Campus ID News
Card, mobile credential, payment and security

One Time Password (OTP) generators generate major two-factor interest

CampusIDNews Staff || Nov 30, 2005

By Marisa Torrieri, Contributing Editor

Today, most corporate banks in the U.S., Europe and Latin America use two-factor authentication techniques to minimize security risks. But soon, your average, ATM-carrying Joe will join them, as a new breed of products offering amplified security hits the mass market.

In response to the increase in Internet banking fraud, which spawned new semi-mandatory recommendations by the FFIEC [see other story], a growing number of vendors are making and marketing two-factor authentication products. Whether software- or hardware-based, these products offer additional security beyond the single factor, password-only authentication used by banks today. Two-factor authentication offers users an extra layer of security to online banking transactions.

While many types of two-factor authentication, such as Public Key Infrastructure (PKI) and biometrics, solve the problem of insecure transactions, it's something simpler that tops the hot list for 2006 – One-Time Password (OTP) Generators.

OTP generators range in size and shape – some are tokens, others can be carried on key chains, and others can be embedded into cell phones. Most, however, work in relatively the same way. A bank customer uses a pre-determined PIN code, in addition to a new password generated on the spot by the OTP generator, to retrieve money or other financial data.

"The reason they're really hot is that they're portable," says Doug Graham, a former RSA Security executive who is now a security analyst for BusinessEdge Solutions – a high-tech consulting firm. "I can take them from machine to machine."

OTPs have proven effective in curbing phishing and pharming, two growing practices by which fraud artists trick online users into revealing personal financial information.

Here's a look at just a few vendors on the banking authentication marketplace, and what they're offering financial institutions:


Xiring

Paris-based Xiring was founded in 1998. It earned its biggest bragging rights in 2001, when it helped MasterCard to design the CAP (Chip Authentication Program) specification. Today, CAP is the norm in the industry, says Nigel Reavley, director of Xiring's banking business unit. The latest version of Xiring's flagship product – a one-time password generator called "Xi-Sign 4000," which is based on the CAP/EMV specification – is set to hit the U.S. next year.

A number of things make the "Xi-Sign" unique, says Reavley. It was the first to be certified by MasterCard as CAP compliant and use the CAP application, a software program within the smart card, to generate one time passwords. Other systems rely on proprietary systems to calculate the one time password or rely on a synchronized clock – but this creates issues and cost when the token is lost or desynchronized, he says.

For banks migrating to EMV, "(the Xi-Sign 4000) is a good investment since the card and PIN number exist already and the bank doesn't have to reinvest," Reavley says. Every transaction done on the Internet instead of in a branch saves the bank $1, so after ten transactions, the bank breaks even on the cost of the OTP generator. The cryptogram's server (which costs between $50,000 and $100,000 to run) is paid for after 100,000 transactions, he adds.

RSA Security

Bedford, Mass.-based RSA Security boasts a number of two-factor authentication products and a customer base of more than 19,000 around the world. Its flagship product is the RSA SecurID two-factor authentication token, a small device that fits on a keychain and displays a random, six-digit passcode that changes every 60 seconds.

The generated passcode is entered manually (typed), along with a user name and PIN, to access strongly protected Web sites and corporate resources, says John Worrall, vice president of worldwide marketing at RSA Security. What's great, adds Worrall, is that the user gets 40,000-plus password changes every month and doesn't have to remember a thing. The company also offers a USB-enabled RSA SecurID token, and software-based tokens that may be downloaded onto a user's laptop, cell phone or other mobile device. "In the past several years there has been an upswing in interest in two-factor authentication," Worrall says. "In the corporate world, we're seeing more companies that want to protect their network from the inside, and they've begun to roll out two-factor authentication in association with the Windows logon."


ActivIdentity

The Fremont, Calif.-based public company formerly known as ActivCard provides a number of hardware- and software-based OTP authentication products to clients such as M&T Bank, China Trust and Allied Irish Bank. Its hot OTP products include soft tokens and USB keys. The company also offers a suite of products for secure remote access. The name change reflects the company's desire to be known as a provider of more than smartcards, says Julian Lovelock, authentication product manager for ActivIdentity.

Aladdin Knowledge Systems

Chicago-based Aladdin's suite of eToken products hit the market five years ago to provide what it calls "strong authentication for online networks" for a number of security applications. The company recently released a new OTP product based on its popular eToken security software for businesses that want to go digital. Aladdin's OTP eToken is based on the eToken NG-OTP device, and when combined with the vendor's eToken management system, gives a company secure access to its network and applications in both connected mode (with the USB connection) and detached mode (with the one-time password). The difference between eToken and a standard OTP device, according to CEO Steve Langerock, is that the Aladdin eToken includes a smart chip, which can be used for encryption and storage of passwords and digital credentials. That means "you the user have to authenticate yourself to the device" before beginning online transactions, Langerock says.

StrikeForce Technologies

Two-factor authentication is great, but the cost to banks to upgrade antiquated security systems can be overwhelming, says George Waller, executive vice president of Edison, N.J.-based StrikeForce Technologies. To compete with the likes of security-industry stalwarts, five-year-old StrikeForce released a software-based OTP system to complete its ProtectID authentication platform.

ProtectID is a "hack proof," "out-of-band" authentication solution that uses two separate pathways to protect a person's identification, says Waller. The first pathway is the traditional one where the user name is sent to the domain or Web server. The second pathway, usually a phone, is used to transmit a passcode or PIN code. Additionally, a user can generate a One Time Password on the spot via his or her mobile device, PDA or computer. The platform offers users 10 different authentication methods, and costs less than competitors' products, says Waller. Usually, it breaks down to about $3 per user for 100,000 users on a yearly basis, he adds.

Conclusions …

While OTPs aren't perfect (user data is still at risk, especially when it travels on public computers), they are a smart investment for U.S. banks, consultant Graham says. Not only will they help banks earn high marks for being in compliance with the FFIEC guidelines, they may help banks trying to woo customers with a high net worth. Such customers are likely more concerned with security, he says. And they may even provide a great advertising opportunity for banks wanting to brand OTPs with a particular logo, he adds.

"This [technology] has been available for a number of years," Graham says. "Banks are finally starting to realize that they have to do something stronger."

CampusIDNews is published by AVISIAN Publishing
©2023 CampusIDNews. All rights reserved.