Steve Gibson of “GRC.com” has successfully implemented a very cool and extremely robust multi-factor authentication for his GRC employees who need access to an web admin console. He shares his implementation on a series of pod-casts found here. The cool thing about this form of authentication is that he assumes “perfect knowledge”. This means that Steve’s one-time password scheme is extremely secure. So secure, in fact, that if a keystroke logger residing on that machine is recording the keystrokes while a user attempts to log in - that information would not aid an in future attempts to log in. Most sites you visit that contain the typical user log-in, including your online banking site, would be vulnerable to a key stroke logger attack. That is because they require a password that is static. This means the password doesn’t change each time a user logs on. A key stroke logger would be able to identify your password as you type on the keyboard. Armed with this knowledge of your password the attacker can masquerade as you in a future log-on attempt. Another term for this attack vector is called a “replay attack”.In the Steve’s “PPP system” the four-character password, which is a passcode, is different each time the user logs on. There are 16,777,216 possible combinations for each passcode and since no passcode is ever reused, a replay attack would be impossible. The passwords are displayed on a credit card sized piece of paper that can be easily stored in one’s wallet. Steve uses some heavy duty encryption with a highly pseudo random 256 bit key to generate these series of passcodes. Each user will have a 256 bit key that will define the series. This key is stored on the server and the user doesn’t know this key. Another nice feature with this system is that the server will keep track of the passcodes of prior logons, and prompt the user for which passcode that it wants the user to enter. Each column is a letter and each row is a number, therefore the server might show “3E [1]:” so you would type in 5th column 3rd row on the first page. You can also print out your own passcode sheets and if you ever lose a sheet you can tell the server to forward you on to the next sheet, invalidating
the prior passcodes.

The PPP system was well received in the security community and some very practical open-source implementations were created. I downloaded and installed the PPP for PAM module, which allowed me to use PPP when I remote log-on to my MAC using SSH. Interestingly, Steve mentioned that when his employees log on using PPP they also supply a static password in addition to the PPP password. The reason behind this is that if the sheet of passcodes (something you have) got into the wrong hands they would be able to log in as you. However, they still need the static password that only you know, to log on.