The username/password security scheme is considered very insecure for a number of reasons, including the ease of packet or keystroke sniffing, phishing attacks and other social engineering problems. Two-factor authentication schemes add another layer of security by having the user retrieve a second password from an out-of-band source, such as a password-generating device (an OTP token) or an SMS text message.
Since this password changes at timed intervals, it is nearly impossible for a would-be hacker to steal your username and password and log in without also having this token.
These tokens are usually for-pay, since they are physical devices, but with the recent increase in apps available for mobile devices, many OTP providers now offer free apps that take the place of the physical device.
Below are some of the more popular password generators that I have come across and sample screenshots of them in action:
One of the biggest providers of physical one-time password tokens is VeriSign. Their hardware tokens are low cost to the end user and are usable on a number of popular online sites, including eBay, Salesforce, Box.net, PayPal and more. You can order a low-cost ($5) key from PayPal or, as I recently discovered, download a free mobile device app.
VeriSign offers software for a wide variety of mobile devices, including iPhone, Android, Windows Mobile, BlackBerry and more. Simply download the software and run the password generator program; on its first run a unique signature is generated and registered with VeriSign's servers. Your device is given a unique ID, which you then register with your login on an external site.
After that, whenever you open the program it shows you the current password to use during two-factor authentication. Easy.
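To make the timed-interval scheme concrete, here is an added example (not VeriSign's, RSA's or any other vendor's code, whose algorithms are proprietary) of a standards-based time-based OTP in the style of RFC 6238: the token side derives a six-digit code from a shared secret and the current 30-second time step, and the server side checks it against a small clock-drift window and refuses to accept the same time step twice, so a code captured off the wire is useless once it has been used. The secret is the constructed RFC test value, not a real credential.

```python
import hashlib
import hmac
import struct
import time

# Shared secret provisioned when the token or app is registered with the
# server. Constructed sample value (the RFC 4226/6238 test secret), not a
# real credential; real deployments use a random secret per device.
SECRET = b"12345678901234567890"
STEP = 30      # seconds each password stays valid
DIGITS = 6     # length of the displayed code

def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """HMAC-based OTP (RFC 4226): dynamic truncation of HMAC-SHA1(secret, counter)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(secret: bytes, at: int, digits: int = DIGITS, step: int = STEP) -> str:
    """Time-based OTP (RFC 6238): the counter is the current time step."""
    return hotp(secret, at // step, digits)

class Verifier:
    """Server side. Accepts the code for the current step or one step either
    side (clock drift), and never accepts a step twice, so a sniffed code
    cannot be replayed after its legitimate use."""

    def __init__(self, secret: bytes, digits: int = DIGITS,
                 step: int = STEP, window: int = 1):
        self.secret, self.digits, self.step, self.window = secret, digits, step, window
        self.last_accepted = -1    # highest time step already consumed

    def verify(self, code: str, at: int) -> bool:
        current = at // self.step
        for delta in range(-self.window, self.window + 1):
            counter = current + delta
            if counter <= self.last_accepted:
                continue           # already used: reject replay
            expected = hotp(self.secret, counter, self.digits)
            if hmac.compare_digest(expected, code):
                self.last_accepted = counter
                return True
        return False

if __name__ == "__main__":
    now = int(time.time())
    code = totp(SECRET, now)
    print("code for this step:", code, "accepted:", Verifier(SECRET).verify(code, now))
```

The replay check only covers a code presented after its first use; it does nothing against a live relay of the kind described in the postscript, where the code is forwarded to the real server within the same time step.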
Another big player in the two-factor authentication field is RSA. RSA was actually a pioneer in the security field, originally patenting a method to encrypt communication channel data back in 1983 and releasing it as open source in 2000.
Much like the VeriSign app, RSA has released its SecurID app free for iPhone, BlackBerry, Windows Mobile and a few other platforms. Unfortunately, they have not released an app for the Android platform as of this publication date. You must also have an RSA solution in place to use the mobile OTP generator; this would come from your workplace, bank or any other login that needs to be secured.
RSA solutions are in widespread use across the world.
FireID is a startup in the two-factor authentication space. While new to the field, they have a really nice iPhone app. Their website states that they also support Blackberry, Android, Windows Mobile and Symbian devices, but I could not find any information on these products and I am not sure if they have been released yet.
They are definitely a company to keep your eye on.
ArcotOTP is another one-time password generator. While lesser known than the others, Arcot is an 'up and coming' company in this field and counts the venerable Bruce Schneier as an advisor to the company. ArcotOTP is a proprietary technology, so you will need to use software that is tied into an ArcotOTP solution.
SafeNet provides a suite of different security and authentication solutions and also has a nice range of OTP applications for multiple platforms, including iPhone, BlackBerry, Windows Mobile and SMS. Notably, Android is missing from this list.
While not a comprehensive list of free mobile OTP generators, the above gives you a good idea of some of the major players in the field and the more popular solutions that offer a mobile client rather than a hardware-based token. There are many OTP providers out there, each with its own platform for securing logins.
VeriSign is probably the one you will be most familiar with, and it has the most e-commerce adoption, since PayPal/eBay, Salesforce and other popular web apps use it. Which free app you use is likely dictated by the websites you need to log in to and which two-factor scheme they use.
Whichever your preferred method of implementing two-factor authentication, these free apps point you towards providers that have been progressive on the 'convergence of the mobile device' mindset, allowing you to forgo a separate token and use one device to increase your login security.
Let us know how easy you find these password generators to use, or what other security schemes you use to help secure your passwords.
[ As a postscript, I just wanted to point out that two-factor authentication has a gaping hole in it: a man-in-the-middle attack is still able to defeat this authentication scheme. Basically, an attacker sits between you (logging in) and the server, passing your information, including the one-time password, along to the legitimate server. This is a fairly obscure security issue for the general consumer, so adding two-factor authentication to your login processes still affords much greater security than a regular one-factor scheme. ]
Image credit: mikebaird.