The something you have authentication factor refers to something you can physically hold. If you’re planning to take the Security+ exam, you should have a basic understanding of appropriate authentication factors. This includes using one-time passwords.
For example, can you answer this question?
Q. Your organization is planning to implement remote access capabilities. Management wants strong authentication and wants to ensure that passwords expire after a predefined time interval. Which of the following choices BEST meets this requirement?
A. HOTP
B. TOTP
C. CAC
D. Kerberos
More importantly, do you know why the correct answer is correct and the incorrect answers are incorrect? The answer and explanation are available at the end of this post.
Tokens or Key Fobs
A token or key fob (sometimes simply called a fob) is an electronic device about the size of a remote key for a car. You can easily carry them in a pocket or purse, or connect them to a key chain. They include a liquid crystal display (LCD) that displays a number that changes periodically, such as every 60 seconds. To differentiate them from logical tokens, they are sometimes called hardware tokens.
The token is synced with a server that knows what the number is at any moment. For example, at 9:01, the number displayed on the token may be 135792 and the server knows the number is 135792. At 9:02, the displayed number changes to something else and the server also knows the new number.
This number is a one-time use, rolling password. It isn’t useful to attackers for very long, even if they can discover it. For example, a shoulder surfing attacker may be able to look over someone’s shoulder and read the number. However, the number expires within the next 60 seconds and is replaced by another one-time password.
Users often use tokens to authenticate via a web site. They enter the number displayed in the token along with their username and password. This provides dual-factor authentication because the user must have something (the token) and know something (their password).
RSA sells RSA SecurID, a popular token used for authentication. You can Google “SecurID picture” to view many pictures of these tokens. Although RSA tokens are popular, other brands are available.
USB tokens include a USB connector and a smart chip. The smart chip typically stores a certificate similar to how smart cards store a certificate. In addition to being used for authentication, the embedded certificate supports the use of digital signatures.
HMAC-based One-Time Passwords
HMAC-based One-Time Password (HOTP) is an open standard used for creating one-time passwords, similar to those used in tokens or key fobs. The algorithm combines a secret key and an incrementing counter, and then uses HMAC to create a hash of the result. It then converts the result into an HOTP value of six to eight digits.
Imagine Bart needs to use HOTP for authentication. He requests a new HOTP number using a token or a software application. He can then use this number for authentication along with some other authentication method, such as a username and password. As soon as he uses it, the number expires. No one else is able to use it, and Bart cannot use it again either.
Here’s an interesting twist, though. A password created with HOTP remains valid until it’s used. Suppose Bart requested the HOTP number but then got distracted and never used it. What happens now? Theoretically, it remains usable forever. This presents a risk related to HOTP because other people can use the password if they discover it.
Time-based One-Time Passwords
A Time-based One-Time Password (TOTP) is similar to HOTP, but it uses a timestamp instead of a counter. Moreover, one-time passwords created with TOTP expire after 30 seconds.
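The HOTP and TOTP algorithms described above, as an added example that is not from the original post: a Python implementation of RFC 4226 HOTP (HMAC-SHA1 over the counter, then dynamic truncation to six to eight digits) and RFC 6238 TOTP (the same function with the counter replaced by the number of 30-second steps), plus a small server-side check. The HotpVerifier class and its 5-code look-ahead window are my own construction, and the 20-byte secret is the RFC test-vector key, not a real credential; the verifier shows that an HOTP code is accepted only once and that a generated-but-unused code stops being accepted once a later code has been consumed.

```python
import hashlib
import hmac
import struct
import time

# Constructed test key: the 20-byte ASCII secret from the RFC 4226/6238 test vectors, not a real credential.
RFC_TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # low nibble of the last byte picks the 4-byte window
    code = ((mac[offset] & 0x7F) << 24
            | mac[offset + 1] << 16
            | mac[offset + 2] << 8
            | mac[offset + 3])
    return str(code % 10 ** digits).zfill(digits)  # keep leading zeros so the code is always `digits` long


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP where the counter is the number of 30-second steps since the Unix epoch."""
    return hotp(secret, unix_time // step, digits)


class HotpVerifier:
    """Assumed server-side check (my construction): accepts each counter value at most once and only
    within a look-ahead window, so a generated-but-unused code is not valid forever."""

    def __init__(self, secret: bytes, look_ahead: int = 5) -> None:
        self.secret = secret
        self.next_counter = 0          # first counter the server is still willing to accept
        self.look_ahead = look_ahead

    def verify(self, code: str) -> bool:
        for c in range(self.next_counter, self.next_counter + self.look_ahead):
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.next_counter = c + 1   # consume this and every earlier unused counter
                return True
        return False                        # unknown, replayed, or outside the window


if __name__ == "__main__":
    print("HOTP counter 0:", hotp(RFC_TEST_SECRET, 0))      # 755224 per RFC 4226
    print("TOTP now      :", totp(RFC_TEST_SECRET, int(time.time())))
```

Note that the TOTP code at Unix time 59 equals the HOTP code for counter 1, because 59 // 30 == 1: the two standards differ only in where the counter comes from.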
One significant benefit of HOTP and TOTP is price. Hardware tokens that use these open standards are significantly less expensive than tokens that use proprietary algorithms. Additionally, many software applications use these algorithms, and they are freely available.
For example, the following figure shows the free VIP Access app created by Symantec and running on an iPad. It’s also available for many other tablets and smartphones. Once you configure it to work with a compatible authentication server, it creates a steady stream of one-time use passwords. The six-digit security code is the password, and the countdown lets you know how much more time you have before it changes again.
VIP Access app
Similar to a hardware token, the user enters a username and password as the something you know factor, and then enters the security code from the app as the something you have factor. This provides dual-factor authentication. Many public web sites like eBay and PayPal support it, allowing many end users to implement dual-factor authentication as long as they have a smartphone or tablet device.
Remember this
HOTP and TOTP are both open standards used to create one-time use passwords. HOTP creates a one-time use password that does not expire. TOTP creates a one-time password that expires after 30 seconds.
Q. Your organization is planning to implement remote access capabilities. Management wants strong authentication and wants to ensure that passwords expire after a predefined time interval. Which of the following choices BEST meets this requirement?
A. HOTP
B. TOTP
C. CAC
D. Kerberos
The answer is B. A Time-based One-Time Password (TOTP) meets this requirement. Passwords created with TOTP expire after 30 seconds.
HMAC-based One-Time Password (HOTP) creates passwords that do not expire.
A Common Access Card (CAC) is a type of smart card, but it does not create passwords.
Kerberos uses tickets instead of passwords.
You might like to view the CAC, PIV, and Smart Card blog post to learn more about the something you have factor of authentication.