1. Field of the Invention
The present invention relates generally to the field of authentication and more particularly to the use of one-time passwords over unsecure networks.
2. Related Art
A one-time password (OTP) is a password that is valid for only one login session or transaction, as opposed to a static password that may be used repeatedly. A cybercriminal who manages to record an OTP as it is being used will not be able to reuse it to access the secured account, since the OTP will no longer be valid. Since OTPs are not memorized and reused, OTPs must be generated in some secure fashion so that the person seeking a login session or transaction has access to the OTP that the host computing system is expecting.
In some systems, an OTP is generated by the host computing system, transmitted over a first channel, such as to a cellular phone using Short Message Service (SMS), and returned to the host computing system over a second channel, such as from a PC connected to the Internet. In other systems the person retains a physical device, known in the art as a token, that is synchronized with the host computing system in some way, though the two do not communicate. For instance, both can employ the same algorithm to generate the OTP based on the time and date as a seed. In both types of systems the use of the OTP can be time-limited: the OTP sent by the host computing system can be valid for only a short duration after transmission, and the OTP generated by the token can be valid only until a certain time.
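As an added illustration, not taken from the patent, the following Python code shows the token-style scheme just described: token and host share a secret and derive the OTP from the current time step (the HOTP/TOTP construction of RFC 4226 and RFC 6238), and the host accepts a code only inside a short time window and only once, so a recorded code cannot be replayed. The secret, step size and window values are constructed for this example.

```python
import hmac
import hashlib
import struct

# Constructed values for the example: a shared secret held by both the token
# and the host, a 30-second time step and 6-digit codes.
SECRET = b"constructed-shared-secret-key"
STEP = 30
DIGITS = 6

def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """HMAC-based OTP (RFC 4226): HMAC-SHA1 over the 8-byte counter,
    dynamically truncated to a 31-bit integer, reduced modulo 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)

def totp(secret: bytes, now: int, step: int = STEP) -> str:
    """Time-based OTP: the counter is the number of whole time steps elapsed.
    This is what the token computes from its own clock."""
    return hotp(secret, now // step)

class OtpVerifier:
    """Host side. A code is valid only for counters within +/- window steps of
    the host's current step, and each counter may be consumed once."""
    def __init__(self, secret: bytes, step: int = STEP, window: int = 1):
        self.secret, self.step, self.window = secret, step, window
        self.used = set()  # counters whose code has already been accepted

    def verify(self, code: str, now: int) -> bool:
        counter = now // self.step
        for c in range(counter - self.window, counter + self.window + 1):
            # constant-time comparison so timing does not leak partial matches
            if hmac.compare_digest(hotp(self.secret, c), code):
                if c in self.used:
                    return False  # replay of a code already consumed
                self.used.add(c)
                return True
        return False  # no match inside the window: wrong or expired code
```

The verifier's replay set would be persisted per user in a real deployment; here it lives in memory to keep the example self-contained.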
Both authentication systems are considered two-factor authentication systems where the factors are (1) something the user knows, specifically the OTP, and (2) something the user has, either a token or a receiving device like a cellular phone. Because two-factor authentication additionally involves something the user has and, it is assumed, the criminal does not, two-factor authentication is widely accepted to be more secure than conventional passwords.
Despite the security advantages of OTPs, two-factor methods employing OTPs can be defeated when used over unsecured networks. FIG. 1 illustrates two methods used by cybercriminals. Gaining access to the user's account starts by duping a user 100, employing a user computing system 110 having access to an unsecured network 120 such as the Internet, into accessing a criminally controlled website served by a criminal computing system 130. That website provides a login page that closely resembles the login page provided by a legitimate authentication computing system 140.
If the user 100 is fooled into believing that the website served by the criminal computing system 130 is actually that of the authentication computing system 140, the user 100 will attempt to log in and unwittingly send a user ID to the criminal computing system 130. In those instances where the user 100 possesses a token 150, the user 100 will also provide the OTP with the user ID. The criminal computing system 130 then begins the login process with the user ID of the user 100. In those instances where the user 100 possesses the token 150, the criminal computing system 130 is able to complete the login to the user's account without further information from the user 100. To hide the criminal activity, the criminal computing system 130 can serve a response page back to the user computing system 110 after the user ID has been received, indicating that the authentication computing system 140 is presently unavailable.
In those instances where the user 100 does not possess a token 150, the criminal computing system 130 provides the user ID to the authentication computing system 140, which generates and sends the OTP over a second channel to the receiving device 160. The user 100 is expecting the OTP and, upon receipt, enters the OTP into the user computing system 110, which communicates the OTP to the criminal computing system 130. The criminal computing system 130 can then complete the login to the user's account through the authentication computing system 140. As above, the criminal computing system 130 may respond with a misleading response page.