DocumentCode
680150
Title
No security by obscurity - why two factor authentication should be based on an open design
Author
Yu, Jinying ; Brune, Philipp
Author_Institution
Hochschule Neu-Ulm - University of Applied Sciences, Wileystraße 1, D-89231, Germany
fYear
2011
fDate
18-21 July 2011
Firstpage
418
Lastpage
421
Abstract
The recently reported security issue possibly compromising the security tokens sold by a major vendor of two factor authentication (2FA) solutions (Schneier, 2011) demonstrates the importance of the basic principle of using an open design for security solutions (Saltzer and Schroeder, 1974). In particular, the safety of such devices should not depend on a secret algorithm or seed value used to generate a sequence of one-time passwords (OTP) inside the security token. Instead, we argue in favour of an open design that uses pre-generated sequences of OTP stored encrypted on the security token. Here, the safety of the solution relies only on the confidentiality of the decryption key and not on the design of the solution itself. We illustrate our argument by describing a corresponding authentication scheme and a prototype based on an open design, the latter serving as the basis for the security analysis.
Keywords
Algorithm design and analysis; Authentication; Cryptography; Servers; Smart cards; Software; IT-Security; Identity Management; Smart Cards; Two Factor Authentication;
fLanguage
English
Publisher
ieee
Conference_Titel
Security and Cryptography (SECRYPT), 2011 Proceedings of the International Conference on
Conference_Location
Seville, Spain
Type
conf
Filename
6732426