The purpose of a one-time password (OTP) is to make it more difficult to gain unauthorized access to restricted resources, like a computer account. Traditionally static passwords can more easily be accessed by an unauthorized intruder given enough attempts and time. By constantly altering the password, as is done with a one-time password, this risk can be greatly reduced.
From: http://en.wikipedia.org/
The “intranet-otp” package is used in ]project-open[ as an extension of the normal password-based authentication mechanism. In combination with (optional) SSL encryption, OTPs allow for (reasonably) secure access to critical corporate resources, even in untrusted environments and/or over untrusted channels.
A typical scenario for "intranet-otp" is a traveling board member who needs to consult information about a customer at an Airport Internet Café.
The security mechanism of "intranet-otp" has been designed to deny a presumed attacker in the Internet Café access to the company system. For details and limitations, please read the "security analysis" section further below.
The creation of the "intranet-otp" package has been motivated by a recurring conflict between security and user-friendliness:
The "intranet-otp" package provides a new type of balance between these two requirements by combining a secure access method with logic that limits the use of OTPs to privileged users accessing the application from the insecure Internet.
The use of OTPs is enabled automatically for each user depending on the privileges of the user and the connection channel (trusted Intranet or untrusted Internet), according to the rules laid out above. If the test is positive, the system will show the user an additional screen (see below on the right) to enter the OTP.
The system will lock out a user after multiple failed login attempts (by default 3). After that, the use of OTPs for the user is blocked until the user himself (from a trusted network) or the administrator creates a new OTP list for the user.
The system will print out a warning if there are fewer than 10 (default) OTPs left on a user's list. This way, the user can set up a new OTP list himself.
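The rules described above (OTP only for privileged users on an untrusted network, lockout after 3 failed attempts, warning when fewer than 10 OTPs remain), as an added Python example; it is not code from the "intranet-otp" package. The intranet address range, the code format, storing only SHA-256 digests, accepting any unused code from the list, and resetting the failure counter on success are assumptions.

```python
import hashlib
import ipaddress
import secrets

MAX_FAILURES = 3    # page default: lock out after 3 failed attempts
LOW_WATERMARK = 10  # page default: warn when fewer than 10 OTPs remain
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # assumption: intranet range


def otp_required(privileged, client_ip):
    """OTP is demanded only from privileged users on an untrusted channel."""
    addr = ipaddress.ip_address(client_ip)
    return privileged and not any(addr in net for net in TRUSTED_NETS)


def _digest(otp):
    return hashlib.sha256(otp.encode()).hexdigest()


class OtpList:
    def __init__(self):
        self.unused, self.failures = set(), 0

    @property
    def locked(self):
        return self.failures >= MAX_FAILURES

    def new_list(self, size=20):
        """Replace the list and clear any lockout. Returns the plaintext
        codes once, for printing; only their digests are stored (assumption)."""
        codes = set()
        while len(codes) < size:
            codes.add(secrets.token_hex(4))  # assumption: 8 hex characters
        self.unused = {_digest(c) for c in codes}
        self.failures = 0
        return sorted(codes)

    def verify(self, otp):
        """Return (accepted, message)."""
        if self.locked:
            return False, "locked: a new OTP list must be created"
        digest = _digest(otp)
        if digest not in self.unused:  # wrong, or already used once
            self.failures += 1
            return False, "invalid OTP"
        self.unused.remove(digest)     # each code is accepted exactly once
        self.failures = 0              # assumption: success resets the counter
        left = len(self.unused)
        msg = f"warning: {left} OTPs left" if left < LOW_WATERMARK else ""
        return True, msg
```

Once the lockout is reached, even a valid code from the old list is refused; only `new_list()` restores access, mirroring the rule that a new OTP list must be created.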
This section is written for ]project-open[ users. It explains how users and administrators can set up and change OTPs (self-service).
The "Administration" component on the user's home page contains a link "Update this user's OTP list".
A screen will appear with the current list of OTPs and management options:

Create a new OTP List
Creates a completely new list. Please print out the new list as soon as possible in order to get access to the system. You may lock yourself out of the system if you don't save the list immediately.
This page shows the same list, but formatted in a way suitable to be printed.
Allows you to send the list to the OTP user.
