Abstract

Purpose: One‐time password systems provide great strengths over conventional password systems: protection against over‐the‐shoulder observation, eavesdropping, replay, etc. The Grid Data Security authentication system is a server‐challenge‐based system. It has advantages over other one‐time password systems because it requires neither pre‐installed software nor special devices to carry. However, there are some weaknesses. The purpose of this paper is to analyze the weaknesses of the one‐time password system and provide practical guidelines for using it.

Design/methodology/approach: This paper statistically analyzes the weakness of the Grid Data Security authentication system and simulates attacks on the system to confirm the discovered weakness. The paper also suggests ways to reduce the discovered vulnerability using a mathematical formula and offers practical guidelines for using the system. It also identifies the system's strength for access authentication in mobile communication.

Findings: The Grid Data Security authentication system, which is a server‐challenge‐based one‐time password system, has a great weakness when an attacker gains its user‐interface screen and its GridCode. The discovered vulnerability can be reduced by changing the cardinality of the GridCode. This paper creates a formula that can help a system manager decide on a security level and the GridCode cardinality and password length it requires. It also identifies the system's strengths in mobile communication.

Originality/value: The paper provides a practical tool for security managers to identify the GridCode cardinality and password length required for certain levels of security.
