Experimental Study of DIGIPASS GO3 and the Security of Authentication

Notice: This research summary and analysis were automatically generated using AI technology. For absolute accuracy, please refer to the [Original Paper Viewer] below or the Original ArXiv Source.

Based on the analysis of $6$-digit one-time passwords (OTP) generated by DIGIPASS GO3 we were able to reconstruct the synchronisation system of the token, the OTP generating algorithm and the verification protocol in the details essential for an attack. The OTPs are more predictable than expected. A forgery attack is described. We argue the attack success probability is $8^{-5}$. That is much higher than $10^{-6}$, which may be expected if all the digits are independent and uniformly distributed. Under natural assumptions, even in a relatively small bank or company with $10^4$ customers the number of compromised accounts during a year may be more than $100$.


💡 Research Summary

The paper presents a thorough experimental investigation of the one‑time passwords (OTPs) generated by the DIGIPASS GO3 hardware token, a device widely deployed in banks and enterprises worldwide. By repeatedly pressing a single token while recording the exact timestamps, the authors collected thousands of six‑digit OTPs and analyzed their statistical properties.

The first digit of each OTP (denoted a) is not a random component at all; it serves as a synchronization marker that reflects the elapsed time between successive OTP generations. The token divides time into 64‑second “steps”. If the real time difference Δt between two OTPs falls into the interval 64·A ± 64 seconds, the leftmost digit changes by A or A ± 1 modulo 10. This behavior can be expressed by a function f(tₗ, tₖ) that, for any pair of generation times, returns either ⌊Δt/64⌋ − 1 or ⌊Δt/64⌋. Consequently, when Δt is close to an exact multiple of 64 seconds, the first digit is almost certainly predictable.

The remaining five digits (b–f) are derived from a 20‑bit pseudo‑random string produced by the token’s secret key. The string is split into five 4‑bit blocks; each block is interpreted as a number 0‑15 and reduced modulo 10 to obtain a decimal digit. Because a 4‑bit block is uniformly distributed, the resulting decimal digit has a non‑uniform distribution: digits 0‑5 appear with probability 1/8, while digits 6‑9 appear with probability 1/16. The authors verified this by counting occurrences in 814 distinct OTPs (Table 3), confirming the theoretical expectation.

Armed with these observations, the authors devise a forgery attack. An adversary who knows the user’s static credentials (or can obtain them via malware) proceeds as follows:

  1. Estimate the current time t (or the time t′ when the latest OTP reaches the server).
  2. Compute the expected first digit a from the time interval using the function f.
  3. Randomly choose five digits from the set {0,1,2,3,4,5} (each with probability 1/8).
  4. Assemble the six‑digit OTP a b c d e f and submit it to the authentication server.

Since the server’s verification protocol only checks that the first digit matches the synchronization counter and that the encrypted five‑digit part equals Eₖ(A) (where A is the internal counter derived from the initial secret and the time step), the attacker does not need to know the secret key. The success probability of a single trial is therefore (1/8)⁵ = 8⁻⁵ ≈ 3.05 × 10⁻⁵, which is roughly thirty times larger than the naïve 10⁻⁶ probability that would hold if all six digits were independent and uniformly random.

The paper also reconstructs the server‑side verification protocol. The server accepts OTPs arriving within a 480‑second window (8 minutes). It computes the time‑step count B from the arrival time, recovers f(t, t₀) = A − A₀ (where A₀ is the initial counter stored on the server), and then recomputes the encrypted five‑digit value X′ = Eₖ(A). If X′ matches the received X, authentication succeeds. Because the first digit is merely A mod 10, the server’s reliance on it for security is ill‑founded.

To assess the practical impact, the authors model a typical bank (2.3 million customers) and a smaller enterprise (10⁴ customers). Assuming realistic login frequencies and that the attacker can launch the attack after each legitimate use of the token, the expected number of compromised accounts per year exceeds 100 even for the smaller organization. This demonstrates that the vulnerability is not merely theoretical but could lead to substantial financial loss.

In conclusion, the study reveals two critical design flaws in DIGIPASS GO3: (1) the exposure of a deterministic, time‑dependent synchronization digit, and (2) a biased distribution of the remaining digits due to the 4‑bit‑to‑decimal conversion. Both flaws dramatically increase the predictability of OTPs and enable a practical forgery attack with a success probability of 8⁻⁵. The authors recommend redesigning the token to hide synchronization information and to generate fully uniform decimal digits, thereby restoring the intended security level of OTP‑based two‑factor authentication.
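The digit bias from the 4‑bit‑to‑decimal reduction, the resulting 8⁻⁵ versus 10⁻⁶ comparison, and the recommended fix (uniform decimal digits) can be checked numerically. The following is an added example written for this summary, not code from the paper or from the DIGIPASS product; the rejection‑sampling function is one assumed way to realise the authors' recommendation, and the 814‑OTP figure is only used to compute expected counts for a sample of that size.

```python
from collections import Counter
from fractions import Fraction

def mod10_digit_distribution(bits=4):
    """Exact distribution of a decimal digit formed as (uniform `bits`-bit block) mod 10.
    For bits=4 this is the conversion the summary describes: values 0..15 are reduced
    mod 10, so digits 0..5 have two preimages each and digits 6..9 only one."""
    n = 1 << bits
    preimages = Counter(v % 10 for v in range(n))
    return {d: Fraction(preimages[d], n) for d in range(10)}

def best_guess_success(dist, positions=5):
    """Probability that guessing the most likely digit in each of `positions`
    independent positions (the five keyed digits b..f) is right in all of them."""
    return max(dist.values()) ** positions

def advantage_over_uniform(dist, positions=5, total_digits=6):
    """Ratio of the biased-guess probability to the 10^-total_digits baseline of a
    fully uniform OTP (the 8^-5 versus 10^-6 comparison on the page)."""
    return best_guess_success(dist, positions) / Fraction(1, 10 ** total_digits)

def expected_digit_counts(dist, n_otps, positions=5):
    """Expected count of each digit over n_otps OTPs with `positions` keyed digits each,
    i.e. what a frequency table like the paper's Table 3 should look like if the model holds."""
    return {d: p * n_otps * positions for d, p in dist.items()}

def uniform_digits_from(block_source, count):
    """Mitigation (assumed realisation of the authors' recommendation): rejection sampling.
    Draw 4-bit blocks from `block_source` (an iterator of values 0..15) and discard 10..15
    instead of reducing mod 10, so every decimal digit is equiprobable."""
    out = []
    for v in block_source:
        if v < 10:                      # only blocks that map directly to a digit are kept
            out.append(v)
            if len(out) == count:
                return out
    raise ValueError("block_source exhausted before enough digits were produced")

if __name__ == "__main__":
    dist = mod10_digit_distribution()
    print({d: str(p) for d, p in dist.items()})      # digits 0..5 -> 1/8, 6..9 -> 1/16
    print(float(best_guess_success(dist)))            # 8^-5, about 3.05e-05
    print(float(advantage_over_uniform(dist)))        # about 30.5 times the 10^-6 baseline
    print(expected_digit_counts(dist, 814))           # expected frequencies for 814 OTPs
    print(uniform_digits_from(iter(range(16)), 10))   # constructed block stream -> [0..9]
```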
