How to securely distribute one-time password tokens

Ask the Expert

How to securely distribute one-time password tokens

What is the most secure way to handle distribution of one-time password (OTP) tokens in an organization?

Continue Reading This Article

Enjoy this article as well as all of our content, including E-Guides, news, tips and more.

By submitting your email address, you agree to receive emails regarding relevant topic offers from TechTarget and its partners. You can withdraw your consent at any time. Contact TechTarget at 275 Grove Street, Newton, MA.

You also agree that your personal information may be transferred and processed in the United States, and that you have read and agree to the Terms of Use and the Privacy Policy.

Safe Harbor

While issuing one-time password (OTP) tokens to your employees so they can access your systems does add an extra layer of protection, if those tokens aren't distributed properly, they can leave your systems open to an attack.

The biggest danger is either via unauthorized access by an employee, or worse, internal fraud. An unattended token can grant inappropriate access to someone else's account. And while the thief would still need the user's ID and password, they could easily obtain those.

The best way to prevent malicious token use is to educate employees on how to use them securely. Employees should be taught safe password practices, such as not writing them down and posting them by their desk. Employees should lock up their tokens or carry them when not in use. They should also lock their monitors when they get up from their desk, even if it is simply to get a cup of coffee or use the bathroom.

Distribute tokens from a central location or warehouse where they can be inventoried. Keep a record of all tokens received, as well as their serial numbers and apiece count. To verify that the right user received the right token, implement a policy that requires users to send inactive tokens to the help desk or to an online registration system to be activated. That way the help desk or online system can verify the user, ask for the token serial number and match it with the serial number of the sent token. Please keep in mind that the system you choose should depend on the size of your organization. For example, if you work for a large company, it's not a good idea to deluge the help desk with calls to activate tokens.

An alternate system can involve sending a new user an activation code by e-mail. Again, keep in mind that if you use this system only the activation code should be sent to the user. This will prevent theft of the token and its credentials. To activate the token, the code can be entered online at a predetermined registration site.

This was first published in February 2006