NCSA One-Time Passwords (OTP) Project

Using OTP without your CryptoCard

Editor's note: I don't believe we actually want to support this feature of CryptoCards or publish it as such, but I leave these notes here for the time being

You don't need your token! Well, you don't need it all the time. This gets into some detail, but it's worth investigating, and I'll provide the example to get us started thinking about the implications:

I'm planning to take a trip and want to travel light. I know my destination has a couple of secure [whatever that means to me] desktops with ssh2, and since I'll be swimming a lot at the pool, I'm not carrying the CryptoCard. Instead I'll just make a list of responses on paper and take them with me. Here's my list:

      0  211-6464
      1  873-1238
      2  256-7050
      3  556-7116
      4  043-7100
      5  100-4314
      6  276-1245
      7  133-4348
      8  571-0312
      9  993-5073
So I've got responses for 10 ssh sessions... should be enough for an overnight trip to IU. That list has some interesting usage rules. Here's what I've found so far.
  1. You have to use the responses in ascending order. You can start anywhere on the list, but all previous responses are invalid. If I am swimming at the pool and only remember to log in right before returning home, I can use response 9 and invalidate the rest of the list. The list is then useless if it falls into the hands of the bad guys.
  2. If you're using the credit-card token generator, you can answer challenges by typing them in after pressing the "dig-sig" button. Just enter the challenge and press "ent.". You'll see your responses are the exact responses shown on your paper list. In fact, they'll be generated in the same order as the paper list. This presents a pitfall to the credit-card users. If they always answer challenges by keying them in, then later decide to switch to just the instant-password method, they'll need to generate sufficient passwords to "catch up" to where they would be had they been working from a paper list. If I change my mind and take my CryptoCard with me on my trip and answer 10 challenges, the card will re-generate the list above if I then switch back to the simple method of pressing the password key. See rule 1 [you can never re-use a response].
  3. It would be possible for a group to still "share" an account by generating a list and having the members work from it. In fact, the group leader could even monitor list usage by keying a challenge into the token and observing how far down the list the response is shown. If the response were near the end of the list, it's time for a new list.
  4. The number of challenge responses that can be generated in this manner is currently configured to be 10.
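To make rules 1 and 4 concrete, here is an added example (not part of these notes and not CryptoCard's actual algorithm) that models how a server could accept logins from a printed response list: a response is accepted only if it lies above the last used index and within a look-ahead window, and accepting it burns everything at or below it. Reading the "10" of rule 4 as that look-ahead window is an assumption, and the response strings are constructed sample data.

```python
# Added example (not part of the NCSA OTP notes, and not CryptoCard's real
# algorithm): a model of how a server can accept logins from a printed
# response list under rules 1 and 4 above. Response strings are constructed.
from dataclasses import dataclass, field
from typing import List, Tuple

WINDOW = 10  # assumption: rule 4's "10" is how far ahead the server will look

# Constructed sample list, 25 entries, in the same "NNN-NNNN" shape as the notes.
SAMPLE_RESPONSES = [f"{(i * 37) % 1000:03d}-{(i * 7919) % 10000:04d}" for i in range(25)]


@dataclass
class ResponseListVerifier:
    responses: List[str]                 # the ordered list, index 0 first
    window: int = WINDOW
    last_used: int = -1                  # highest index accepted so far
    log: List[Tuple[str, object]] = field(default_factory=list)

    def verify(self, submitted: str) -> bool:
        """Accept only an unused response that lies within the window.

        Accepting index k burns every index <= k (rule 1), so a response
        copied off the paper list is worthless once the owner has used it
        or any later one.
        """
        lo = self.last_used + 1
        hi = min(len(self.responses), lo + self.window)
        for idx in range(lo, hi):
            if self.responses[idx] == submitted:
                self.last_used = idx
                self.log.append(("accept", idx))
                return True
        self.log.append(("reject", submitted))
        return False

    def remaining(self) -> int:
        """How many responses on the list are still usable (time for a new list?)."""
        return len(self.responses) - (self.last_used + 1)


def demo() -> List[bool]:
    """Walk the scenario from the notes: start anywhere, never go back, never reuse."""
    v = ResponseListVerifier(SAMPLE_RESPONSES)
    return [
        v.verify(SAMPLE_RESPONSES[3]),   # True: first login can start at any index
        v.verify(SAMPLE_RESPONSES[1]),   # False: rule 1, earlier responses are burned
        v.verify(SAMPLE_RESPONSES[3]),   # False: a response is never accepted twice
        v.verify(SAMPLE_RESPONSES[9]),   # True: skipping ahead is allowed
        v.verify(SAMPLE_RESPONSES[20]),  # False: more than WINDOW beyond index 9
        v.verify(SAMPLE_RESPONSES[19]),  # True: exactly at the edge of the window
    ]
```

The `log` list is what a group leader watching list usage (rule 3) would consult on the server side; `remaining()` answers the "time for a new list" question directly.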