After witnessing a rise in online phishing attacks over the last few years, IT researchers are constantly coming up with new and more effective solutions. If we look back, passwords were once enough to keep our private resources safe. But as time passes, attackers keep improving their methods and can compromise passwords easily.
How do you prefer to lock your main door: with a single-layered lock or a two-layered one? Definitely the lock with double-layered protection, because the chances of being attacked by a burglar are lower than with a single-layered lock. The same theory applies to online resources. After seeing lots of phishing attacks, IT administrators came up with the idea of protecting entry gateways with two layers of protection. They termed the method “two-factor web authentication”.
As the name suggests, the method requires two different factors to be completed in order to authenticate. The method is based on a variety of technologies, of which the most prominent are one-time passwords (OTP) and public key infrastructure (PKI).
This article will explain the basic difference between the two and which one is best according to your needs.
OTP is a very common term, and we are all well aware of it. When we use net banking, before transferring an amount we receive an OTP code on our registered mobile phone or by email. Only after entering that code are we able to transfer the money.
OTP authentication is a form of ‘symmetric authentication’. The OTP is generated on the authentication server and must be matched by the code produced on the hardware token or software token in the user’s possession. If the OTP matches at both ends, the authentication is successful and the user is granted access to the services.
PKI authentication is a form of ‘asymmetric authentication’. It relies on a pair of two kinds of keys: a private encryption key and a public encryption key. The keys are stored on tokens such as USB tokens and smart cards designed to hold encryption keys securely.
When a user authenticates to his private network server, the server issues a token, let’s say ‘master’. The master is then signed into a numerical format using the user’s private encryption key. If there is a mathematical match between the two (the signed token checked against the public key of the user’s key pair), the authentication will be successful.
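Both flows side by side, as an added example in Go that is not code from the article: the symmetric OTP case from the earlier paragraph implemented as HOTP (RFC 4226, HMAC-SHA1 over a shared secret and counter), and the asymmetric case above as a random challenge signed with Ed25519 and verified with the enrolled public key. HOTP, Ed25519, the 32-byte challenge and all function names are my choices for illustration; the article does not specify the algorithms.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/binary"
	"fmt"
)

// Symmetric factor: HOTP (RFC 4226). Server and token share one secret and a
// counter, so either side can compute the same 6-digit code independently.
func HOTP(secret []byte, counter uint64) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	off := sum[len(sum)-1] & 0x0f // dynamic truncation offset
	code := binary.BigEndian.Uint32(sum[off:off+4]) & 0x7fffffff
	return fmt.Sprintf("%06d", code%1000000)
}

// Server side: recompute the expected code and compare in constant time.
func VerifyOTP(secret []byte, counter uint64, submitted string) bool {
	return subtle.ConstantTimeCompare([]byte(HOTP(secret, counter)), []byte(submitted)) == 1
}

// Asymmetric factor: the server issues a random challenge (the article's "master"
// token), the user signs it with the private key held on the hardware token, and
// the server checks the signature with the public key it enrolled earlier.
func NewChallenge() []byte {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		panic(err)
	}
	return c
}

func SignChallenge(priv ed25519.PrivateKey, challenge []byte) []byte {
	return ed25519.Sign(priv, challenge)
}

func VerifyChallenge(pub ed25519.PublicKey, challenge, sig []byte) bool {
	return ed25519.Verify(pub, challenge, sig)
}
```

Note that the OTP server needs a copy of the same secret, whereas the PKI server stores only the public key, and a signature over one challenge does not verify against another, which is why a captured response cannot be replayed later.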
OTP authentication does not require additional hardware in the way PKI authentication does. PKI authentication requires a hardware token for each user to keep their private encryption key secure.
Therefore, OTP authentication is traditionally more affordable and involves a lower deployment cost. It also requires less time and effort.
Level of security
Although OTP authentication with OTP apps provides a sufficient level of security, enterprises that need a higher level of assurance, such as e-government and e-health, depend more on the PKI authentication format.
Friends, these are some of the basic differences between the OTP and PKI modes of authentication. So, after analyzing the points mentioned above, comment your answer in the comment box: which one is your favorite of the two?