What One-Time Passwords Could Do For Mobile
User Rank: Apprentice
2/23/2012 | 6:46:36 AM
re: What One-Time Passwords Could Do For Mobile
I agree that this additional hardware is a huge problem. I don't see this catching on widely unless it can be integrated into all mobile devices including phones and tablets. Otherwise, it will fall by the wayside as just yet another security token device. Some companies might enforce a security policy that requires that you have it as their employee, like carrying a badge or keycard, but other than that, the reasons for carrying another device will never be compelling enough for the average user. On the other hand, what if it were integrated into something that can be inserted into all mobile devices, like a microSD card that can automatically use a combination button-press/biometric fingerprint scan on its host device to release the one-time password? However, in that case, the microSD tokens will be commonly lost as devices are stolen or someone forgets to remove their microSD card. Plus, it is unlikely that all mobile devices across all makers, models, and device types will allow such a common and freely available button-press/biometric scan API. Is it safe to say that this is strictly a business security solution?

--- Jonathon
User Rank: Apprentice
2/23/2012 | 6:43:29 AM
re: What One-Time Passwords Could Do For Mobile
Password and username which is must is good for the respective ids along with it this problem along the OTP gives a great struggle.
User Rank: Strategist
2/23/2012 | 1:08:04 AM
re: What One-Time Passwords Could Do For Mobile
Re: app support. That's why Yubico's support for federated authentication systems and standards like OAuth and SAML is so important. Look at how many services are already tied to your Google, Twitter, Facebook, Windows Live or iTunes account. Most cloud services don't want to reinvent the user account/identity/authentication wheel and would rather just leverage what Google, Microsoft and Apple have already put together. If just a few of these (Google already does) support federated OTP, it could make a big difference.

User acceptance is a tougher issue, but dead simple devices like YubiKey certainly mitigate this. Having your ID stolen also tends to focus the mind. It's like the old saw that a conservative is a liberal who got mugged. As another commenter pointed out, smartphone-based biometrics might be another option, but unless these use the biometric with some sort of embedded TPM chip to generate an OTP, they're still subject to MITM and replay attacks.
User Rank: Apprentice
2/22/2012 | 5:02:23 PM
re: What One-Time Passwords Could Do For Mobile
Kurt, I liked your piece and its forward-looking perspective. You nailed it when you brought up the issue of users carrying an extra device for authentication - they won't! Gartner, and other analysts, along with user trials will attest to this fact. Mobile enables OOBA and voice biometrics (maybe facial too) and opens new frontiers in security.
