OATH Authentication Security Token
The SolidPass two-factor authentication security token is OATH compliant. The Initiative for Open Authentication (OATH) is an industry-wide collaboration to create an open reference architecture to encourage the proliferation of strong authentication solutions by using open standards. OATH addresses security concerns with standard open technology with the goal of making strong authentication ubiquitous. OATH authentication has been adopted by many leaders in the field of strong authentication.
OATH Authentication
OATH is based on four guiding principles:
- Open and royalty-free specifications: By leveraging existing open standards when possible and leading standardization efforts.
- Device innovation and embedding: Specify technology building blocks that allow for low-cost, multi-function authentication devices, and transform existing devices into authentication devices.
- Native platform support: Facilitate native support for strong authentication in application development. Additionally, OATH seeks to leverage existing infrastructure such as LDAP.
- Interoperable modules: Enable best-of-breed solutions through a framework of interoperable components.
OATH Algorithm
OATH has endorsed a new OTP algorithm standard based on the HMAC SHA-1 algorithm, called HMAC-based OTP (HOTP). It is an event-based OTP algorithm, in which a counter value is used in the OTP calculation and incremented on the client and server after each use. The HOTP algorithm has been submitted to the IETF for standardization as an Informational RFC.
Mobile Soft Token Convenience
The key advantage of the SolidPass mobile soft token is that there are no new devices or wallet-fillers for customers – just an add-on to the device they already carry everywhere. Since customers already own the “hardware” (the mobile phone), SolidPass can be provided and managed at a fraction of the true cost (TCO) of a hardware token solution. Soft security tokens can also be distributed immediately and without logistical planning. From a reissuing and logistical perspective, a further benefit is that soft tokens do not expire, which helps reduce customer dissatisfaction. Users are also more likely to notice the loss of their mobile phone before they notice the loss of a hardware token, so they are more likely to recover a misplaced mobile phone than a lost hardware token. As a result, mobile phones have become a more reliable deployment method than hardware tokens.
Provisioning of Mobile Token
The application can be provisioned in a number of ways, including OTA (over-the-air), Bluetooth, WAP Push, download, an SMS request from a short code or a long number, an SMS push from a web interface, a URL from a WAP or mobile Internet portal, or a relevant application store.
Strong Two-Factor Authentication (2FA)
The following strong authentication methods are supported in the mobile token:
- Event-based One-Time Password (OTP)
- Time-based One-Time Password (OTP)
- Security Question
- Challenge Response
- Transaction Data Signing (TDS)
- Mutual Authentication
The SolidPass mobile security token can be used to prevent the following:
- Phishing Attacks
- Pharming Attacks
- Man-In-The-Middle Attacks
- DNS Cache Poisoning Attacks
- Trojan Attacks
- Man-In-The-Phone Attacks
- Browser Poisoning Attacks
Embedded Token
SolidPass can be embedded in any number of mobile apps such as mobile banking that would require strong two-factor authentication and security.
Environmental Footprint
Hardware tokens have a limited life span. After their obsolescence, they have to be discarded and new ones have to be issued. By contrast, mobile security tokens are a virtual product using existing hardware, thus minimizing negative externalities.