NCSA One-Time Passwords (OTP) Project

To help protect NCSA computing assets and core server machines, One Time Passwords are being used.

NCSA OTP reference sections:

• OTP users
• OTP client system administrators
• OTP support staff
• OTP server administrators

• OTP Statistics

One Time Password (OTP) authentication [RFC2289] can prevent attackers from using harvested names and passwords from compromised laptops, office and other machines to compromise user accounts or gain root access. Three types of machines are being protected:

• Public access - machines such as computing cluster user login nodes, which have multiple types of logins allowed from many users. On these machines root and certain administrative accounts can only be accessed through OTP authentication, but normal login methods can be used for accessing user accounts.
• Servers - machines such as file or mail servers that only administrators have access to. All user accounts are protected by OTP logins. Elevating to root privileges can be done in various ways, but logging into a user account using OTP authentication is required first.
• Critical - machines such as OTP and Kerberos authentication servers that have very limited access by only a handful of administrators. All access, including initial user logins and any elevations to root privileges require OTP authentication at each step along the way.

Related links:

• FNAL Strong Authentication web pages
• An Analysis of the CRYPTOCard RB-1 Hardware Token for Kerberos Preauthentication by Ken Hornstein

If you have any questions, please contact the NCSA help desk at help@ncsa.uiuc.edu

This page was last modified 10:16:48, September 09, 2005.