A bank is evaluating two models of one-time password tokens for multi-factor authentication. Both models have a button, an LCD, volatile memory, and a battery, but no keypad. Model A uses a non-replaceable battery, while the battery of Model B must be replaced in three minutes if the low battery. Which of the following token types is most likely implemented by Model A? (Source: Wentz QOTD)
A. Static password token
B. Synchronous dynamic password token
C. Asynchronous password token
D. Challenge-response token
Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.
My suggested answer is B. Synchronous dynamic password token.
(Both B. Synchronous dynamic password token and C. Asynchronous password token may fit the description of the question, as it depends on product implementation. The suggested answer is the author’s best guess.)
- An LCD implies the token generates one-time passwords dynamically, so static password token can be ruled out.
- A keypad implies the token can support PIN code protection and challenge/response operations, so the challenge-response token can be eliminated.
- Volatile memory implies no counter or no counter value is stored. Even though it depends on product implementation, the question author assumes a counter needs non-volatile memory when writing this question. This question is designed as a trigger to think about the difference between HOTP and TOTP.
- A battery that must be replaced in three minutes implies a clock is maintained and no clock drifts.
A security token or token, also known as an authenticator, is something you have to authenticate yourself to an authentication server. A token can be a physical or technical/logical container. It can be a badge, card, dongle, a piece of structural data, etc., you name it. What matters is the secret or data stored in the token.
- An access token (SAML) or ID token (OpenID/OIDC) is a piece of structural data (XML in SAML, JSON in OIDC) describing facts (attributes) about a subject, also known as assertions. It is typically issued after authentication.
- A one-time password (OTP) token is typically implemented as a physical device that generates passwords dynamically. It adds another authentication factor, something you have because the user knows nothing about the dynamically generated password but the one that he or she configured.
Subscriber authentication is performed by verifying that the claimant
controls one or more authenticators (called tokens in earlier versions of SP 800-63) associated with a given subscriber.
Source: NIST SP 800-63B
One-time password (OTP) Token
An OTP token generates a password dynamically for one-time use based on either time (synchronous) or sequence/counter (asynchronous). A clock reports the time to the OTP generator while the counter is stored in non-volatile memory (e.g., ) for the generation of the next password. Both the time-based OTP (TOTP) and counter-based OTP (HOTP) generators use the HMAC-SHA1 algorithm.
- HOTP(K,C) = Truncate(HMAC-SHA-1(K,C)), K for Key and C for Counter
- TOTP(K,T) = Truncate(HMAC-SHA-1(K,T)), K for Key and T for Time
OTP Token Products
- HSBC Bank Security Dongle
- HSBC Security key
- OTP Token C200 (USBToken)
- One-Time-Password Authentication Token c100 (ProteccionSoftware)
- OTP Token User Manual (First Bank, Taiwan)
- OTP Token (uOTP-2/Wosign)
- Swivel OATH HOTP Hardware Token (Swivel)
- Keypad Token (Gemalto)
- One-Time Password (OTP) Tokens (Microcosm)
- One-time password
- Security token
- FIPS 140-2 Certification and Common Criteria: Why It Matters…
- An Introduction to FIPS 140-2 and Common Criteria
- FIPS 140
- FIPS 140-2
- FIPS 140-3
- One-Time Password (OTP) Hardware Token FAQs
- SECURITY TOKEN
- HOTP: An HMAC-Based One-Time Password Algorithm (RFC 4226)
- TOTP: Time-Based One-Time Password Algorithm (RFC 6238)
- OTP EPROM
- Token Storage
- counter to indicate hotp count
- OTPs Explained
A BLUEPRINT FOR YOUR SUCCESS IN CISSP
My new book, The Effective CISSP: Security and Risk Management, helps CISSP aspirants build a solid conceptual security model. It is not only a tutorial for information security but also a study guide for the CISSP exam and informative reference for security professionals.
- It is available on Amazon.
- Readers from countries or regions not supported by Amazon can get your copy from the author’s web site.