The Thing About One-Time Passwords... It Is Not Secure Enough
An OTP, or one-time password, has become quite the fashion these days. There are many ways to generate OTPs, and a swarm of security companies has sprung up, each offering a different variant of one-time password technology.
This is not surprising, as even Google has adopted OTPs to protect Google Docs users and its other access points against phishing.
And the herd mentality follows.
No doubt, OTP-based two-factor authentication is far more secure than single-factor authentication, and it is also cheap to deploy.
But is it really secure enough to thwart dedicated attackers who have broken into highly secured government and defense enterprises running far stronger protections?
I do not think so.
An OTP is vulnerable for the same reason the first factor is: it is typed into the same device on which the username and password are entered, so a compromise of that device exposes both factors.
For example, if a victim's computer is already infected with a keylogger or other malware that can record what the victim types and also act on the victim's activity, even a one-time password fails.
The following scenario shows how the attack works:
The victim enters the username and password and clicks on the button to generate the one time password. The OTP either appears on a proprietary device or is sent as an SMS to their cellphone.
The page where the victim enters the first-factor credentials is already being watched, and the username and password are captured as they are typed. The victim then enters the OTP in the field provided; the malware detects this, records the OTP as well, and disconnects the victim before the submission reaches the site.
At this point the malware holds both factors.
This information can now be used by the hacker to access the victim's account from another computer, and switch off the two factor authentication option as well as change the first factor credentials - the username and password.
By the time all this happens and the victim connects and tries to sign in again, he cannot as his account has already been hijacked.
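To make the scenario concrete, here is a small Python simulation added for this article (it is not code from the original post): a standard RFC 6238 TOTP generator, a server that accepts each code only once and tolerates one step of clock skew, and a relay_attack function that plays the malware's part. The user name, password, clock values and 30-second step are constructed for the example; the shared secret is the RFC 6238 test-vector key, not a real credential.

```python
import hashlib
import hmac
import struct

# Constructed demo values: this is the RFC 6238 test-vector secret, not a
# real credential, and the user record below is made up for the example.
SHARED_SECRET = b"12345678901234567890"
TIME_STEP = 30      # seconds per TOTP counter step
DIGITS = 6


def totp(secret: bytes, unix_time: int) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time counter, dynamically truncated."""
    counter = unix_time // TIME_STEP
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** DIGITS).zfill(DIGITS)


class Server:
    """Two-factor login server: password first, then a TOTP code.

    It records the highest counter step it has accepted per user so the same
    code cannot be used twice. Like any real server, it cannot tell whose
    keyboard the code came from."""

    def __init__(self, users):
        self.users = users            # username -> (password, totp secret)
        self.last_counter = {}        # username -> last accepted counter step

    def login(self, username: str, password: str, otp: str, now: int) -> bool:
        record = self.users.get(username)
        if record is None or not hmac.compare_digest(record[0].encode(), password.encode()):
            return False
        secret = record[1]
        counter = now // TIME_STEP
        # Accept the current step and the previous one to tolerate clock skew
        for step in (counter, counter - 1):
            if step <= self.last_counter.get(username, -1):
                continue                       # this step was already spent
            if hmac.compare_digest(totp(secret, step * TIME_STEP), otp):
                self.last_counter[username] = step
                return True
        return False


def relay_attack(server: Server, username: str, password: str,
                 secret: bytes, now: int, attacker_delay: int):
    """Simulate the scenario described in the article.

    At time `now` the victim types username, password and the OTP. Malware on
    the victim's machine records all three and drops the connection, so the
    victim's own submission never reaches the server. The attacker replays the
    captured values from another machine `attacker_delay` seconds later; the
    victim then reconnects and retries with the code still on screen.
    Returns (attacker_logged_in, victim_logged_in)."""
    victim_code = totp(secret, now)                 # what the victim typed
    captured = (username, password, victim_code)    # what the malware stole
    attacker_ok = server.login(*captured, now=now + attacker_delay)
    victim_ok = server.login(username, password, victim_code,
                             now=now + attacker_delay + 1)
    return attacker_ok, victim_ok


if __name__ == "__main__":
    users = {"alice": ("correct horse", SHARED_SECRET)}
    t0 = 1111111109   # fixed clock so the run is reproducible
    print(totp(SHARED_SECRET, t0))                     # the code Alice sees
    # Attacker replays within seconds: the server accepts, Alice is locked out
    print(relay_attack(Server(users), "alice", "correct horse", SHARED_SECRET, t0, 5))
    # Attacker waits 90 s: the code has expired and the replay fails
    print(relay_attack(Server(users), "alice", "correct horse", SHARED_SECRET, t0, 90))
```

Run as a script, it prints the victim's code, then (True, False) for an attacker who replays within five seconds: the attacker is in, and the victim's retry with the same code is refused because the server has already spent that step. The one-time check does not rescue the victim; it only guarantees that whoever submits first wins, and the malware makes sure that is the attacker. The second run, with a 90-second delay, prints (False, False) and shows why the malware disconnects the victim immediately: a captured code is worth nothing once its validity window has passed, so the whole attack has to happen in real time.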
Other social engineering scenarios achieve the same result, such as a phone call that draws the victim away from the computer just before clicking the sign-in button, leaving the freshly entered credentials and OTP for the malware to use.
People who write sophisticated malware know many more tricks that defeat what OTP security solutions offer.