This hashed version effectively hides the OTP, meaning that all benefits of using an OTP are lost. With all other authentication methods (CHAP, MS-CHAP, etc.) the RADIUS server gets a hashed version of the passwords. But the key benefit of PAP is that the RADIUS server gets a copy of the users’ password, and OTP. The password is, of course, encrypted “on the wire” so that no one else can see it. When PAP is used, the RADIUS client sends the password to the RADIUS server. This article explains how one-time tokens work, and why PAP is the only authentication protocol which can support them.
Specifically, only PAP makes it possible to incorporate OTPs or MFA into the authentication process. While one-time passwords are useful, the authentication method that is used to transmit the user’s credentials may not be compatible with the use of OTP. In network security, using a one-time token is common practice for activites such as signing into private networks through VPN.
The one-time token is usually supplied through an authentication app, or a small separate piece of hardware. Both these strategies can combine the username and password credentials with a one-time token as part of the sign-in process.
One-time passwords (OTP) and multi-factor authentication (MFA) are important mechanisms used to improve security.
0 kommentar(er)
