A One Time Password (OTP) is a password that is valid for only one login session or transaction. It avoids several of the risks of conventional, reusable passwords, and the mechanism described here is also used to detect phishing attacks.
The user is authenticated with an encrypted security code, which is delivered on demand over a reliable communication channel.
Accordingly, the user database on the server side maps each user's login name to the corresponding contact identity.
When a user wants to access the website, the server sends an encrypted security code to the user over that communication channel.
On receipt of the encrypted security code, the user decrypts it and then logs in with it.
The security code is encrypted with the private key and decrypted with the public key; the decryption is performed on the user's side.
Registration, handled by the administrative process, involves the following steps.
The user chooses a login name and fills in all required information fields, including at least one form of personal contact information (an e-mail address or a mobile number).
The website lists all the services it can use to deliver the security code, so that the user can choose the preferred one.
A security question is optional; whether one is used depends on the website provider's policy and the user's preference.
How to implement the One Time Password mechanism?
A validation page is sent to the customer. The page shows the login name as the website will use it.
The customer's login name may be new to the website. In that case, the server asks the customer for permission to add the login name to the website's contact list.
Once the login name has been approved by both the website and the customer, the website sends an account validation message to the user over the designated communication channel.
Next, the user starts the actual login process by opening the login page, which contains an input field for the customer's login name and a CAPTCHA test.
If the website does not recognize the user's login name, a page saying so must be displayed.
When the login name is valid, the website looks up the customer's registered account and sends an acknowledgement message to that account.
If the acknowledgement message is valid, the customer enters the assigned security code on the input page.
On receipt of the security code, the website verifies it. It also checks that the customer submits the security code from exactly the same IP address as the one from which the login was requested.
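The server side of the login flow just described (look up the registered contact, issue a code over the out-of-band channel, then verify the submitted code) can be sketched as follows. This is an added Python example, not code from the original article. It assumes a six-digit numeric code, a 30-second lifetime (the article says only "a few seconds"), and an in-memory outbox standing in for the real SMS or e-mail delivery; the key-pair encryption of the code described earlier is omitted, so the code travels in clear over the assumed trusted channel. The verify step enforces the three properties the article relies on: the code is single-use, it expires quickly, and it must be submitted from the same IP address that requested the login.

```python
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Callable, Optional

# Assumed parameters (not specified by the article beyond "a few seconds").
CODE_LIFETIME_SECONDS = 30
CODE_DIGITS = 6


@dataclass
class PendingLogin:
    """An outstanding one-time code, bound to the IP that asked for it."""
    code: str
    issued_at: float
    request_ip: str


@dataclass
class OtpServer:
    # Registration result: login name -> delivery contact (e-mail or mobile number).
    contacts: dict[str, str]
    # Login name -> outstanding code; a login name has at most one at a time.
    pending: dict[str, PendingLogin] = field(default_factory=dict)
    # Messages "sent" over the out-of-band channel; captured here instead of sending SMS/e-mail.
    outbox: list[tuple[str, str]] = field(default_factory=list)
    # Injectable clock so expiry can be exercised deterministically.
    clock: Callable[[], float] = time.time

    def request_login(self, login_name: str, request_ip: str) -> Optional[str]:
        """Login page step: the user has submitted a login name (and passed the CAPTCHA).

        Unknown login names get None, which the caller turns into the
        'login name not recognized' page. Otherwise a fresh code is generated
        with a CSPRNG and queued for delivery to the registered contact.
        """
        contact = self.contacts.get(login_name)
        if contact is None:
            return None
        code = "".join(secrets.choice("0123456789") for _ in range(CODE_DIGITS))
        self.pending[login_name] = PendingLogin(code, self.clock(), request_ip)
        self.outbox.append((contact, code))
        return contact

    def verify(self, login_name: str, submitted_code: str, submit_ip: str) -> str:
        """Input page step: check the submitted code against the outstanding one.

        The pending entry is consumed before any check, so a code can be
        tried exactly once whatever the outcome (no guessing against one code).
        """
        entry = self.pending.pop(login_name, None)
        if entry is None:
            return "no_pending_request"
        if self.clock() - entry.issued_at > CODE_LIFETIME_SECONDS:
            return "expired"
        if submit_ip != entry.request_ip:
            return "ip_mismatch"          # article: must be the same IP as the login request
        if not hmac.compare_digest(entry.code, submitted_code):
            return "bad_code"             # constant-time comparison
        return "ok"


class FakeClock:
    """Manually advanced clock used by run_example() to show code expiry."""
    def __init__(self, now: float = 1_000.0) -> None:
        self.now = now

    def __call__(self) -> float:
        return self.now


def run_example() -> list[str]:
    """Walk through the outcomes a deployment would see; returns them in order."""
    clock = FakeClock()
    # Constructed sample registration data.
    srv = OtpServer(contacts={"alice": "+1-555-0100"}, clock=clock)
    results: list[str] = []

    # Normal login: code issued and submitted from the same IP within the lifetime.
    srv.request_login("alice", "10.0.0.5")
    _, code = srv.outbox[-1]
    results.append(srv.verify("alice", code, "10.0.0.5"))          # ok
    results.append(srv.verify("alice", code, "10.0.0.5"))          # no_pending_request (single-use)

    # Code submitted from a different IP than the one that requested the login.
    srv.request_login("alice", "10.0.0.5")
    _, code = srv.outbox[-1]
    results.append(srv.verify("alice", code, "10.0.0.9"))          # ip_mismatch

    # Code submitted after its lifetime has elapsed.
    srv.request_login("alice", "10.0.0.5")
    _, code = srv.outbox[-1]
    clock.now += CODE_LIFETIME_SECONDS + 1
    results.append(srv.verify("alice", code, "10.0.0.5"))          # expired
    return results


if __name__ == "__main__":
    print(run_example())
```

A production deployment would keep the pending table in shared storage with a TTL, rate-limit request_login per login name and per source address, and log every non-"ok" outcome, since a burst of ip_mismatch or bad_code results for one account is the signal the article's security analysis expects a spoofing or interception attempt to produce.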
Security analysis of One Time Password mechanism
Besides phishing, this system guards against several other attacks. The following are attacks that trouble websites:
(i) Denial of service attack
A denial of service attack can be launched against any part of the Internet connectivity and network infrastructure.
The website authenticates the customer by asking him/her to enter the security code that the website has already assigned.
The customer authenticates the website by first checking the sender of the acknowledgement message.
(ii) IP Spoofing
In IP spoofing, the target computer receives attack traffic that appears to originate from its own address, because the attacker fakes the source IP address. This can cause an operating system such as Windows to crash or lock up.
This mechanism restricts the locations from which an IP spoofing attack can be launched. If the attacker uses the same IP address as the user on the same local network at the same time, the user can detect it.
The lifetime of the security code is only a few seconds, so it is not possible for the attacker to log in to the protected website via the same IP address.
(iii) Server spoofing
On Windows 95 stations, LANMAN authentication can be requested from the client by running the C2MYAZZ utility, which an attacker uses to his advantage by posing as the server during the user's login session.
If the attacker succeeds in tricking the client, he will be able to read the user's login details from the network packets.
This solution does not require a preset password to log in, and thereby avoids password theft.
(iv) Man in the middle attack
An attacker may watch a session being opened on a network. Once authentication is complete, he might attack the client system to disable it, then use IP spoofing to claim to be the client who was just authenticated and take over the session.
In this solution, suppose the attacker discovers both the customer's web account name and the security code for the current session.
Since the life span of the security code is very short, it would be of little use to the attacker.
Many organizations implement two-factor authentication on user accounts by relying on one-time passcodes sent via SMS.
The One Time Password approach would be deployed on websites requiring a high level of security. It would ultimately help to retain customers' confidence in web-based commerce. This constitutes the website phishing detection mechanism.