What is the difference between a synchronous and asynchronous password token?

A one-time password token (OTP token) is a security hardware device or software program that is capable of producing a single-use password or PIN passcode.

One-time password tokens are often used as a part of two-factor and multifactor authentication. The use of one-time password tokens hardens a traditional ID and password system by adding another, dynamic credential.

Depending upon the vendor, an OTP token will generate a PIN synchronously or asynchronously. Synchronous tokens use a secret key and time to create a one-time password. Asynchronous tokens use a challenge-response authentication mechanism (CRAM).

In the past, OTP security tokens were usually pocket-size fobs with a small screen that displayed a number. The number changed every 30 or 60 seconds, depending on how the token was configured, and the user entered his or her user name and password plus the number displayed on the token.

Today, OTP tokens are often software-based, and the passcode generated by the token is displayed on the user's smartphone screen. Software tokens make it easier for mobile users to enter authentication information and not have to keep track of a separate piece of hardware.

This was last updated in December 2014

Next Steps

Multifactor authentication is especially important when it comes to protecting enterprise data. Knowing how to secure one-time password tokens in order to implement them in an MFA scenario will keep corporate data safe in the long run. Understand how to distribute OTP tokens to employees so that systems aren't left open to attack.

Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.

My suggested answer is B. Synchronous dynamic password token.

(Both B. Synchronous dynamic password token and C. Asynchronous password token may fit the description of the question, as it depends on product implementation. The suggested answer is the author’s best guess.)

What is the difference between a synchronous and asynchronous password token?

  • An LCD implies the token generates one-time passwords dynamically, so static password token can be ruled out.
  • A keypad implies the token can support PIN code protection and challenge/response operations, so the challenge-response token can be eliminated.
  • Volatile memory implies no counter or no counter value is stored. Even though it depends on product implementation, the question author assumes a counter needs non-volatile memory when writing this question. This question is designed as a trigger to think about the difference between HOTP and TOTP.
  • A battery that must be replaced in three minutes implies a clock is maintained and no clock drifts.
Security Token

A security token or token, also known as an authenticator, is something you have to authenticate yourself to an authentication server. A token can be a physical or technical/logical container. It can be a badge, card, dongle, a piece of structural data, etc., you name it. What matters is the secret or data stored in the token.

  • An access token (SAML) or ID token (OpenID/OIDC) is a piece of structural data (XML in SAML, JSON in OIDC) describing facts (attributes) about a subject, also known as assertions. It is typically issued after authentication.
  • A one-time password (OTP) token is typically implemented as a physical device that generates passwords dynamically. It adds another authentication factor, something you have, because the user knows nothing about the dynamically generated password; the only password the user knows is the one he or she configured.

Subscriber authentication is performed by verifying that the claimant
controls one or more authenticators (called tokens in earlier versions of SP 800-63) associated with a given subscriber.

Source: NIST SP 800-63B

One-time password (OTP) Token

An OTP token generates a password dynamically for one-time use based on either time (synchronous) or sequence/counter (asynchronous). A clock reports the time to the OTP generator while the counter is stored in non-volatile memory (e.g., ) for the generation of the next password. Both the time-based OTP (TOTP) and counter-based OTP (HOTP) generators use the HMAC-SHA1 algorithm.

  • HOTP(K,C) = Truncate(HMAC-SHA-1(K,C)), K for Key and C for Counter
  • TOTP(K,T) = Truncate(HMAC-SHA-1(K,T)), K for Key and T for Time
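As an added illustration of the two formulas above (not code from the original post), here is a self-contained Python implementation of HOTP (RFC 4226) and TOTP (RFC 6238) using HMAC-SHA-1, together with the two server-side checks the page's discussion of counters and clock drift implies: a look-ahead window for an HOTP counter that has run ahead, and a tolerance window for a TOTP clock that has drifted. The shared secret is the ASCII test key from RFC 4226 Appendix D; the window sizes are assumed defaults, not values from the page.

```python
import hashlib
import hmac
import struct
import time


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """HOTP(K, C) = Truncate(HMAC-SHA-1(K, C)), as defined in RFC 4226."""
    msg = struct.pack(">Q", counter)                  # 8-byte big-endian counter
    digest = hmac.new(key, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                        # dynamic truncation offset
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(key: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """TOTP(K, T) = HOTP(K, floor(unix_time / step)), as defined in RFC 6238."""
    return hotp(key, unix_time // step, digits)


def verify_hotp(key: bytes, code: str, server_counter: int, look_ahead: int = 5):
    """Server-side HOTP check with a look-ahead (resynchronisation) window.

    The token may have been pressed without a login, so its counter can be
    ahead of the server's.  Returns the next counter to store on success,
    None on failure.  Window size is an assumed policy value.
    """
    for c in range(server_counter, server_counter + look_ahead + 1):
        if hmac.compare_digest(hotp(key, c), code):
            return c + 1                              # never accept c again
    return None


def verify_totp(key: bytes, code: str, unix_time: int,
                step: int = 30, drift_steps: int = 1) -> bool:
    """Server-side TOTP check tolerating +/- drift_steps of clock skew."""
    t = unix_time // step
    for dt in range(-drift_steps, drift_steps + 1):
        if hmac.compare_digest(hotp(key, t + dt), code):
            return True
    return False


# RFC 4226 Appendix D test key (constructed demo secret, not a real credential).
RFC4226_KEY = b"12345678901234567890"

if __name__ == "__main__":
    for c in range(3):
        print(f"HOTP counter={c}: {hotp(RFC4226_KEY, c)}")
    print("TOTP now:", totp(RFC4226_KEY, int(time.time())))
```

With the RFC 4226 key, counters 0, 1 and 2 yield 755224, 287082 and 359152, and the RFC 6238 vector at Unix time 59 (time step 1) yields the 8-digit code 94287082. Note that the counter the verifier stores after a successful HOTP check is advanced past the accepted value, which is what keeps the password single-use.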
OTP Token Products
  • HSBC Bank Security Dongle
  • HSBC Security key
  • OTP Token C200 (USBToken)
  • One-Time-Password Authentication Token c100 (ProteccionSoftware)
  • OTP Token User Manual (First Bank, Taiwan)
  • OTP Token (uOTP-2/Wosign)
  • Swivel OATH HOTP Hardware Token (Swivel)
  • Keypad Token (Gemalto)
  • One-Time Password (OTP) Tokens (Microcosm)


What are the two types of one

OTP tokens come in two types: event-based (HOTP) and time-based (TOTP).

What is synchronous dynamic password token?

A token used in a device that generates passwords at fixed time intervals. Time-interval tokens require that the clock of the authentication server and the clock of the token device be synchronized. The generated password is entered by the subject along with a PIN, passphrase, or password.

What makes synchronous token devices effective for security?

Synchronous tokens also generate an OTP, but no challenge code or other user input is required. Instead of the user entering a challenge code, the synchronous token uses an internally generated timestamp as input. That timestamp and a shared secret key are fed into an encryption algorithm to generate the OTP.

What is the difference between token and OTP?

A 6-digit response number with a lifetime of 30 seconds will appear on your security token. Please enter this number to authorize your transaction. One Time Password (OTP): It's a highly-secure automatically generated validation code, sent to your mobile phone, to authenticate you for a single transaction online.