HOTP - HMAC Event-Based One-Time Password Algorithm and Authentication
HOTP is an HMAC event-based one-time password. HOTP is part of OATH, the Initiative For Open Authentication. To create a one-time password (OTP), a user will enter their PIN into the SolidPass™ security token and generate an OTP to validate the requested transaction. The password generation uses a robust encryption mechanism appropriate for soft tokens. The length of the OTP also contributes to the security level provided. Longer OTPs make a system more secure. The suggested minimum OTP length in the SolidPass™ System is 8 digits or 6 alphanumeric characters. PIN control for OTP generation can be optional.
Regulatory requirements are pressuring organizations to adopt stronger authentication methods and to secure access to data systems and applications. Static username/password identity management no longer provide enough security to authenticate users accurately. This has led to adopting two-factor authentication systems. Legislation from the Sarbanes-Oxley Act (SOX), guidelines from the Federal Financial Institutions Examination Council (FFIEC), and recommendations from the Health Insurance Portability and Accountability Act (HIPAA) all require that organizations use stronger forms of authentication to mitigate data theft, prevent fraud, protect customer information and patient privacy. SolidPass helps organizations and enterprises comply with regulatory regimes that cover authorization rules and auditing protocols.
In addition to non-compliance, organizations that continue to use static username/passwords face numerous problems ranging from brute force attacks, dictionary attacks, guessing and social engineering.
For the banking industry, 2FA tokens are quickly becoming a mandatory offering for online and mobile banking:
- FFIEC Guidance on 2FA
- PCI Data Security Standards
- FACTA Identity Theft Red Flags
SolidPass Event-based security token can be used to prevent the following:
- Phishing Attacks
- Pharming Attacks
- Man-In-The-Middle Attacks
- DNS Cache Poisoning Attacks
- Trojans Attacks
- Man-In-The-Phone Attacks
- Browser Poisoning Attacks
HOTP Two-Factor Authentication (2FA)
In addition to HOTP two-factor authentication, SolidPass™ also supports the following strong 2FA methods on the mobile and PC platform:
- Time-Based One-Time Password
- Security Question
- Transaction Data Signing (TDS)
- Mutual Authentication (2 WAY Authentication)
Mobile Soft Token Convenience
The key advantage of the SolidPass mobile soft token is that there are no new devices or wallet-fillers for customers – just an add-on to the device they already carry everywhere. Since customers already own the “hardware” (the mobile phone), SolidPass™ can be provided and managed at a fraction of the true cost (TCO) of a hardware token solution. Soft security tokens have the added advantage of being able to be distributed immediately and without logistical planning. An added benefit from a reissuing and logistical perspective is that soft tokens do not expire. This helps reduce customer dissatisfaction. Users are also more likely to recognize the loss of their mobile phone before they recognize the loss of a hardware token. This means that they are also more likely to recover a misplaced mobile phone before finding a lost hardware token. As a result mobile phones have become a more reliable deployment method than hardware tokens.
Provisioning of Mobile Token
The application can be provisioned in a number of ways include OTA (Over-the-air), Bluetooth, Wap Push, download, SMS request from a short-code or a long number or from an SMS push from a web interface or a URL from a WAP or mobile Internet portal or from a relevant applications store.
SolidPass™ can be embedded in any number of mobile apps such as mobile banking that would require strong two-factor authentication and security.