Trying to underdtand 2 factor authentication

Evidently one-time passwords can be used in concert with tokens.

How does this work?

Thanks

A

Re: Trying to underdtand 2 factor authentication

"not_here.5.species8350@xoxy.net" writes:
> Evidently one-time passwords can be used in concert with tokens.
>
> How does this work?

from 3-factor authentication model
http://www.garlic.com/~lynn/subintegrity.html#3factor

* something you have
* something you know
* something you are

a hardware token can represent "something you have" technology and a
password can represent "something you know" technology. typically
multi-factor authentication is considered more secure because the
different factors have different/independent vulnerabilities
(i.e. pin/password considered countermeasure to lost/stolen token,
modulo not writing the pin/password on the token).

a couple old posts discussing one-time passwords implementation
and possible vulnerabilities/exploits
http://www.garlic.com/~lynn/2003n.html#1 public key vs passwd authentication?
http://www.garlic.com/~lynn/2003n.html#2 public key vs passwd authentication?
http://www.garlic.com/~lynn/2003n.html#3 public key vs passwd authentication?

it is also possible to have a common vulnerability for different
factors. misc posts discussing "yes cards" exploit
http://www.garlic.com/~lynn/subintegrity.html#yescard

where the token validates using static data (effectively a kind of
pin/password). the static data can be skimmed and used to create a
counterfeit token. the "yes card" operation involves the
infrastructure validating the token ... and then asking the token if
the entered pin was correct. the counterfeit "yes cards" are
programmed to always answer "yes", regardless of what pin is entered.

however, it is possible that the way that the token validates itself
is via some sort of one-time password technology (as opposed to some
purely static data technology). in such a situation, the one-time
password isn't independent of the token ... it is equivalent to the
token (and therefor doesn't represent multi-factor authentication).

another possible variation is the token is used to transport
information used for authentication. in the "yes card" scenario, the
token was used for both transporting and verifying the user's PIN
.... however there wasn't an independent method of verifying that the
user actually knew the PIN ... which in turn invalidated the
assumption about multi-factor authentication having
different/independent vulnerabilities.

in the following reference discussion about electronic passports, the
token is used to carry personal information that can be used for
"something you are" authentication (guard checks the photo in the
token against a person's face). the issue here is a question about the
integrity of the information carried in the token (can it be
compromised or altered). however, the token itself doesn't really
represent any kind of "something you have" authentication (it purely
is used to carry the information for authentication)
http://www.garlic.com/~lynn/aadsm25.htm#32 On-card displays