2018
Conference Paper
Title
Adding Channel Binding for an Out-of-Band OTP Authentication Protocol in an Industrial Use-Case
Abstract
One-Time Passwords (OTPs) are used to strengthen the authentication process of networked applications. Smartphone-based OTP schemes have already brought usable and affordable multi-factor authentication to web applications, and they are a promising approach for authentication in industrial applications as well. This paper introduces an industrial remote-maintenance use case that employs a smartphone-based OTP authentication scheme using Quick-Response (QR) codes. In addition to the main communication channel, over which password authentication takes place, the proposed scheme requires an out-of-band channel to transmit OTPs via the smartphone. While Transport Layer Security (TLS) provides baseline security for each channel, Out-of-Band Authentication (OOBA) remains vulnerable to Man-in-the-Middle (MitM) attacks in environments where the authenticity of a communicating party cannot be guaranteed: an attacker who terminates the client's TLS connection can simply relay the OTP to the legitimate server. Mitigating this requires a secure association between the two channels. The enhancement proposed in this paper therefore cryptographically binds each successful out-of-band OTP authentication to the previously established data channel by means of TLS channel binding. Recommendations cover common TLS libraries that support this feature as well as further considerations for a secure implementation.
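The following added example (not code from the paper or its authors) illustrates why plain OOBA fails against a relaying MitM and how channel binding closes the gap. It models the channel-binding value in the style of tls-server-end-point, i.e. a hash over the server's end-entity certificate; the certificate bytes, the OTP value, the HMAC-SHA256 construction and the hypothetical function names are all constructed here for illustration and are not taken from the paper:

```python
import hashlib
import hmac


def channel_binding(server_cert_der: bytes) -> bytes:
    """Channel-binding value of a TLS session, modelled after tls-server-end-point:
    a SHA-256 hash of the end-entity certificate the *client* actually saw.
    (Assumption for this example; a real implementation reads the value from
    its TLS library rather than hashing the certificate itself.)"""
    return hashlib.sha256(server_cert_der).digest()


def bind_otp(otp: str, cb: bytes) -> bytes:
    """Client side: prove knowledge of the out-of-band OTP *for this channel*.
    The proof depends on both the OTP and the channel-binding value."""
    return hmac.new(otp.encode(), cb, hashlib.sha256).digest()


def verify_bound_otp(expected_otp: str, cb_server: bytes, proof: bytes) -> bool:
    """Server side: recompute the proof with its own channel-binding value and
    compare in constant time. A proof produced for a different TLS channel
    (e.g. one terminated by an attacker) does not verify."""
    return hmac.compare_digest(bind_otp(expected_otp, cb_server), proof)


def run_scenario(mitm: bool, bind: bool) -> bool:
    """Return True if the server accepts the authentication.

    mitm=True  : the client's TLS connection ends at an attacker, who opens
                 its own TLS connection to the real server and relays data.
    bind=True  : the OTP is channel-bound instead of sent in the clear.
    """
    # Constructed certificate bytes; in practice these would be DER encodings.
    server_cert = b"constructed-DER-of-legitimate-server-certificate"
    attacker_cert = b"constructed-DER-of-attacker-certificate"

    # OTP delivered out of band (QR code shown to the smartphone). It is a
    # high-entropy value here on purpose; see the note below.
    otp = "6f1c0a9e4b2d8e7a3c5f1b0d9e8a7c6b"

    cb_client = channel_binding(attacker_cert if mitm else server_cert)
    cb_server = channel_binding(server_cert)

    if not bind:
        # Plain OOBA: the attacker forwards the OTP unchanged and is accepted.
        relayed_otp = otp
        return hmac.compare_digest(relayed_otp.encode(), otp.encode())

    # Channel-bound OOBA: the attacker can only relay the opaque proof blob,
    # which was computed over the client->attacker channel, not the
    # attacker->server channel the server verifies against.
    proof = bind_otp(otp, cb_client)
    return verify_bound_otp(otp, cb_server, proof)


if __name__ == "__main__":
    for mitm in (False, True):
        for bind in (False, True):
            print(f"mitm={mitm!s:5} bind={bind!s:5} -> accepted={run_scenario(mitm, bind)}")
```

Two caveats a practitioner should keep in mind. First, the proof is keyed with the OTP, so a short numeric OTP (six digits) would let the relaying attacker brute-force it offline from the captured proof and then re-bind it to its own channel; the OTP carried in the QR code therefore needs enough entropy, or the binding must be keyed with a separate high-entropy secret. Second, a certificate-based binding only helps when the attacker presents a different certificate than the server; a binding derived from the TLS handshake itself (such as tls-unique, where the library supports it) does not depend on that assumption.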