New Developments in OTP Authentication Hardware
Despite the emergence of mobile-based authentication technologies and the convenience they offer, organisations concerned with security continue to embrace the humble One-Time Password (OTP) token and the security it brings.
The last few years have seen big moves in the digital security sector. While much focus has been placed on new, often mobile-based, authentication mechanisms, the traditional One-Time Password token (OTP token) is still proving itself to be a mainstay of the strong authentication market.
OTP Display Card - Credit card sized OTP token perfect for keeping in a wallet or purse
OTP key fob token
The convenience of software authentication apps, including OTP generators such as Google Authenticator, is obvious. Having an authentication app on the device you already carry avoids the need to carry extra hardware around with you. If you were to lose your phone, chances are you would notice quite quickly.
But smartphones are open to numerous vulnerabilities and attack vectors. Apps must store keying data locally, and that data can be compromised if the device is infected with malware, jailbroken or rooted.
You might be thinking at this point, "so what about SMS delivery of OTP codes?" Well, as documented in summer 2016, NIST no longer considers SMS a secure delivery mechanism for OTP codes due to the ease with which SMS messages can be captured.
These issues go a long way to explain why dedicated hardware OTP tokens are still in demand and why the industry is still buying them at pace.
With continued demand comes innovation. The newest development in the OTP world is the OTP display card - an OATH-compliant ISO 7810 ID-1 (credit card size) OTP token that is perfect for carrying in your wallet or purse. These OTP cards feature a high-contrast EPD (eInk) display of the kind commonly found on e-readers such as the Amazon Kindle. In addition, the new cards default to SHA-256 in the HOTP/TOTP algorithms, rather than the SHA-1 default used by older tokens.
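
The hash choice matters operationally because the validation server must use the same HMAC hash as the token. The following Python sketch is an added example, not code from this article or from any token vendor: it implements OATH HOTP (RFC 4226) and TOTP (RFC 6238) with a selectable hash and shows a SHA-256 code being rejected by a verifier left on SHA-1. The function names are assumptions made for the example; the keys and 8-digit values are the published RFC test vectors.

```python
import hashlib
import hmac
import struct

# Hash functions defined for OATH TOTP in RFC 6238.
HASHES = {"sha1": hashlib.sha1, "sha256": hashlib.sha256, "sha512": hashlib.sha512}


def hotp(key: bytes, counter: int, digits: int = 6, algo: str = "sha1") -> str:
    """RFC 4226 HOTP; the HMAC hash is selectable, as RFC 6238 allows."""
    mac = hmac.new(key, struct.pack(">Q", counter), HASHES[algo]).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation: low nibble of the last byte
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(key: bytes, unix_time: int, digits: int = 6,
         algo: str = "sha1", step: int = 30) -> str:
    """RFC 6238 TOTP: HOTP over the number of elapsed time steps."""
    return hotp(key, unix_time // step, digits, algo)


def verify_totp(key: bytes, candidate: str, unix_time: int, algo: str,
                digits: int = 6, step: int = 30, window: int = 1) -> bool:
    """Server side: accept codes within +/- window steps to absorb clock drift."""
    now = unix_time // step
    ok = False
    for counter in range(max(0, now - window), now + window + 1):
        # Constant-time comparison; every step in the window is always checked.
        ok |= hmac.compare_digest(hotp(key, counter, digits, algo), candidate)
    return ok


# Test secrets from RFC 4226 / RFC 6238 Appendix B (published vectors, not real keys).
RFC_KEY_SHA1 = b"12345678901234567890"
RFC_KEY_SHA256 = b"12345678901234567890123456789012"

if __name__ == "__main__":
    code = totp(RFC_KEY_SHA256, 59, digits=8, algo="sha256")
    print("token (SHA-256):", code)
    print("verifier on SHA-256:",
          verify_totp(RFC_KEY_SHA256, code, 59, "sha256", digits=8))
    # Same secret, same time, but the verifier was left on the SHA-1 default.
    print("verifier on SHA-1:  ",
          verify_totp(RFC_KEY_SHA256, code, 59, "sha1", digits=8))
```

When enrolling SHA-256 tokens, the hash, digit count and time step recorded on the server for each token all have to match what the token was provisioned with, otherwise every code fails validation.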