The something you have authentication factor refers to something you can physically hold. If you’re planning to take the Security+ exam, you should have a basic understanding of appropriate authentication factors. This includes using one-time passwords.
For example, can you answer this question?
Q. Your organization is planning to implement remote access capabilities. Management wants strong authentication and wants to ensure that passwords expire after a predefined time interval. Which of the following choices BEST meets this requirement?
A. HOTP
B. TOTP
C. CAC
D. Kerberos
More, do you know why the correct answer is correct and the incorrect answers are incorrect? The answer and explanation is available at the end of this post.
Tokens or Key Fobs
A token or key fob (sometimes simply called a fob) is an electronic device about the size of a remote key for a car. You can easily carry them in a pocket or purse, or connect them to a key chain. They include liquid crystal display (LCD) that displays a number that changes periodically, such as every 60 seconds. To differentiate them from logical tokens, they are sometimes called hardware tokens.
The token is synced with a server that knows what the number is at any moment. For example, at 9:01, the number displayed on the token may be 135792 and the server knows the number is 135792. At 9:02, the displayed number changes to something else and the server also knows the new number.
This number is a one-time use, rolling password. It isn’t useful to attackers for very long, even if they can discover it. For example, a shoulder surfing attacker may be able to look over someone’s shoulder and read the number. However, the number expires within the next 60 seconds and is replaced by another one-time password.
Users often use tokens to authenticate via a web site. They enter the number displayed in the token along with their username and password. This provides dual-factor authentication because the user must have something (the token) and know something (their password).
RSA sells RSA Secure ID, a popular token used for authentication. You can Google “Secure ID picture” to view many pictures of these tokens. Although RSA tokens are popular, other brands are available.
USB tokens include a USB connector and a smart chip. The smart chip typically stores a certificate similar to how smart cards store a certificate. In addition to being used for authentication, the embedded certificate supports the use of digital signatures.
The 601 Version of the Study Guide
The CompTIA Security+: Get Certified Get Ahead: SY0-601 Study GuideEach of the eleven chapters presents topics in an easy to understand manner and includes real-world examples of security principles in action.
You’ll understand the important and relevant security topics for the Security+ exam, without being overloaded with unnecessary details. Additionally, each chapter includes a comprehensive review section to help you focus on what’s important.
Over 300 realistic practice test questions with in-depth explanations will help you test your comprehension and readiness for the exam. The book includes:
- A 75 question pre-test
- A 75 question post-test
- Practice test questions at the end of every chapter.
Each practice test question includes a detailed explanation to help you understand the content and the reasoning behind the question. You’ll be ready to take and pass the exam the first time you take it.
If you plan to pursue any of the advanced security certifications, this guide will also help you lay a solid foundation of security knowledge. Learn this material, and you’ll be a step ahead for other exams. This SY0-601 study guide is for any IT or security professional interested in advancing in their field, and a must-read for anyone striving to master the basics of IT security.
HMAC-based One-Time Passwords
HMAC-based One-Time Password (HOTP) is an open standard used for creating one-time passwords, similar to those used in tokens or key fobs. The algorithm combines a secret key and an incrementing counter, and then uses HMAC to create a hash of the result. It then converts the result into an HOTP value of six to eight digits.
Imagine Bart needs to use HOTP for authentication. He requests a new HOTP number using a token or a software application. He can then use this number for authentication along with some other authentication method, such as a username and password. As soon as he uses it, the number expires. No one else is able to use it, and Bart cannot use it again either.
Here’s an interesting twist, though. A password created with HOTP remains valid until it’s used. Suppose Bart requested the HOTP number but then got distracted and never used it. What happens now? Theoretically, it remains usable forever. This presents a risk related to HOTP because other people can use the password if they discover it.
Time-based One-Time Passwords
A Time-based One-Time Password (TOTP) is similar to HOTP, but it uses a timestamp instead of a counter. Moreover, one-time passwords created with TOTP expire after 30 seconds.
One significant benefit of HOTP and TOTP is price. Hardware tokens that use these open source standards are significantly less expensive than tokens that use proprietary algorithms. Additionally, many software applications use these algorithms and they are freely available.
For example, the following figure shows the free VIP Access app created by Symantec and running on an iPad. It’s also available for many other tablets and smartphones. Once you configure it to work with a compatible authentication server, it creates a steady stream of one-time use passwords. The six-digit security code is the password, and the counter lets you know how much more time you have before it changes again.
VIP Access app
Similar to a hardware token, the user enters a username and password as the something you know factor, and then enters the security code from the app as the something you have factor. This provides dual-factor authentication. Many public web sites like eBay and PayPal support it, allowing many end users to implement dual-factor authentication as long as they have a smartphone or tablet device.
Remember this
HOTP and TOTP are both open source standards used to create one-time use passwords. HOTP creates a one-time use password that does not expire. TOTP creates a one-time password that expires after 30 seconds.
Q. Your organization is planning to implement remote access capabilities. Management wants strong authentication and wants to ensure that passwords expire after a predefined time interval. Which of the following choices BEST meets this requirement?
A. HOTP
B. TOTP
C. CAC
D. Kerberos
Answer is B. A Time-based One-Time Password (TOTP) meets this requirement. Passwords created with TOTP expire after 30 seconds.
HMAC-based One-Time Password (HOTP) creates passwords that do not expire.
A Common Access Card (CAC) is a type of smart card, but it does not create passwords.
Kerberos uses tickets instead of passwords.
You might like to view the CAC, PIV, and Smart Card blog post to learn more about Something You Have factor of authentication.
