Re: OTP one time password

From "David Kerber" <david.kerber@THRWHITE.remove-dii-this>
Subject Re: OTP one time password
Message-ID <MPG.232f3a8a699782989683@news.east.cox.net> (permalink)
Newsgroups comp.lang.java.security
References <mn.41a87d898c2cdc5c.70216@a.com>
Date 2011-04-27 16:08 +0000
Organization TDS.net

  To: comp.lang.java.security
In article <mn.41a87d898c2cdc5c.70216@a.com>, nowhere@a.com says...
> Roedy Green wrote :
> > I am curious about OTP fobs.  My sister said they use them at work.
> > She said she has to key a number that displays on the fob.  This
> > strikes me as unnecessary and just a source of error. Surely the fob
> > could insert the password, but then why bother with the display?
> >
> > Is there some reason for keying it?  Is it just lazy software writing?
> 
> You are thinking of USB?
> 
> I can think of some reasons.
> 
> Legacy - When these were invented, USB did not exist. And it would be 
> really awkward to plug the FOB into a serial port.
> 
> If the s/w is on a USB key, then someone could potentially copy the s/w 
> without your knowledge. This would create secret duplicate key FOB.
> 
> If I remember right, the FOBs do not have a replaceable battery. The 
> entire thing is sealed to prevent possible intrusions.
> 
> A USB key would need an app on the user's computer to be able to read 
> the FOB. With a value you key in, any machine with a Web browser could 
> be used.
> 
> > I understand it works by having a clock synched with the server to
> > change passwords every 30 seconds or so.
> 
> Yes that is how it works. And the server also allows the previous/next 
> password within a short window, in case the roll over is not exactly 
> synched.

Often it also requires a user-known password in addition to the number on 
the fob, to ensure that just stealing the fob itself isn't enough to 
enable unauthorized users to get access.


-- 
/~\ The ASCII
\ / Ribbon Campaign
 X  Against HTML
/ \ Email!

Remove the ns_ from if replying by e-mail (but keep posts in the 
newsgroups if possible).
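
The two server-side checks described in this thread (accepting the previous/next code in case of clock drift, and requiring a password as well as the fob number), as an added example that is not part of the original posts. It uses the public RFC 6238 TOTP algorithm as a stand-in for whatever a particular fob implements; the function names, 6-digit length, replay check, PBKDF2 settings and sample seed are assumptions.

```python
import hashlib
import hmac
import struct

STEP = 30    # seconds per code ("every 30 seconds or so" in the thread)
DIGITS = 6   # assumed display length
WINDOW = 1   # also accept the previous and the next time step

def totp(seed: bytes, counter: int) -> str:
    """RFC 6238/4226 code for one time step (HMAC-SHA1, dynamic truncation)."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)

def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class Account:
    """Server-side record: fob seed, salted password hash, last accepted step."""
    def __init__(self, seed: bytes, password: str, salt: bytes):
        self.seed = seed
        self.salt = salt
        self.pw_hash = hash_password(password, salt)
        self.last_step = -1  # highest time step already used for a login

def verify(acct, password, code, now, window=WINDOW):
    """True only if the password AND a fob code inside the window both match."""
    pw_ok = hmac.compare_digest(hash_password(password, acct.salt), acct.pw_hash)
    current = int(now) // STEP
    matched = None
    # Check every step in the window; skip steps at or before the last one used.
    for step in range(current - window, current + window + 1):
        if step > acct.last_step and hmac.compare_digest(totp(acct.seed, step), code):
            matched = step
    # Both factors are evaluated before deciding, so the result does not
    # reveal which one failed.
    if pw_ok and matched is not None:
        acct.last_step = matched  # the same code cannot be replayed
        return True
    return False

# Constructed sample data: the ASCII seed used by the RFC 6238 test vectors.
SEED = b"12345678901234567890"
```

Tracking `last_step` is what makes the password "one time" on the server side: without it, a code read off the display stays valid for the whole acceptance window.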


Thread

OTP one time password "Roedy Green" <roedy.green@THRWHITE.remove-dii-this> - 2011-04-27 16:08 +0000
  Re: OTP one time password "Wojtek" <wojtek@THRWHITE.remove-dii-this> - 2011-04-27 16:08 +0000
    Re: OTP one time password "David Kerber" <david.kerber@THRWHITE.remove-dii-this> - 2011-04-27 16:08 +0000
