Exotics : Paper Based MFA



Multifactor authentication is not always complex and expensive. A number of two-factor authentication systems use a list of one-time passwords printed on a sheet of paper. In this post we review two examples of such systems. The logic behind them is simple: both the server and the user hold the same numbered list of passwords, and at login the server picks one entry from the list and prompts the user to enter it. Each entry is accepted only once, so a passcode captured during one login is of no use for the next.

One example of such a system is GRC's Perfect Paper Passwords (PPP), a straightforward, simple and secure implementation of a paper-based One Time Password (OTP) system. When used in conjunction with an account name and password, the individual "passcodes" printed on PPP's "passcards" serve as the second factor ("something you have") of a multi-factor authentication system.

High security multifactor authentication using a series of single-use "passcodes" does not need to be expensive. In fact, it can be free...

A similar approach is used in the e-banking system of AzeriCard. In its implementation, the password lists are printed out at the ATMs of participating banks, as described in the user instructions published on the website:

To connect to the "Internet Banking" system it is necessary to obtain a list of one-time passwords at any of the information kiosks or ATMs of the Bank. To do this, in the ATM menu select "Payment", then "Services", then "A list of IB passwords", and the machine will print out a list similar to the one shown below.

Although access to this list is itself protected by an additional factor, the banking card and its PIN, this can be regarded as another example of paper-based strong authentication.
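To make the mechanism behind both PPP and the AzeriCard list concrete, the following is an added example (not GRC's or AzeriCard's code) of a minimal paper-OTP backend: it generates the list that would be printed, stores only salted hashes server-side, challenges the user for the next unused cell, refuses replays, and does not advance the card on a wrong answer so an attacker who knows only the username cannot exhaust it. The alphabet, the 4-character passcode length, the 7x10 card layout and the class and function names are assumptions made for this example, not a description of either system's actual format.

```python
import hashlib
import hmac
import secrets

# Passcode alphabet for printing; ambiguous glyphs (0/O, 1/I/l) are left out.
# This alphabet, the 4-character length and the 7x10 card layout are
# assumptions for this example, not a specification of PPP or of any bank.
ALPHABET = "23456789abcdefghijkmnpqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ"
PASSCODE_LEN = 4
COLUMNS = 7
ROWS = 10


def generate_card(n=COLUMNS * ROWS):
    """Draw n passcodes from the OS CSPRNG; this list is what gets printed."""
    return ["".join(secrets.choice(ALPHABET) for _ in range(PASSCODE_LEN))
            for _ in range(n)]


def cell_label(index):
    """Map list position -> printed cell name, e.g. 0 -> 'A1', 7 -> 'A2'."""
    return f"{chr(ord('A') + index % COLUMNS)}{index // COLUMNS + 1}"


def render_card(passcodes):
    """Plain-text card with lettered columns and numbered rows."""
    header = "    " + " ".join(chr(ord("A") + c).ljust(PASSCODE_LEN)
                               for c in range(COLUMNS))
    lines = [header]
    for r in range(ROWS):
        row = passcodes[r * COLUMNS:(r + 1) * COLUMNS]
        lines.append(f"{r + 1:>2}  " + " ".join(row))
    return "\n".join(lines)


class PaperOtpServer:
    """Server-side view of one user's card: salted hashes, never the passcodes."""

    MAX_FAILURES = 5

    def __init__(self, passcodes):
        self.salt = secrets.token_bytes(16)
        self.hashes = [self._hash(p) for p in passcodes]
        self.used = [False] * len(passcodes)
        self.pending = None      # index of the cell the user was asked for
        self.failures = 0

    def _hash(self, passcode):
        # Passcodes are short, so a slow KDF matters if the table ever leaks;
        # the iteration count is kept low here only to keep the example quick.
        return hashlib.pbkdf2_hmac("sha256", passcode.encode(), self.salt, 10_000)

    def challenge(self):
        """Return the cell to prompt for: the lowest unused one.

        A failed attempt does not advance the card, otherwise anyone who
        knows only the username could burn through every cell."""
        if self.failures >= self.MAX_FAILURES:
            raise RuntimeError("too many failures; lock the account")
        if self.pending is None:
            try:
                self.pending = self.used.index(False)
            except ValueError:
                raise RuntimeError("card exhausted; print a new one") from None
        return cell_label(self.pending)

    def verify(self, passcode):
        """Check the response to the outstanding challenge; True on success."""
        if self.pending is None:
            return False                      # nothing was asked for
        ok = hmac.compare_digest(self._hash(passcode), self.hashes[self.pending])
        if ok:
            self.used[self.pending] = True    # one-time: never accepted again
            self.pending = None
            self.failures = 0
        else:
            self.failures += 1
        return ok


if __name__ == "__main__":
    card = generate_card()
    print(render_card(card))                  # this is what the user keeps
    server = PaperOtpServer(card)             # the plaintext list is then discarded
    cell = server.challenge()
    print("enter passcode", cell, "->", server.verify(card[0]))
```

The two points worth carrying over to a real deployment are the ones the paragraph above only hints at: the server keeps hashes rather than the list, so a database leak does not hand out the cards, and a wrong answer re-requests the same cell instead of moving on, which is what stops the list from being exhausted by someone who does not hold it.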

However, we would still advise looking for a real compromise between security, cost and end-user convenience. In this particular example, the convenience of paper-based MFA is far from ideal: the user has to go to an ATM with card and PIN in hand to obtain the list.
