Problem Analysis and Security Testing of One Time Password Technology

Prapot Prapot Thumsiraruk
Somnuk Somnuk Puangpronpitag

Abstract

One Time Password (OTP) is an important component of several authentication systems, particularly online banking systems. It is generally deployed as a second security layer to protect a system in case the main password has been compromised. However, OTP itself has a few vulnerabilities. Recently, there have been several news reports of attacks on online banking systems, even those protected by OTPs. Hence, in this paper, we analyze the potential problems of various OTPs. The analysis focuses on: (1) the pros and cons of each OTP type (i.e., Email OTP, SMS OTP, Token OTP and Mobile OTP), and (2) the strengths and weaknesses of OTP algorithms (such as Counter-based OTP, Time-based OTP and Challenge-Response OTP). Furthermore, testbed experiments were conducted to study potential attacks on OTPs. Finally, we present our solutions to these problems and ways to improve OTPs.

Article Details

Section
Research Article