[Information Security] EVVIS-QR1 USB Programmable TOTP hardware token

news_bot ® wrote:
01-Aug-2020 23:33

Today, we are presenting a new type of TOTP hardware token: a USB-programmable token that displays the OTP value as a QR code and can also send the current OTP value over USB as part of its HID emulation feature.
What is EVVIS-QR1?
EVVIS-QR1 is a hardware device developed primarily for Electronic visit verification (EVV) information systems (hence the name). It is a standards-based TOTP hardware token that can also be programmed over USB. The generated OTP is shown on the display both as regular digits and as a QR image. Both features (OTP shown as a QR code and HID keyboard emulation) are intended to minimize typos when entering the OTP.

What is EVV and why is it important?

Presence verification is in high demand in a number of industries, and it is one of the most requested features in medical institutions where different parties are contracted to visit patients periodically to provide services. This applies not only to external service providers but also to providers within the same institution. Often, hospital systems provide services within an enterprise, demonstrating the level of interoperation abstraction within the same organization.

The usual method of presence verification consists of a simple paper-based schedule table where the service providers write the current date and time and add their signature. Although this method is simple and easy to implement, it does not guarantee accuracy, as signatures on paper are easy to back-date or forward-date.

Using TOTP as a verification mechanism for EVV is secure enough, but not very user-friendly (the OTP needs to be typed in manually) and quite error-prone. The method introduced with the EVVIS-QR1 device makes it possible to implement presence verification securely using a special mobile application and a static hardware token displaying two-dimensional barcodes, without the need to enter any data manually, thus avoiding human errors.

One-touch OTP Entry

The EVVIS-QR1 device can send the OTP over USB thanks to its built-in HID emulation function (Windows only). This minimizes the user actions needed to authenticate with any 2FA-enabled system. You can configure the device to send the OTP digits together with an 'Enter' keystroke (ASCII char 13). This is convenient when logging on to a system (e.g. a web login form with a second-factor field): pressing the Enter key is emulated, so the form requesting the OTP is submitted automatically without clicking the submit button.

OTP shown as a QR image

Devices that show the OTP as a QR code have the greatest potential to improve the user experience when a special app is used. This is perfect for TOTP-based electronic verification systems.

This feature may slightly improve the user experience even with standard software (e.g. mobile Safari under iOS).

The process, illustrated in the figure below, not only speeds up entry (even if slightly) but, more importantly, helps to avoid the input errors that occur when the OTP is typed in manually.

The speed of the process (yet to be evaluated and compared to manual input speed) can be further improved by leveraging the Shortcuts app functionality of modern iOS (v 12.0 and higher). A shortcut within this app is a quick way to get one or more tasks done with your apps. By creating a set of tasks using the Shortcuts app, we can minimize the number of actions the user has to perform to copy the OTP from the EVVIS device.

The figure below shows an example of a task created with Shortcuts that merges 3 different user actions into one. Namely, these actions:
1. Launching the QR reader
2. Getting the text encoded in the QR code
3. Copying the recognized text to the clipboard

will be replaced by one action: launching the Shortcut task only.


Where to buy?
You can purchase the device directly in our online shop. Use the promo code below to get a 10% discount: HABR9MAXEOFG (expires on 31/08/2020)

«While FIDO/FIDO2 is more secure why do you still produce TOTP devices?»
We love FIDO, but it needs more time to become widely adopted and supported. Our research is driven by customer needs, and TOTP is still in high demand. The main reason is that it is much easier to implement, therefore many authentication systems still rely on TOTP.
===========
Source:
habr.com
===========

Search tags: #_informatsionnaja_bezopasnost (Information Security), #_totp_hardware_tokens, #_blog_kompanii_token2.com (Token2.com company blog)
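
The presence check described in the EVV section above, as an added example that is not part of the original post or the vendor's code: a server-side RFC 6238 verifier that accepts a scanned OTP only for the claimed visit time, so a back-dated or forward-dated entry fails. The 30-second step, 6 digits, HMAC-SHA1, the function names and the RFC test key are assumptions.

```python
import hashlib
import hmac
import struct

STEP = 30    # seconds per time step (RFC 6238 default; assumed token setting)
DIGITS = 6   # OTP length (assumed token setting)
SECRET = b"12345678901234567890"  # RFC 6238 test key, not a real token seed


def totp(secret: bytes, unix_time: int) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for the time step containing unix_time."""
    counter = struct.pack(">Q", unix_time // STEP)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation, RFC 4226 section 5.3
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** DIGITS).zfill(DIGITS)


def verify_visit(secret, scanned_otp, claimed_time, used_steps, drift_steps=1):
    """Return the matched time step, or None if the visit claim is rejected.

    used_steps is the set of steps already accepted for this token, so one
    scanned code cannot be logged as two visits.
    """
    if not (scanned_otp.isascii() and scanned_otp.isdigit()):
        return None
    for delta in range(-drift_steps, drift_steps + 1):
        t = claimed_time + delta * STEP
        if t < 0:
            continue
        if hmac.compare_digest(totp(secret, t), scanned_otp):
            step = t // STEP
            if step in used_steps:
                return None  # replay of an already recorded visit
            used_steps.add(step)
            return step
    return None


if __name__ == "__main__":
    seen = set()
    print(verify_visit(SECRET, "287082", 59, seen))          # code shown at t=59
    print(verify_visit(SECRET, "287082", 59, seen))          # same code again
    print(verify_visit(SECRET, "287082", 1111111109, seen))  # other claimed time
```

The matched step bounds the visit time to the accepted window around `claimed_time`, which is what a paper signature cannot provide.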