Since the discovery of the ‘Heartbleed’ vulnerability in the open-source cryptography library OpenSSL (Which is used by approximately 17% of the world’s Secure HTTPS websites), it has meant there is a loophole whereby hackers can gain access to Usernames, Passwords, Private Keys and Session Cookies.
But this vulnerability can be nullified by the use of Two-Factor authentication, as provided by Celestix HOTPin tokenless 2FA. This is firstly because the HOTPin software does not use OpenSSL and secondly because HOTPin produces ‘One Time Passwords’ (OTPs) for users to authenticate their login. Therefore that password can only be used once hence protecting the user and host against a second use of that password by a hacker. This means that HOTPin is also able to provide protection when used in conjunction with equipment from other manufacturers that ‘are’ affected by Heartbleed.
Celestix Networks HOTPin authentication solution allows companies to embrace the use of smart devices in the workplace. By installing a soft token on a mobile device, it is transformed into a token capable of generating a OTP, that can be used to authenticate the user when working remotely. Celestix HOTPin can also simplify the authentication of remote users on devices that cannot utilize a soft token and for workers who may not own a corporate smart device such as contractors. HOTPin uses the GSM network to deliver OTPs via SMS and the email system for delivery of OTPs to an inbox or via an Instant Messenger. HOTPin client now supports QR codes. Users can scan the QR code and will be instantly logged in to the application in a secure manner
Celestix believes it shouldn’t be complicated and costly, but it should be secure and controlled. This is why HOTPin uses HOTP, a HMAC-based algorithm for generating OTPs. HOTP is an open standard that continues to receive extensive scrutiny from security industry experts and leading academics.
Some authentication products use time-based OTPs (leveraging a vendor assigned seed with the current time). HOTPin OTPs are event-based (using a key generated on-site by the IT manager in conjunction with a counter). As such, HOTPin OTPs are not susceptible to attacks that compromise the seed or predictable algorithms based on the current time.
