Is stand-alone one-time password less secure than OTP + traditional password auth?

Not necessarily. This is a scheme where you don't want to store a password for the user. Sometimes, this is done so that the user doesn't need to remember yet another password (in fact, there are users heavily relying on resetting the password every time, which produces a similar email-only "passsord").

There are also other parts surrounding this system that need to be taken into account:

  • Suppose we authenticate Alice by sending a SMS code to her phone. Eve is hanging out with her and, while Alice is away leaving her locked phone unattended, Eve logs in as Alice, reads the provided OTP code in the lock screen and performs malicious action. In this case OTP-only would be weaker, as an additional password would have prevented this attack.

  • SMS-only or email-only login mean that compromising such external service will immediately compromise your site account. See eg. Hackers Are Hijacking Phone Numbers And Breaking Into Email, Bank Accounts

  • Consider on the other hand that we require both a password from the user and that they have access to the email. We may consider that more secure than just requiring an email token. But then, how are you providing account recovery when the user forgets its password? Just by sending an email? Then the password doesn't provide additional security from an attacker that compromised your email.

  • Local token generation (like TOTP), are more robust against a third party compromising the service used as login. But phones (where people install them) break / are robbed and get changed much more often that you expect. So you still need to be able to allow some way of recovery for that.

The part I like most about not requiring a password is that it can sustain phishing easily:

  • Alice goes into the company.com and enters its username. The website sends her an email with a link to log in. At that point the opened page is no longer used. She goes to her email and browses from the safe link provided to her. Thus, a fake website can't lure her to provide an email code, to a phishing page, since navigation continues from the emailed link.
  • An attacker could send a fake email with a phishing link, but there arwould be no credentials to harvest there (hopefully, it won't make her enter their credit card details on the "just logged in page").

(Note that albeit less 'natural', you could do the same by requiring the password after following the link, or forcing to close the page after successfully providing the password, and continue on the link.)

Tags:

One Time Password

Multi Factor

Related

How do universities and schools securely sync passwords between multiple services? Why check your email in haveibeenpwned rather than regularly changing your password regardless of any leaks? Should ports be visible to nmap? Why is breach-detection site "Have I Been Pwned" considered safe? Proprietary RF Protocol Security Is the data between a keyboard and a web browser secure from local computer applications? As an end user, what risk is there in browsing a public website that uses TLSv1? How to connect a Raspberry Pi IDS to the home router to detect intrusions network wide? Is it worth storing email addresses as hashes? Let's Encrypt is based in the US and subject to US laws How does full disk encryption cater for overprovisoned disk space in flash devices and can this result in data leakage? Does the destruction of sensitive information limit the choice of hard drives to non-flash based devices?

Recent Posts