It is baffling that One Time Passwords (OTPs) and the derived ‘automated’ OTP standard OCRA are still widely used, despite better technology being available.
OTPs are probably best known from apps like Google Authenticator, which generate time-based 6-digit numbers. Earlier applications included hardware tokens that performed this task. OTPs rely on a symmetric secret, which both the generator (app or hardware token) and validator (server) need to store.
The OCRA protocol
On came OCRA (OATH Challenge-Response Algorithm – aka RFC 6287) in 2011. It never made any sense and should have never been written down as a standard, because:
- It encourages automating OTPs by performing a challenge-response authentication protocol that simply sends back an OTP. Even though the device must be connected to send back the response, OCRA recommends truncating it to 6 decimal digits by default. Why not send back the full response to rule out brute-forcing?
- In OCRA terminology an OTP suddenly becomes a ‘signature’, despite no signature being placed. This reminds us of banks using OTPs to ‘sign’ transactions. An OTP offers no non-repudiation, since the key to generate the OTP is not only known to the user. This means that OTPs can always be disputed, calling it a ‘signature’ does not change that.
This standard resulted in many mobile apps embedding an OTP library to perform authentication, hidden from the user.
Why was all this so successful in mobile apps?
Many organisations and suppliers already invested in hardware tokens for OTP. OCRA was an easy way to embed an OTP in a mobile app, without requiring changes to the backend.
Relying on outdated technology is a clear security risk, and even more so when used as the only factor. There are better solutions available, so it is your responsibility as an organisation to make sure that security is up to par by using them.
Biometrics to the rescue?
With the rise of biometric sensors on mobile devices, there is an excellent opportunity to beef up security. Obviously, a mobile app should support new biometric features on mobile devices.
However, instead of removing OCRA and using hardware-backed signatures, the next patch came in: storing the symmetric secret in the device keystore (or, alternatively, a PIN code securing the secret). So now, every time the user enters their biometric to authenticate with an app, the device keystore will output the symmetric secret. This secret is then then used in software to generate the OTP.
Users get a pleasant user experience and the impression that high security device features are used. In reality, symmetric secrets are being handled in software. And now fingers crossed that nobody will find out how weak your app’s security is?