This chapter will cover attacks against one-time password MFA solutions. These solutions have long been among the most popular types of MFA and are continuing to grow in popularity. This chapter will explain how these types of MFA solutions work, give some example attacks, and then cover various defenses to reduce the risk of successful attacks.

Introduction to OTP

One-time password (OTP) authentication solutions have been popular for decades and are based on a concept that many people believe to be the cryptographic Holy Grail solution for authentication.

The idea is that when a subject is asked to authenticate, they provide a seemingly random set of characters that is valid only for that one request and known or predictable only between the subject and the authentication system. Once used, it will never be generated or used again (i.e., the “one-time” part). So, even if an attacker learns a particular OTP, it will never work again on any other authentication session. Any successful future authentication challenges would use a different, unpredictable, code.

The never, nonrepeating claim of an OTP solution is only true of a conceptualized, perfect OTP solution. In a perfect world, the OTP would never be repeated. But the reality is that it's impossible to avoid repeating OTP characters given a long period of time, especially when the number of characters used is limited. For example, an OTP may use a core algorithm capable of generating trillions ...