Paper Based One Time Password System

Simon Moore

Title	:	Paper Based One Time Password System
Originator	:	Dr S. W. Moore
Special Resources	:	(optional but desirable) an account on a machine which supports WWW CGI scripts

Background

Network security is a big issue within the University. The Computer Laboratory (T&R) prohibits remote access to its computers unless prior consent has been given. This is inconvenient.

A one time password system for rlogining into machine would probably be adequate. In commercial systems such a password is usually sourced using a device similar in shape, size and component complexity to a picket calculator. However, such a device costs a significant amount of money and can easily be lost.

Proposal

A paper based one time password system is proposed. The user of the system would carry around a single A4 sheet printed on both sides which forms a code book. This code "book" would be valid for, say, one month or 50 accesses which ever comes sooner. It could be used in the following challenge-response scenario:

user types "rlogin gateway-host -l userID"
machine asks for a conventional password which the user duly enters
machine replies with a series of alphanumerical quintuples
user looks up quintuples in the code book and responds accordingly

Time constraints could be added to this process. For example, the user may only be allowed three attempts to login per hour.

In case the user looses a code book there should be a mechanism to withdraw the book from circulation. This could be provided by a web page hooked to an appropriate CGI script.

The interface to code book generation could also be provided by a local web page. A large print two page code book might be desirable for those ocularly challenged. It would be reasonable to assume that local printing facilities are secure enough.

back to index