One-time and SMS passwords

On the Options -> Alternative Logins screen you can now create one-time password sets and SMS-able password sets. These are particularly useful if you’re using computers you might not trust (eg Internet cafes).

One-time password set

When you create a one-time password (OTP) set (make sure it’s only on a computer you know is secure), it will show you a screen with 100 randomly generated passwords. You should print out this screen, and then carry the piece of paper with you. Each time you need to login to your account, you use one of the passwords on the sheet. Once you use a password, you should cross it out because you won’t be able to use it again.

For extra security, you can also specify a “base password” when you create a OTP set. When you do that, you have to enter both the base password (something you know) and the OTP password (something you have) to login. This ensures that even if you loose the piece of paper with one-time passwords on it, it can’t be used.

SMS-able password set

Similar to the OTP password set, but rather than generating a set of one-time passwords to print out, it generates a new OTP to send to your mobile phone via SMS.

To initiate the SMS, you have to specify a “base password”, and when you use that password on the login screen it will send you an SMS with the one-time password to use to actually login.

Note that for this to work, you have to have purchased SMS credits for your account on the Options -> Purchase SMS credits screen.

OTP Session Changes

When you login using OTP passwords, your sessions are slightly altered. Normally sessions are two hours long, but that means the session will expire “two hours after the last action the user performed”. With an OTP session, the session will expire one hour after you login regardless of when your last action is. If your session expires while using the system, you can just login again using another OTP password to continue what you were doing.

Also when you create an OTP set, you can specify that the logins should be “restricted”. In that case, the interface is locked down so that none of the screens normally available on the Options screen are accessible, and no emails or files can be deleted.

Even in a non-restricted OTP login set, the password and/or backup email address can not be changed.

“1 hr” OTP passwords

There’s also the option of creating “1 hr” OTP or SMS-able passwords. The main difference with these is that you can login using the same password multiple times, but you can only use the password for one hour. Basically the first time you use it, the clock starts ticking. These are most useful for protocols that often generate multiple logins and where a true OTP just doesn’t work such as IMAP and DAV.