(Not) Hacking the Digipass Go 3 OTP Dongle
My bank moved to a two-factor authentication solution, and thus required me to purchase from them a Digipass Go 3 dongle in order to authenticate my transactions. To register my dongle I keyed in a five-digit code they gave me, and also the key's serial number appearing on its back. Given that the Go 3 uses an open authentication framework and a published algorithm for generating the one-time password (OTP), could I use the key and the numbers I keyed in to employ the dongle in my own applications, or to clone it on my mobile phone or palmtop?
It turns out that the answer is no. The one-time password generator depends on a secret key that is shared between the dongle and the authenticating application. Specifically, the algorithm generates the OTP by computing an HMAC-SHA-1 (the SHA-1 keyed-hash message authentication code) over a moving factor (an increasing counter or a time value), with the shared secret as the HMAC key, and truncating the result to a short decimal code. The key's manufacturer, Vasco, pre-programs this shared secret into the dongle, and also supplies a file with a copy of the shared secret in encrypted form to the purchaser of the keys (in this case my bank). The serial number on the back of the key is only used to look up my key's shared secret in that file, and the activation number my bank supplied me with is probably only used to tie the specific key to my account. The shared secret stays hidden in my dongle and in my bank's database. Therefore, cloning the dongle or re-using it in other applications isn't possible.
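The OTP computation described above, HMAC-SHA-1 over a counter with dynamic truncation as standardized in RFC 4226 (HOTP), written out as an added example; this is not code from the original post or from Vasco, and the secret and counter values are RFC 4226's published test vectors, not anything read from a real dongle. The `verify_hotp` look-ahead window is an assumed, typical server-side policy, not the bank's actual one.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA-1 over the 8-byte big-endian counter,
    dynamically truncated to a 31-bit integer, reduced mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # low nibble of last byte picks the window
    code = ((mac[offset] & 0x7F) << 24
            | mac[offset + 1] << 16
            | mac[offset + 2] << 8
            | mac[offset + 3])
    return str(code % (10 ** digits)).zfill(digits)


def verify_hotp(secret: bytes, stored_counter: int, candidate: str, window: int = 10):
    """Server-side check (assumed policy): accept the candidate if it matches any
    counter in [stored_counter, stored_counter + window), so that presses on the
    dongle that never reached the server do not lock the user out. Returns the
    counter to store next (one past the match), or None on rejection. Counters
    behind stored_counter are never accepted, which defeats replay of an old OTP."""
    for c in range(stored_counter, stored_counter + window):
        if hmac.compare_digest(hotp(secret, c), candidate):
            return c + 1
    return None


# Constructed demonstration: the RFC 4226 reference secret (ASCII "12345678901234567890").
RFC_SECRET = b"12345678901234567890"
# A constructed stand-in for what the user actually sees: serial number and activation code.
VISIBLE_SERIAL = b"VDS-EXAMPLE-000000"
VISIBLE_ACTIVATION = b"12345"


def secret_needed_demo() -> bool:
    """Show that the printed serial number and activation code, even when mashed
    together as a key guess, produce a different OTP than the real shared secret."""
    guessed_key = VISIBLE_SERIAL + VISIBLE_ACTIVATION
    return hotp(guessed_key, 0) != hotp(RFC_SECRET, 0)


if __name__ == "__main__":
    for c in range(3):
        print(c, hotp(RFC_SECRET, c))          # 755224, 287082, 359152 per RFC 4226
    print("serial+activation is not the key:", secret_needed_demo())
```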
The design of the dongle is sound. By not supplying me with the shared secret, the bank ensures that the dongle remains a "something I have" authentication factor, and is not accidentally downgraded through inappropriate key management into "something I know". Still, this design means that I will end up with a separate dongle for each application using two-factor authentication. As an engineer, I consider this to be a waste.