OTP Authenticate – Audit stand-alone computer access

Overview: OTP authentication

OTPAuthenticate monitors administrators’ authentications on stand-alone computers that are not connected to the network. Built by certified security experts, OTPAuthenticate respects the spirit of Windows’ internal security mechanisms and offers a user-friendly interface.

General requirements

  • Windows Vista / Windows 2008 or later (Windows XP or Windows 2003 can be supported on a case-by-case basis)
  • A local user account (on a stand-alone computer or a domain-joined computer)

Windows XP and Windows 2003 are supported only when the computer is not joined to a domain. The Remote Desktop Protocol (Terminal Services) works without Network Level Authentication (NLA).

Secure Design

Whereas most logon programs perform authentication in a user-mode process, this program is the only one that performs it inside Windows’ own security subsystem (lsass.exe): even when someone changes the account’s password offline, the solution detects the change and raises an alert.

Optionally, the solution can block the classic password authentication method.

Two methods of authentication are available:

  • OTP
    We implement RFC 6238 (TOTP) and can adapt the algorithm to the customer’s requirements (for example, adding a check digit, including a login, or strengthening the code with more digits encoded in ASCII85, …).
    Each workstation MUST have a different secret to protect against replay attacks (the program records all successful OTP connections, but the clock can be tampered with).
  • Challenge response
    A challenge is issued and the response is computed from it using a shared secret. A symmetric algorithm (3DES, AES-128, AES-256, …) must be chosen. The longer the key, the longer the response to the challenge.
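The RFC 6238 scheme and the per-workstation secret rule described above, as an added example that is not OTPAuthenticate’s own code: a standard-library Python TOTP implementation checked against the RFC 6238 Appendix B test vectors, plus a per-workstation verifier that refuses any time step at or below the last accepted one, so a recorded code cannot be replayed even if the clock is wound back. The 30-second step, SHA-1 and 6 digits are the RFC defaults and an assumption about the product; `WorkstationVerifier`, `hotp` and `totp` are names chosen here, and the secret is the RFC’s published test secret, not a production value.

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 30  # RFC 6238 default time step (assumed for the product)


def hotp(secret: bytes, counter: int, digits: int = 6, digestmod=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), digestmod).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, digits: int = 6, step: int = STEP_SECONDS) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the Unix time."""
    return hotp(secret, unix_time // step, digits)


class WorkstationVerifier:
    """TOTP verifier bound to one workstation's secret.

    Each workstation gets its own secret, so a code accepted on one machine
    is useless on another. The highest accepted time step is remembered and
    every step at or below it is refused, so a code that was already used
    cannot be replayed, even if the local clock is later wound back.
    """

    def __init__(self, secret: bytes, digits: int = 6, window: int = 1):
        self.secret = secret
        self.digits = digits
        self.window = window      # tolerate +/- this many steps of clock drift
        self.last_step = -1       # highest step already accepted; persist it in practice

    def verify(self, code: str, unix_time: int) -> bool:
        current = unix_time // STEP_SECONDS
        for step in range(current - self.window, current + self.window + 1):
            if step <= self.last_step:
                continue  # already accepted or older: refuse regardless of the clock
            if hmac.compare_digest(hotp(self.secret, step, self.digits), code):
                self.last_step = step
                return True
        return False


if __name__ == "__main__":
    # RFC 6238 Appendix B test secret (ASCII "12345678901234567890"); test use only.
    rfc_secret = b"12345678901234567890"
    print(totp(rfc_secret, 59, digits=8))          # 94287082 (RFC 6238 vector)
    print(totp(rfc_secret, 1111111109, digits=8))  # 07081804 (RFC 6238 vector)

    ws_a = WorkstationVerifier(rfc_secret)
    now = 1111111111
    code = totp(rfc_secret, now)
    print(ws_a.verify(code, now))        # True: first use of this code
    print(ws_a.verify(code, now))        # False: replay within the same step
    print(ws_a.verify(code, now - 30))   # False: clock wound back to a used step
    # A different workstation has a different secret, so the same code is refused there.
    ws_b = WorkstationVerifier(b"a different per-workstation secret")
    print(ws_b.verify(code, now))
```

Recording only the last accepted step (rather than every accepted code) is enough to reject replays, and it is the same idea the product relies on: the audit record, not the clock, decides whether a code has already been spent.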

The authenticator is delivered as a web server application or as a mobile phone application, as specified by the customer.