authority, the token generates from the received input
97. 07:48a one-time password. Then the user sends the generated
98. 07:54one-time password to the authentication authority.
99. 07:58The authentication authority knows which was the initial value, they know the
100. 08:03algorithm and can do the calculation on the side
101. 08:09of the authentication service and then they can decide whether
102. 08:14the value, the one-time password is valid
103. 08:19or not, and if it's correct then the user is authenticated.
104. 08:24So, to summarize what we
105. 08:27have learned about such one-time passwords:
106. 08:32One-time passwords can only be used once as the name is saying.
107. 08:38Provision is done by means of a password list
108. 08:43or a password generator. And for the password generators, we can distinguish
109. 08:49between Time-controlled one-time password generation,
110. 08:53Event-Driven generation, and Challenge-Response-Controlled generation

To enable the transcript, please select a language in the video player settings menu.