Paper Password Tokens

about | archive

[ 2007-November-14 20:25 ]

Due to the ease of capturing or brute-forcing passwords, many organizations that care about security are turning to two-factor authentication, where the user provides both "something they know," and "something they have." Typically, this is implemented by supplying both a password and a unique number from a security token. The user types both a password and a "random" number. If someone steals your password, they can't use it since they don't have the device. This provides better security, but now you need to purchase and distribute the physical devices. Here is a brilliant solution: paper password tokens. Instead of an electronic device, you have a credit card sized piece of paper with the tokens. Each time you log in, you type your password and the next token from the paper. When you run out, you print more cards. Implementations are available for SSH and PHP, among others. This is such a simple idea it is brilliant. It increases security without a lot of extra cost. Important note: two-factor authentication does not protect identity theft and fraud (part 2), but it does protect against passive and offline password attacks.

I've hacked up a very minimal implementation: