Randomly chosen OTPs

Jonas Elfström — Tue, 06 Feb 2007 16:59:00 +0100

In this post I hope to answer some questions I got about the one-time password protocol I described in "Trojans and one-time passwords".

The scenario is that the attacker has got at least one OTP by using a trojan or some other means.

Couldn't the attacker just reload the login page until he is asked to enter an OTP that he has?
- No, he could not. All decent login procedures has a max number of tries before blocking the account. Also the OTP is asked for in the page following the login-page and failure to enter or to enter a faulty OTP there should count as a failed login attempt.

Couldn't the trojan record all OTPs entered and then it knows it's only one left redirect the login attempt and then login itself with that OTP?
- This is a real concern. To counterfeit this you have to have more OTPs than you will actually use or the numbered list could go on and on and not begin from 1 for every new sheet of OTPs. In either way the trojan will have a hard time to find out how many OTPs there are left.

In theory you could also present the number of the OTP as a CAPTCHA but I would recommend against it for usability reasons and because it locks out people with certain disabilities.

Probability of success

Let's say the trojan has succeeded in getting hold of two OTPs. What is the probability that it will hit the correct OTP if the user has a list of 20, 50 and 200 OTPs and if three login tries are allowed?

20: (1-(18/20*17/19*16/18))*100 = 28.4%
50: (1-(48/50*47/49*46/48))*100 = 11.8%
200: (1-(198/200*197/199*196/198))*100 = 3.0%

This is why it is important to make it hard or impossible for the trojan to count how many OTPs there are left.

If you add a second round of OTP check like I suggested in my earlier post life gets a lot harder for Mallory.

Alice, Bob, and Mallory: Randomly chosen OTPs

Randomly chosen OTPs

Probability of success