Orcs in space, with one time passwords

My oldest son recently attended a games design summer camp (for 5-6 graders) and one of their tasks was to design a StarCraft level. As a result he became quite addicted to StarCraft, as did my middle son. It’s very interesting watching your children take to a computer game that is older than they are.

So I was looking around the Blizzard site trying to find out when StarCraft 2 is going to be released, and I came across this, a one-time-password authentication token for securing your on-line game account for the various Blizzard games. It doesn’t explicitly say it, but I am guessing it’s SecurID, although there is the possibility it is an OATH-based system.

I am sure that only a small percentage of gamers use it, but I was pretty impressed. Many financial sites still don’t offer OTP protection, but you can get it for your on-line gaming account.

It’s all a matter of consumer priorities, I guess.

Is there a security expert on-board the aircraft?

Here is an interesting strong AuthN application: inbound aircraft. Apparently Israel is going to roll out a strong AuthN system to verify the identity of the pilots of inbound aircraft. Details are sketchy, but apparently the pilots will carry some kind of OTP device. When challenged they must provide an OTP or be denied entry. Planes that approach after being denied entry will, apparently, be shot down.

This is intended to prevent a 9/11 style attack. There is speculation that there will be a mayday code that the pilots could use in a “gun to the head” scenario. Such a situation certainly presents some grim choices to the pilot. A hijacker who doesn’t want anyone to know about the hijacking is certainly not interested in negotiating a solution.

I assume that there would have to be some sort of pilot PIN to unlock the OTP. That leads me to imagine a wild Airport-esque plot where the plucky passenger-hero has to guess the pilot’s PIN to land the aircraft.

Consumer Keystroke Logger

Have passwords just been rendered unsafe for enterprises because of this? Keystroke loggers have been discussed in security circles for a while now but this is different. Previously you needed admin access to the box, or you had to physically hack into the keyboard internals.

If I understand the description, for just $200 someone with no particular computer expertise can discover any password typed into a specific computer. All he needs is unsupervised access to the physical box. Anyone who can enter a workplace off hours, or just be the first or last one there, can easily install this on a computer and start collecting passwords.

I can’t see any real defense for this while relying on passwords alone. The only defense I can think of is to add OTP or biometric authentication to all office computers. Given all the issues around biometrics, an OTP is probably the best option.

One could even suspect EMC of being secretly behind this. Just kidding. Sort of.

No, really, I’m joking.

New OATH Reference Architecture

OATH has released an updated version (2.0) of the OATH Reference Architecture. The Reference Architecture is a blueprint for an identity framework built with strong authentication in mind. If you are interested in identity management in general or strong authentication in particular you might find this interesting. The press release is here. You can get the reference architecture here (registration required).

