Page 971 - (ISC)² CISSP Certified Information Systems Security Professional Official Study Guide
Some organizations use the same concepts but provide the PIN via a
software application running on the user’s device. As an example,
Symantec supports the VIP Access app. After it’s configured to work
with an authentication server, it sends a new six-digit PIN to the app
every 30 seconds.
Onetime Password Generators
Onetime passwords are dynamic passwords that change every time
they are used. They can be effective for security purposes, but most
people find it difficult to remember passwords that change so
frequently. Onetime password generators are token devices that
create passwords, making onetime passwords reasonable to
deploy. With token-device-based authentication systems, an
environment can benefit from the strength of onetime passwords
without relying on users to be able to memorize complex
passwords.
Two-Step Authentication
A trend that many online organizations are using is two-step
authentication. As an example, imagine that you do online banking
and log on with a username and password. Your bank recently
required you to provide your cell phone number. Now, when you log
on, the bank’s website indicates that it sent a text message to your
phone with a code. It then prompts you to enter the code to complete
the logon process. Sure enough, when you look at your smartphone
you see a six-digit numeric code. After entering it on the website,
you’re logged on.
In this scenario, your smartphone is effectively mimicking a hardware
token, making this two-factor authentication, though many
organizations such as Google call it two-step authentication. This
process typically takes advantage of one of the following standards.
HOTP The HMAC-based One-Time Password (HOTP) standard uses a hash message authentication code (HMAC), which is built on a hash function, to create onetime passwords. It typically creates HOTP