We are glad to announce two new models of programmable TOTP tokens, available both as a small card (miniOTP-3) and as a keyfob (C301), now with restricted time sync.


About Token2
TOKEN2 Multifactor authentication products and services LTD (short name TOKEN2) is a multinational IT security company headquartered in Versoix, Switzerland, providing various security solutions, such as hardware tokens, a mobile application, the TOTPRadius server, and the Token2 Cloud API (two-factor authentication as a service).

What is multi-factor authentication?
Multi-factor authentication is currently one of the de-facto standards for systems requiring strong security. In most cases, multi-factor authentication is rather complex and not very user-friendly, as it requires additional steps from end users: e.g. with two-factor authentication, in addition to entering a username and a password (usually considered the first factor), users need to manually enter an additional code (the second factor) that they either receive by text message, look up in a previously printed list of passwords, or generate with a hardware or software token.

Why is the time sync important?
The average time drift for TOTP hardware tokens may be up to 2 minutes per year. After a period of time (e.g. 1–2 years) some of the tokens may drift outside of the global synchronization window. A token that is not used very often is likely to drift even further beyond the synchronization window that an authentication server is using. In addition, organizations are reluctant to keep a large stock of hardware tokens: a token that is never used will have an almost new battery, but its time drift will make it impossible to use at all, leaving such investments completely unprotected. To address this issue, we have developed products that allow syncing the hardware clock using a special app.


Our first tokens with time sync (miniOTP-2 and OTPC-P1) have been available in our online shop since February 2019. These first models were created specifically for services like DUO or Okta, which ignore the RFC recommendations and do not automatically adjust for time drift.

Unrestricted time sync


The time sync feature of the first models is unrestricted, meaning that modifying the time of the token does not change the seed value; therefore there is a small risk of a replay attack, described below.

Replay attack details
Changing the time on a hardware token is not as simple as adjusting your wristwatch: there is a potential security risk (a TOTP code replay attack) if only the clock is changed. The code replay attack is quite easy to explain. Imagine a user under attack, where the attacker has access to the hardware token, even for a few minutes only. If we allow changing the time only, the attacker can set the time into the future and write down the OTP code the token generates. This process can be repeated many times, so the attacker would end up with, let’s say, 100 OTP codes that the victim’s token will display at certain times in the near (or far) future. It is worth mentioning that the risk of such an attack is minimal, as it can be performed only if all of the following conditions are met:

  1. The first factor (username and password) is already known to the attackers
  2. Attackers have physical access to the hardware token
  3. Attackers can discreetly access the hardware token over NFC for a long enough period of time (e.g. 15–20 minutes are needed to set the time, generate a significant number of future OTP codes and set the time back).

These conditions are relatively hard to meet and can be compared to a situation where a hardware token is stolen.

Restricted time sync


The new models come with restricted time sync, which means that setting the time automatically clears the seed for security purposes (to avoid the risk of a replay attack). For the same reason, however, these models are not recommended for use with systems that do not support time-drift adjustment, such as DUO.

So, the main advantage of hardware tokens with restricted time sync is the possibility of enrolling them in RFC-compliant systems after a long period (e.g. you can buy the tokens today and enroll them in a few years, after adjusting the time).
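As an added illustration (not Token2's code or firmware), here is a small Python model of what the "Why is the time sync important?" section and this section describe: an RFC 6238 TOTP generator, a server-side verifier that tracks each token's drift within a lookup window (the RFC resync recommendation that DUO/Okta-style systems skip), and a token model in which setting the time either keeps the seed (unrestricted sync) or clears it (restricted sync). The 30-second step, 6 digits, HMAC-SHA1, the 1-step window and the drift values are assumptions for the demo, not published parameters of these tokens.

```python
import hashlib
import hmac
import struct
from typing import Optional

STEP = 30  # assumed TOTP time step in seconds (RFC 6238 default)


def totp(secret: bytes, unix_time: int, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the 64-bit step counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", unix_time // STEP), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class HardwareToken:
    """Model of a programmable token: a seed plus its own crystal clock, which drifts.
    restricted=True models the new behaviour: setting the time wipes the seed,
    so any code derived from the old seed (including ones read off in advance) is useless."""
    def __init__(self, seed: bytes, restricted: bool):
        self.seed: Optional[bytes] = seed
        self.restricted = restricted
        self.clock_offset = 0  # seconds the token clock is ahead of true time

    def display(self, true_time: int) -> Optional[str]:
        return totp(self.seed, true_time + self.clock_offset) if self.seed else None

    def drift(self, seconds: int) -> None:
        self.clock_offset += seconds  # crystal drift accumulating over time

    def set_time(self, true_time: int) -> None:
        self.clock_offset = 0  # clock resynced by the app over NFC
        if self.restricted:
            self.seed = None  # restricted sync: seed cleared, token must be re-enrolled


class DriftAwareVerifier:
    """Server side: accept a code within +/- window steps of the last learned drift
    and remember the new drift on success (the RFC 6238 resync recommendation)."""
    def __init__(self, seed: bytes, window: int = 1):
        self.seed, self.window, self.drift_steps = seed, window, 0

    def verify(self, code: Optional[str], now: int) -> bool:
        if code is None:
            return False
        for delta in range(-self.window, self.window + 1):
            candidate = self.drift_steps + delta
            if hmac.compare_digest(totp(self.seed, now + candidate * STEP), code):
                self.drift_steps = candidate  # verified: this token's drift is now known
                return True
        return False
```

A regularly used token stays inside the window because the server learns its drift one step at a time, while a token that sat in stock and drifted several steps at once is rejected until its clock is synced; on a restricted-sync token that sync also erases the seed, so re-enrollment is required.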

How to order?


Feel free to place an order online. Use the promo code HABR201904 to get a 5% discount.

Comments (2)


  1. PTM
    09.04.2019 08:00

    It would be great if you wrote why we need it. Token2


    1. Token2 Author
      09.04.2019 10:14
      +1

      PTM Thanks a lot for the feedback. We actually did provide that info in the previous blog posts, but to make it easier to access, I have added the background info to this post (as spoilers).