Page 972 - (ISC)² CISSP Certified Information Systems Security Professional Official Study Guide

values of six to eight numbers. This is similar to the asynchronous dynamic passwords created by tokens. The HOTP value remains valid until used.

TOTP The Time-based One-Time Password standard is similar to HOTP. However, it uses a timestamp and remains valid for a certain timeframe, such as 30 seconds. The TOTP password expires if the user doesn't use it within the timeframe. This is similar to the synchronous dynamic passwords used by tokens.

Many online organizations use a combination of HOTP and TOTP and provide users with one-time passwords using two-step authentication.


While this sounds secure, we frequently see a common vulnerability addressed by NIST. Specifically, SP 800-63B recommends that the code sent to the user's smartphone should not be viewable until the user unlocks the phone. However, the code almost always appears as a notification without unlocking the phone.

Another popular method of two-step authentication that many online websites use is an email challenge. When a user logs on, the website sends the user an email with a PIN. The user then needs to open the email and enter the PIN on the website. If the user can't enter the PIN, the site blocks the user's access. While an attacker may be able to obtain a user's credentials after a data breach, the attacker probably cannot access the user's email (unless the user has the same password for all accounts).




When a Second Factor May Not Be Secure


Adding a second factor is helpful when you want to limit the impact of a stolen or cracked password, but what happens when the second factor isn't secure? That's the concern that drove updated NIST recommendations in SP 800-63B.


As discussed in this section, a numeric code sent to a smartphone is a secure method. The reason is that the smartphone has a subscriber identity module (SIM) card that uniquely identifies the device. Devices with a SIM card receive messages over the public switched telephone network (PSTN).