OCRA - OATH Challenge-Response Algorithms
OCRA, the OATH Challenge-Response Algorithms, was submitted to the IETF in 2008. OCRA is an industry-wide attempt to create a standard algorithm for challenge-response as part of the OATH open authentication initiative. OCRA and OATH aim to provide strong authentication and to ensure the continued proliferation and market penetration of open-protocol multi-factor authentication solutions. SolidPass is part of the OATH initiative, and authenticates through a variety of methods.
Time-based Security Token (Time-synchronized)
The SolidPass family of authentication solutions includes time-based security tokens. With a time-based token, a value exists between the client's token and the authentication server that changes constantly at a set time interval, e.g. once per minute.
Time-based (synchronized) One-Time Password (OTP) Generation
To create a time-based one-time password (OTP), a user will enter their PIN into the SolidPass Mobile Application and generate an OTP to validate the requested transaction. The password generation with SolidPass uses a robust encryption mechanism appropriate for soft tokens. The allowed maximum validity period of a generated OTP is set to 3 minutes by default, and the OTP timeout period is a configurable parameter. The shorter the validity period, the higher the security level provided. The length of the OTP also contributes to the security level provided. Longer OTPs make a system more secure. The suggested minimum OTP length in the SolidPass System is 8 digits or 6 alphanumeric characters. PIN control for OTP generation can be optional.
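The effect of the validity period and OTP length on verification can be seen in the following added example, which is not SolidPass code. The page does not specify SolidPass's OTP algorithm, so the sketch assumes the OATH TOTP construction (RFC 6238, HMAC-SHA1); the 60-second step, 3-minute validity and 8-digit length are the values quoted above, and all function names are hypothetical.

```python
import hashlib
import hmac
import struct

STEP = 60        # page: token changes "e.g. once per minute"
VALIDITY = 180   # page: default maximum validity of 3 minutes
DIGITS = 8       # page: suggested minimum length of 8 digits


def _hotp(secret: bytes, counter: int, digits: int) -> str:
    """HOTP value for one counter (RFC 4226 dynamic truncation)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, now, step=STEP, digits=DIGITS):
    """OTP for the time step that contains `now` (Unix seconds)."""
    return _hotp(secret, now // step, digits)


def accepted_counters(now, validity=VALIDITY, step=STEP):
    """Time steps whose OTP the server still accepts at `now`.

    Granularity is one step, so a code lives between `validity` and
    `validity + step` seconds depending on when in its step it was made.
    """
    return range(max(0, now - validity) // step, now // step + 1)


def verify(secret, otp, now, validity=VALIDITY, step=STEP, digits=DIGITS):
    ok = False
    for counter in accepted_counters(now, validity, step):
        expected = _hotp(secret, counter, digits).encode()
        # Constant-time compare and no early exit: timing does not
        # reveal which candidate matched, or how many digits were right.
        ok |= hmac.compare_digest(expected, otp.encode())
    return ok


def guess_success_probability(validity=VALIDITY, step=STEP, digits=DIGITS):
    """Upper bound on one blind guess matching any accepted OTP."""
    candidates = -(-validity // step) + 1   # ceil(validity / step) + 1
    return candidates / 10 ** digits
```

A production verifier would also record the last accepted time step per token to reject replays inside the validity period, and rate-limit failed attempts.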
Time-based (synchronized) Two-Factor Authentication (2FA)
In addition to time-based (synchronized) two-factor authentication, SolidPass also supports the following strong 2FA methods on the mobile and PC platforms:
- Event-based One-Time Password (OTP)
- PIN control mandatory/optional
- Security Question
- Challenge-Response
- Transaction Data Signing (TDS)
- Mutual Authentication (2 WAY Authentication)
Time-synchronized Mobile Token Convenience
The key advantage of the mobile token is that there are no new devices or wallet-fillers for customers – just an add-on to the device they already carry everywhere. Since customers already own the “hardware” (the mobile phone), SolidPass can be provided and managed at a fraction of the true cost (TCO) of a hardware token solution. Soft tokens have the added advantage of being able to be distributed immediately and without logistical planning. An added benefit from a reissuing and logistical perspective is that soft tokens do not expire. This helps reduce customer dissatisfaction. Thanks to its flexible framework, the application can also be updated to guard against new security threats.
SolidPass works on a number of different mobile platforms (both feature phones and smartphones). SolidPass mobile tokens include the following:
- Android Time-synchronized Token
- Blackberry Time-synchronized Token
- Brew Time-synchronized Token
- iPhone Time-synchronized Token
- Java ME Time-synchronized Token (J2ME Token)
- Mobile Linux Time-synchronized Token
- Palm Time-synchronized Token
- Symbian Time-synchronized Token
- Windows Mobile Time-synchronized Token