From: "David Kerber"
Subject: Re: OTP one time password
Newsgroups: comp.lang.java.security
Date: Wed, 27 Apr 2011 16:08:32 GMT

In article , nowhere@a.com says...
> Roedy Green wrote :
> > I am curious about OTP fobs. My sister said they use them at work.
> > She said she has to key a number that displays on the fob. This
> > strikes me as unnecessary and just a source of error. Surely the fob
> > could insert the password, but then why bother with the display?
> >
> > Is there some reason for keying it? Is it just lazy software writing?
>
> You are thinking of USB?
>
> I can think of some reasons.
>
> Legacy - When these were invented, USB did not exist. And it would be
> really awkward to plug the FOB into a serial port.
>
> If the s/w is on a USB key, then someone could potentially copy the s/w
> without your knowledge. This would create a secret duplicate key FOB.
>
> If I remember right, the FOBs do not have a replaceable battery. The
> entire thing is sealed to prevent possible intrusions.
>
> A USB key would need an app on the user's computer to be able to read
> the FOB. With a value you key in, any machine with a Web browser could
> be used.
>
> > I understand it works by having a clock synched with the server to
> > change passwords every 30 seconds or so.
>
> Yes that is how it works. And the server also allows the previous/next
> password within a short window, in case the roll over is not exactly
> synched.

Often it also requires a user-known password in addition to the number on
the fob, to ensure that just stealing the fob itself isn't enough to
enable unauthorized users to get access.

--
/~\ The ASCII
\ / Ribbon Campaign
 X  Against HTML
/ \ Email!

Remove the ns_ from if replying by e-mail (but keep posts in the
newsgroups if possible).
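
The time-window check described in this thread, as an added example that is not part of the original post: a server-side verifier that accepts the previous, current or next 30-second code and refuses a code it has already accepted. It assumes RFC 6238 TOTP (HMAC-SHA1, 6 digits) as a stand-in, since the thread does not say which algorithm the fobs use; the class name, `WINDOW`, `lastUsed` and the sample key (the RFC 6238 test key) are choices made for the example.

```java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;

public class TotpWindowDemo {
    static final int STEP_SECONDS = 30; // code changes every 30 s, as in the thread
    static final int WINDOW = 1;        // assumption: accept one step either side of "now"

    // RFC 6238 TOTP (HMAC-SHA1, 6 digits); a vendor fob may use a different algorithm.
    static String codeAt(byte[] secret, long counter) throws GeneralSecurityException {
        Mac mac = Mac.getInstance("HmacSHA1");
        mac.init(new SecretKeySpec(secret, "HmacSHA1"));
        byte[] h = mac.doFinal(ByteBuffer.allocate(8).putLong(counter).array());
        int off = h[h.length - 1] & 0x0f; // dynamic truncation (RFC 4226)
        int bin = ((h[off] & 0x7f) << 24) | ((h[off + 1] & 0xff) << 16)
                | ((h[off + 2] & 0xff) << 8) | (h[off + 3] & 0xff);
        return String.format("%06d", bin % 1_000_000);
    }

    // Returns the time step whose code matched, or -1 if none did.
    // lastUsed is the last step already accepted for this user; steps at or
    // before it are rejected so a code seen over the shoulder cannot be replayed.
    static long verify(byte[] secret, String typed, long nowSeconds, long lastUsed)
            throws GeneralSecurityException {
        byte[] given = typed.getBytes(StandardCharsets.US_ASCII);
        long current = nowSeconds / STEP_SECONDS;
        long matched = -1;
        for (long c = current - WINDOW; c <= current + WINDOW; c++) {
            byte[] expected = codeAt(secret, c).getBytes(StandardCharsets.US_ASCII);
            // MessageDigest.isEqual avoids a data-dependent early exit in the comparison
            if (c > lastUsed && MessageDigest.isEqual(expected, given)) matched = c;
        }
        return matched;
    }

    public static void main(String[] args) throws GeneralSecurityException {
        // Constructed sample: RFC 6238 test key, fob clock reading t=59 (step 1).
        byte[] secret = "12345678901234567890".getBytes(StandardCharsets.US_ASCII);
        String typed = codeAt(secret, 59 / STEP_SECONDS);
        System.out.println("fob shows:                " + typed);
        System.out.println("server one step ahead:    " + verify(secret, typed, 61, -1));
        System.out.println("same code replayed:       " + verify(secret, typed, 61, 1));
        System.out.println("server three steps ahead: " + verify(secret, typed, 125, -1));
    }
}
```

The user-known password mentioned in the reply is checked separately from this code, and the caller stores the returned step as the new `lastUsed` after a successful login.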