This article is part 3 of 7 in the series: An Evaluation of Strong Customer Authentication (SCA) Methods for the Revised Payment Services Directive (PSD2).
The following criteria are used for comparison:
- Equipment and infrastructure: Costs and benefits
- Ease of deployment: Portability, proprietary limitations, and distribution considerations
- Ease of loss replacement: Steps needed for a user to begin anew
- Vulnerabilities: Process, hardware, or software weaknesses
- Convenience/speed: The time the step takes and how smooth the user experience is; reports put the window in which a user decides whether to stay in or abandon a purchase at as little as 7 to 15 seconds, so every second counts
Hardware-based OTP for PSD2 SCA
SCENARIO: Your company decides to use hardware-based OTP, which means spending time designing and installing a server bank to accommodate the mass of users it will manage. Thousands of tiny key fobs are issued across your company, and you are told that replacing them is not simple, and that the fobs are not cheap. Just as with SMS OTP, using a hardware OTP requires you to type the number it displays into a field, except that here the number is generated by the fob itself rather than transmitted across an SMS network. Once you enter the number, the website, which is connected to the issuing server, verifies that the number is acceptable and grants access accordingly.
ANALYSIS: An OTP fob supplies the possession factor of MFA (and a knowledge factor only when a PIN or password is also required), but it remains subject to phishing and man-in-the-middle (MITM) attacks: because the code must still be typed or copied into a web page field, a phishing site can capture it and relay it to the real service before it expires.
Security tokens, the simplest form of hardware OTP, require at minimum a server that holds the same seed and runs the same algorithm as the tokens. This method requires users to carry a separate token for each authenticating entity. Smart cards build on this by adding a unique, non-reusable code to each interaction, and they can be integrated only after deploying a PKI, which is no small task or cost.
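The shared-algorithm design described above, as an added example that is not code from the original article or from StrongKey: a minimal event-based HOTP (RFC 4226) fob and its verifying server, each holding the same seed, plus a simulated phishing relay showing why a correctly typed code does not stop a real-time MITM. The seed (RFC 4226's own test-vector seed), the look-ahead window of 10 counters, and the relay and desync scenarios are assumptions for illustration.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter, then
    dynamic truncation to `digits` decimal digits. Fob and server both run this."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{binary % (10 ** digits):0{digits}d}"


class HotpFob:
    """The hardware token: a seed burned in at manufacture and a press counter."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.counter = 0

    def press(self) -> str:
        code = hotp(self.secret, self.counter)
        self.counter += 1          # every press advances the counter, used or not
        return code


class HotpServer:
    """The issuing server: same seed, plus the next counter value it expects.
    A look-ahead window tolerates presses that never reached the server."""

    def __init__(self, secret: bytes, look_ahead: int = 10):
        self.secret = secret
        self.next_counter = 0
        self.look_ahead = look_ahead

    def verify(self, code: str) -> bool:
        for c in range(self.next_counter, self.next_counter + self.look_ahead):
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.next_counter = c + 1   # resynchronise and burn this counter
                return True
        return False                        # unknown, stale, or already-used code


# Constructed seed for the demo (RFC 4226's test-vector seed), not a real token's.
DEMO_SEED = b"12345678901234567890"


def phishing_relay_demo() -> tuple:
    """Assumed scenario: the user types a fresh code into a phishing page and the
    attacker relays it to the real server first. Returns (attacker_accepted,
    user_accepted): the relay succeeds and the user's own later submission is
    rejected as a replay, because a typed code carries no channel binding."""
    fob, server = HotpFob(DEMO_SEED), HotpServer(DEMO_SEED)
    code = fob.press()                       # user reads the display and types it
    attacker_accepted = server.verify(code)  # phishing proxy submits it immediately
    user_accepted = server.verify(code)      # the genuine session arrives seconds later
    return attacker_accepted, user_accepted


def desync_demo() -> tuple:
    """Idle presses inside the look-ahead window are tolerated; beyond it the
    server rejects a genuine code until the token is resynchronised."""
    fob, server = HotpFob(DEMO_SEED), HotpServer(DEMO_SEED, look_ahead=10)
    for _ in range(5):
        fob.press()                              # five presses in a pocket
    within_window = server.verify(fob.press())   # counter 5: inside the window
    for _ in range(20):
        fob.press()                              # now far ahead of the server
    beyond_window = server.verify(fob.press())   # counter 26: outside the window
    return within_window, beyond_window


if __name__ == "__main__":
    print("RFC 4226 vectors:", [hotp(DEMO_SEED, c) for c in range(3)])
    print("phishing relay (attacker, user):", phishing_relay_demo())
    print("desync (within, beyond):", desync_demo())
```

The relay demo is the whole point of the analysis paragraph: the server did everything right, yet the first party to present the code wins, and nothing in a six-digit number tells the server which browser session it came from. Time-based tokens (TOTP) only shrink the window; they do not close it.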
Each increase in complexity drives the cost higher, and adding PKI almost guarantees a proprietary token scheme. Replacement costs for a misplaced fob or smart card are high enough that they must be factored into a cost-benefit analysis scaled by the number of users, making hardware OTP one of the most expensive and management-heavy options available. Registering a new user requires the sponsoring company to buy a new fob, keep spares in storage, or maintain a facility for provisioning new fobs. To make matters worse, fobs are often proprietary, locking you into a single vendor for replacements.
Regardless of the type of fob, the server-side matching process is only as strong as the OTP generation behind it: where generation has proven predictable (a weak seed or a flawed algorithm), an attacker who observes a few codes can forecast the next one. One way around this is to use pre-generated, static OTPs that are issued to the user in hard-copy form and stored for later use, each valid exactly once. If you have ever been asked to write down eight or ten sets of number and character combinations and keep them for emergencies, those are pre-generated static OTPs, and they are considered among the more secure OTP methods, provided the server stores only hashes of them and retires each code after use.
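Two points from the paragraph above as an added example (not code from the original article or from StrongKey): first, a toy fob whose code generator is a 31-bit linear congruential generator, so that an attacker who reads two consecutive displayed codes can recover the hidden state and name the third before it is shown; second, a server-side store for pre-generated single-use backup codes drawn from a CSPRNG and kept only as salted hashes. The LCG constants, the seed, the code format and the store's API are assumptions for illustration and describe no particular vendor's token.

```python
import hashlib
import secrets

# Toy predictable generator: glibc-style LCG constants (assumed for the demo).
A, C, M = 1103515245, 12345, 2 ** 31
DIGITS = 10 ** 6


class PredictableFob:
    """A fob whose next code is a fixed function of hidden 31-bit state.
    The display shows only the low six decimal digits of that state."""

    def __init__(self, seed: int):
        self.state = seed % M

    def press(self) -> str:
        self.state = (A * self.state + C) % M
        return f"{self.state % DIGITS:06d}"


def predict_next_codes(code1: str, code2: str) -> set:
    """Attacker's view: two consecutive observed codes. Every hidden state
    consistent with code1 has the form code1 + k*10^6 (about 2,148 candidates);
    keep those that also explain code2 and emit each one's prediction for code3.
    The true state is always among the candidates, so the real next code is
    always in the returned set (almost always its only member)."""
    c1, c2 = int(code1), int(code2)
    predictions = set()
    for k in range(M // DIGITS + 1):
        s1 = c1 + k * DIGITS
        if s1 >= M:
            break
        s2 = (A * s1 + C) % M
        if s2 % DIGITS == c2:
            s3 = (A * s2 + C) % M
            predictions.add(f"{s3 % DIGITS:06d}")
    return predictions


class BackupCodeStore:
    """Pre-generated static OTPs: codes come from a CSPRNG, the user receives the
    plaintext list once, and the server keeps only salted hashes, deleting each
    hash when its code is redeemed so no code can be used twice."""

    def __init__(self, count: int = 10):
        self.salt = secrets.token_bytes(16)
        self.plaintext_for_user = [
            f"{secrets.token_hex(2)}-{secrets.token_hex(2)}" for _ in range(count)
        ]
        self._unused = {self._digest(code) for code in self.plaintext_for_user}

    def _digest(self, code: str) -> bytes:
        # Slow, salted hash so a stolen table cannot simply be brute-forced.
        return hashlib.pbkdf2_hmac("sha256", code.encode(), self.salt, 50_000)

    def redeem(self, code: str) -> bool:
        digest = self._digest(code.strip().lower())
        if digest in self._unused:
            self._unused.remove(digest)   # single use: burn it
            return True
        return False

    def remaining(self) -> int:
        return len(self._unused)


if __name__ == "__main__":
    fob = PredictableFob(seed=0x5EED)                 # constructed seed
    c1, c2 = fob.press(), fob.press()                 # attacker shoulder-surfs two codes
    print("predicted:", predict_next_codes(c1, c2), "actual:", fob.press())

    store = BackupCodeStore()
    first = store.plaintext_for_user[0]
    print(store.redeem(first), store.redeem(first), store.remaining())
```

The recovery loop is cheap (a couple of thousand multiplications) because the generator's hidden state is small and its output leaks most of it; a real token's HMAC-based generator gives an observer nothing to invert. The backup-code store makes the second half of the paragraph concrete: the codes are unpredictable because they never derive from earlier ones, and the server cannot leak them because it only ever holds their hashes.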
Again, expect 8 to 12 seconds to complete this step, and longer if the fob has no NFC or Bluetooth interface and the OTP must be typed by hand rather than presented by a tap that doubles as proof of physical presence; longer still if a PIN is needed to unlock the fob.
- Equipment and infrastructure: $$$: PKI (server farm) + fob/smart cards; proprietary
- Ease of deployment: Extreme: infrastructure is in the name PKI for a reason
- Ease of loss/replacement: Hard: unique keys generated for each fob/smart card
- Vulnerabilities: OTP generation can be predictable in weak implementations; any typed code can be phished and relayed in real time
- Convenience/speed: 8-12s+ with possible typing and PIN
StrongKey FIDO Server (SKFS) is the world’s only open source FIDO® Certified FIDO2 Server. StrongKey never charges per-license or per-user fees, allowing you to keep your costs low even as your business grows. We offer CryptoCloud hosting, PKI solutions including conversion from existing PKI to a FIDO ecosystem via PKI2FIDO, and enterprise-wide FIDO2 strong authentication for businesses on six continents.