
One Time Password (OTP) tokens are typically considered the ultimate in useful consumer login security. They are a key part of a Two-Factor Authentication system, which drastically increases the security of a login compared with a typical username/password single-factor system.

The username/password security scheme is considered very insecure for a number of reasons including ease of packet or keystroke sniffing, phishing attacks and other social engineering problems. Two factor authentication schemes add in another layer of security by having a user retrieve another password from an out of band source such as a password generating device (such as an OTP token) or SMS text.

Since this password constantly changes at timed intervals, it is nearly impossible for a would-be hacker to steal your username and password and log in without having this token.


These tokens are usually for-pay since they are a physical device, but with the recent increase in apps available for mobile devices many OTP providers are now offering free apps which take the place of a physical device.

Below are some of the more popular password generators that I have come across and sample screenshots of them in action:

VeriSign Identity Protection (VIP) Access For Mobile

One of the biggest providers of physical One Time Password tokens is VeriSign. Their hardware tokens are low cost to the end user and are usable on a number of popular online sites including eBay, SalesForce, Box.net, PayPal and more. You can order a low cost ($5) key from PayPal, or, as I have recently discovered, download a free mobile device app.

VeriSign offers software for a wide variety of mobile devices, including iPhone, Android, Windows Mobile, Blackberry and more. Simply download the software and run the password generator program. On its first run, a unique signature is generated and registered with VeriSign’s servers. Your device has a unique ID which you then register with your login on an external site.

After that whenever you open the program it will show you the current password to use during two-factor authentication. Easy.

RSA SecurID

Another big player in the Two-Factor Authentication field is RSA. RSA is actually a pioneer in the security field, originally patenting a method to encrypt communication channel data back in 1983 and releasing it open source in 2000.

Much like the VeriSign app, RSA has released its SecurID app free to iPhone, Blackberry, Windows Mobile and a few other platforms. Unfortunately, they have not released an app to the Android platform as of this publication date. You also must have an RSA solution in place to use the mobile OTP generator; this would come from your workplace, bank or any other login which may need to be secured.

RSA solutions are in widespread use across the world.

FireID

FireID is a startup in the two-factor authentication space. While new to the field, they have a really nice iPhone app. Their website states that they also support Blackberry, Android, Windows Mobile and Symbian devices, but I could not find any information on these products and I am not sure if they have been released yet.

They are definitely a company to keep your eye on.

ArcotOTP

ArcotOTP is another one time password generator. While lesser known than the others, Arcot is an ‘up and coming’ company in this field, and counts the venerable Bruce Schneier as an advisor to the company. ArcotOTP is a proprietary technology, so you will need to use software which is tied into an ArcotOTP solution.

SafeNet MobilePASS

SafeNet provides a suite of different security and authentication solutions, and also has a nice range of OTP applications for multiple platforms including iPhone, Blackberry, Windows Mobile and SMS. Notably, Android is missing from this list.

While not a comprehensive list of free mobile OTP generators the above does give you a good idea as to some of the major players in the field and the more popular solutions which do offer a mobile client rather than a hardware based token. There are many OTP providers out there, each with its own platform to secure logins.

VeriSign is probably the one that you will be most familiar with and has the most ecommerce adoption, since Paypal/eBay, Salesforce and other popular web apps use them. Which free app you would use is likely dictated by the websites you need to login to and which two-factor scheme they use.

Whichever your preferred method for implementing two factor authentication, these free apps point you towards some providers which have been progressive on the ‘convergence of the mobile device’ mindset, allowing you to forgo a separate token and use one device to increase your login security.

Let us know how easy you find these password generators to use, or what other security schemes you use to help secure your passwords.

[ As a postscript, I just wanted to point out that two-factor authentication has a gaping hole in it – a Man in the Middle attack is still able to defeat this authentication scheme. Basically, an attacker sits in between you (logging in) and the server, passing along your information to the legitimate server including the one time password. This is a fairly obscure security issue for the general consumer, so adding two factor authentication to your login processes does afford much greater security than a regular one factor scheme. ]
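To make the postscript concrete, the sketch below (an added example, not code from any of the products above) uses the open HOTP/TOTP algorithms from RFC 4226 and RFC 6238 as a stand-in for the vendors' own schemes. It shows that a login code is valid for whoever presents it within its time window, while a code computed over the transaction details fails when those details change; the 30-second step, the `sign_transaction` construction and all names are assumptions for illustration.

```python
import hashlib
import hmac
import json
import struct

STEP = 30  # seconds per code (assumed; real products choose their own interval)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(secret: bytes, now: float) -> str:
    """RFC 6238: HOTP with the counter taken from the clock."""
    return hotp(secret, int(now) // STEP)


def verify_login(secret: bytes, code: str, now: float) -> bool:
    """Server-side check; also accepts the previous step to allow clock skew.
    Nothing here ties the code to who submitted it or what they do next."""
    step = int(now) // STEP
    return any(hmac.compare_digest(hotp(secret, c), code)
               for c in (step, max(step - 1, 0)))


def sign_transaction(secret: bytes, payee: str, amount: str, now: float) -> str:
    """Hypothetical transaction-bound code: a MAC over the details the user sees."""
    msg = json.dumps([payee, amount, int(now) // STEP]).encode()
    mac = hmac.new(secret, msg, hashlib.sha256).digest()
    return str(int.from_bytes(mac[:4], "big") % 10 ** 8).zfill(8)


def verify_transaction(secret: bytes, payee: str, amount: str, code: str, now: float) -> bool:
    return hmac.compare_digest(sign_transaction(secret, payee, amount, now), code)


if __name__ == "__main__":
    secret = b"12345678901234567890"  # RFC 6238 test secret (public test vector)
    code = totp(secret, 59)
    print("login code:", code)
    print("accepted 20 s later:", verify_login(secret, code, 79))
    print("accepted 2 min later:", verify_login(secret, code, 179))
    sig = sign_transaction(secret, "alice", "10.00", 59)
    print("same details:", verify_transaction(secret, "alice", "10.00", sig, 59))
    print("changed payee:", verify_transaction(secret, "mallory", "10.00", sig, 59))
```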

Image Credit : mikebaird.

  1. frank james
    August 26, 2015 at 2:07 pm

    How can I block or divert OTP ? Is there any software to break OTP and divert from registered mobile number to another number?

  2. nishant raj
    November 20, 2010 at 8:33 pm

    passwords can be managed by password manager
    http://xrgblog.blogspot.com

  3. Wr Boergao
    November 15, 2010 at 2:44 am

    I forget the password frequently.

  4. Wr Boergao
    November 15, 2010 at 2:42 am

    Really? Do you have the windows password product like Password Genius?

  8. Dave Drager
    September 8, 2010 at 12:55 pm

    Thanks for responding.

    As I mentioned in the footer, OTP does not protect against Man in the Middle attacks. Then again, it is hard for any solution to protect against a man in the middle attack, if the attacker has full knowledge of the target website. These OTP generators do protect mostly against phishing attacks which I would think comprise most of the problems that a 'common' user has with bank or other private security login.

    I am curious, how does your product enhance security with regard to 'MITM' attacks? Does it sign the to & from data to ensure integrity?

    • vikram sareen
      September 10, 2010 at 4:08 pm

      hi dave,

      apologies for not reading the footer.

      yes you are right. we do two forms of additional authentication above and beyond OTP. the two approaches are -
      1. out of band authentication - use entirely a different channel to send the transaction details for both alerting the user and user to approve or reject it. in fact we are the only company that has non-repudiation enforced mobile out of band authentication and also patented (virtual out of band) through any web browser.

      2. sign what you need? where user sees something and enters challenge into the CR token (hardware or software) to sign (MAC) it. this is also a good solution but it is a little more effort for the user.

      are u working on any projects that involve strong authentication? then i would love to work with u to provide right solution.

      actividentity also uses our soft token as an OEM reseller.

      regards,
      vikram
      http://www.facebook.com/vikram.sareen

    • shiva
      May 4, 2015 at 5:10 am

      sir can i get this project source code

  9. vikram sareen
    September 7, 2010 at 5:34 am

    First and foremost, the OTP does not protect against MITM and Trojan attack. This form of security is cracked and MITM attacks are a reality.

    Banks and Commerce portal need to be made aware of these by the above mentioned vendors.

    We at EZMCOM have a better and strong authentication that is using combination of OTP and Mutual Authentication (along with Out of band) authentication factors to ensure higher grade of protection. Security that protects from MITM and trojan attacks also.

    regards,
    vikram
    http://www.ezmcom.com
