S 5.34 Use of one-time passwords
Initiation responsibility: Administrator, IT Security Officer
Implementation responsibility: Administrator
It is relatively easy to intercept passwords in networks where the passwords are transmitted in unencrypted form. In addition, implementation or protocol errors in the operating system and application software may even lead to encrypted passwords being compromised.
For these reasons, the use of one-time passwords is recommended, i.e. passwords that must be changed after just one use. One-time passwords can be generated using software or hardware.
When one-time passwords are used, the user generates the one-time password on the local IT system or with a token, or reads it from a list that was generated by the remote IT system and must be stored securely. The remote IT system then verifies the one-time password and must not accept the same password a second time.
Tokens that generate one-time passwords are small, portable hardware components. They can come in the form of smart cards or devices that are similar to pocket calculators, for example. The user must first authenticate himself/herself to the token. After user authentication is complete, the token either authenticates itself automatically to the server or shows the user the one-time password to be entered on the client.
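The generate-and-verify procedure described above, as an added example that is not part of the safeguard text: the token (or local IT system) and the remote IT system share a secret and derive each password from a counter using HMAC (the HOTP construction of RFC 4226). The server side records the last counter it accepted, so a password that has been used once is rejected on replay; the list generator shows the "printed list" variant. Class and function names and the look-ahead window size are assumptions chosen for the example.

```python
import hashlib
import hmac
import secrets
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """One-time password for a given counter (RFC 4226): HMAC-SHA1 over the
    8-byte big-endian counter, dynamic truncation, reduced to `digits` decimals."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def generate_list(secret: bytes, start: int, count: int) -> list:
    """The 'list generated by the remote IT system' variant: the server prints
    `count` consecutive passwords for the user to keep in a secure place."""
    return [hotp(secret, c) for c in range(start, start + count)]


class OtpToken:
    """The user's token or local generator: holds the shared secret and its
    own counter, which advances every time a password is produced."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.counter = 0

    def next_password(self) -> str:
        pw = hotp(self.secret, self.counter)
        self.counter += 1
        return pw


class OtpServer:
    """The remote IT system: stores the shared secret and the last counter it
    accepted, so each password is valid at most once."""

    def __init__(self, secret: bytes, look_ahead: int = 5):
        self.secret = secret
        self.last_counter = -1          # nothing accepted yet
        self.look_ahead = look_ahead    # tolerance for unused token presses

    def verify(self, candidate: str) -> bool:
        # Only counters strictly after the last accepted one are candidates;
        # this is what makes every password single-use.
        first = self.last_counter + 1
        for c in range(first, first + self.look_ahead):
            if hmac.compare_digest(hotp(self.secret, c), candidate):
                self.last_counter = c   # burn this counter and all earlier ones
                return True
        return False


def demo() -> tuple:
    """Enrol a token and server with a fresh shared secret, log in once,
    then try to replay the same password. Returns (first_ok, replay_ok)."""
    secret = secrets.token_bytes(20)
    token, server = OtpToken(secret), OtpServer(secret)
    pw = token.next_password()
    first_ok = server.verify(pw)
    replay_ok = server.verify(pw)   # must be False: already used once
    return first_ok, replay_ok


if __name__ == "__main__":
    print(demo())   # (True, False)
```

The look-ahead window is the usual compromise between usability (a token pressed without a login does not lock the user out) and the size of the guessing space an attacker gets per attempt; keep it small and combine it with a lockout after repeated failures.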
Since more and more sensitive information is only protected against unauthorised access using passwords, one-time password systems and hardware-based authentication methods are becoming increasingly important.
Many hardware-based systems also offer options for using single sign-on solutions. When single sign-on procedures are used, the users are not required to log in to every IT system or every application using a different password. Instead, the users log in to one IT system or a special portal and can then use additional applications or IT systems without having to authenticate themselves manually every time.
The use of hardware-based one-time password systems also makes many of the rules in safeguard S 2.11 Provisions governing the use of passwords, which need to be followed by every user, unnecessary, because they are enforced implicitly by the one-time password system.
Review questions:
- Has it been ensured that no reusable passwords are transmitted over the network in unencrypted form?