TOTP - Time-Based One-Time Password Algorithm and Authentication
The SolidPass family of authentication solutions includes time-based one-time password generating security tokens. The OATH-compliant time-based one-time password is synchronized between the client's token and the authentication server, and it changes at a set time interval, e.g. once per minute.
TOTP Time-Based (Synchronized) One-Time Password (OTP) Generation
To create an OATH-compliant time-based one-time password (OTP), a user enters their PIN into the SolidPass™ Mobile Application and generates an OTP to validate the requested transaction. Password generation with SolidPass™ uses a robust encryption mechanism appropriate for soft tokens. The maximum validity period of a generated OTP is set to 3 minutes by default, and the OTP timeout period is a configurable parameter. The shorter the validity period, the higher the security level provided. The length of the OTP also contributes to the security level: longer OTPs make a system more secure. The suggested minimum OTP length in the SolidPass™ System is 8 digits or 6 alphanumeric characters. PIN control for OTP generation can be configured as mandatory or optional.
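The following is an added example, not SolidPass code, of the two OATH algorithms this page refers to: the HOTP core (RFC 4226) that underlies the event-based token, with the TOTP layer (RFC 6238) on top, plus a server-side verifier that applies the validity window, OTP length and replay rules the paragraph above describes. The names `TotpVerifier`, `validity` and `guess_success_probability` are this example's own; the demo secret is the constructed ASCII key used by the RFC test vectors, not a SolidPass value.

```python
"""
Added example (not SolidPass code): an OATH-compatible HOTP (RFC 4226) core with a
TOTP (RFC 6238) layer on top, and a server-side verifier that applies the validity
window, OTP length and replay rules the page describes. Parameter names such as
`validity` and the class name `TotpVerifier` are this example's own choices.
"""
import hashlib
import hmac
import struct
import time
from typing import Optional


def hotp(secret: bytes, counter: int, digits: int = 6, digestmod=hashlib.sha1) -> str:
    """HOTP(K, C) per RFC 4226: HMAC over the 8-byte big-endian counter,
    dynamic truncation to 31 bits, then reduce modulo 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), digestmod).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, for_time: Optional[float] = None, step: int = 30,
         digits: int = 6, t0: int = 0, digestmod=hashlib.sha1) -> str:
    """TOTP per RFC 6238: HOTP over the time-step counter floor((T - T0) / X)."""
    if for_time is None:
        for_time = time.time()
    counter = (int(for_time) - t0) // step
    return hotp(secret, counter, digits, digestmod)


class TotpVerifier:
    """Server-side check of a submitted code.

    `validity` is the maximum age in seconds of a code the server will accept; it is
    converted into a number of time steps on each side of the current step (clock
    skew is treated as symmetric). The comparison is constant-time, and a time step
    that has already been used to log in is never accepted again (replay protection).
    """

    def __init__(self, secret: bytes, step: int = 30, digits: int = 6,
                 validity: int = 90) -> None:
        self.secret = secret
        self.step = step
        self.digits = digits
        self.window = validity // step      # steps accepted either side of "now"
        self.last_accepted_step = -1        # highest step already consumed

    def verify(self, candidate: str, now: Optional[float] = None) -> bool:
        if now is None:
            now = time.time()
        # Reject malformed input before doing any HMAC work.
        if len(candidate) != self.digits or not candidate.isdigit():
            return False
        current = int(now) // self.step
        for step_index in range(current - self.window, current + self.window + 1):
            expected = hotp(self.secret, step_index, self.digits)
            if hmac.compare_digest(expected, candidate):
                if step_index <= self.last_accepted_step:
                    return False            # replayed code for a consumed step
                self.last_accepted_step = step_index
                return True
        return False


def guess_success_probability(digits: int, window: int) -> float:
    """Chance that one random numeric guess is accepted: one valid code per step,
    2*window + 1 steps accepted, 10^digits possible codes. This is the quantity the
    page's "shorter validity period" and "longer OTP" advice is about."""
    return (2 * window + 1) / (10 ** digits)


if __name__ == "__main__":
    # Constructed demo secret: the RFC 6238 test-vector key, ASCII "12345678901234567890".
    secret = b"12345678901234567890"
    print("current 8-digit TOTP:", totp(secret, digits=8))
    v = TotpVerifier(secret, step=30, digits=8, validity=90)
    code = totp(secret, for_time=1234567890, digits=8)
    print("first use accepted:", v.verify(code, now=1234567890))
    print("replay accepted:", v.verify(code, now=1234567890 + 20))
    print("guess odds, 6 digits / +-1 step:", guess_success_probability(6, 1))
```

The verifier keeps only the highest accepted step, which is enough for a single-device token; a deployment with several tokens per account would track the consumed step per token. Rate limiting of failed attempts belongs in front of `verify` and is not shown here.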
Time-based (Synchronized) Two-Factor Authentication (2FA)
In addition to time-based (synchronized) two-factor authentication, SolidPass™ also supports the following strong 2FA methods on the mobile and PC platforms:
- Event-based One-Time Password (OTP)
- PIN control mandatory/optional
- Security Question
- Challenge Response
- Transaction Data Signing (TDS)
- Mutual Authentication (2 WAY Authentication)
- Out-of-Band Authentication
Time-Synchronized Mobile Token Convenience
The key advantage of the mobile token is that there are no new devices or wallet-fillers for customers – just an add-on to the device they already carry everywhere. Since customers already own the “hardware” (the mobile phone), SolidPass™ can be provided and managed at a fraction of the true cost of a hardware token solution. Thanks to its flexible framework, the application can also be updated to guard against new security threats.
SolidPass works on a number of different mobile platforms (both feature phones and smartphones). SolidPass mobile tokens include the following:
- Android Event-based Token
- Blackberry Event-based Token
- Brew Event-based Token
- iPhone Event-based Token
- Java ME (J2ME) Event-based Token
- Mobile Linux Event-based Token
- Palm Event-based Token
- Symbian Event-based Token
- Windows Mobile Event-based Token
The mobile phone vendors supported include:
- Apple
- Asus
- BenQSiemens
- Blackberry (RIM)
- HP Mobile
- HTC
- Huawei
- LG
- Motorola
- NEC
- Nokia
- Palm
- Panasonic
- Samsung
- SonyEricsson
- ZTE
Provisioning of Mobile Token
The application can be provisioned in a number of ways, including OTA (over-the-air), Bluetooth, WAP Push, an SMS request to a short code or a long number, an SMS push from a web interface, a URL from a WAP or mobile Internet portal, or a relevant application store.
Desktop Soft Token
SolidPass also supports desktop-based software tokens. The desktop operating systems and browsers supported are:
- Toolbar Token
- Java Token
- Linux Token
- Mac Token
- Windows Token
Software Token Embedded
SolidPass is a software authentication token built so that it can be used as a standalone product or embedded in mobile applications such as mobile banking. Strong authentication can thus be built into standalone mobile apps or PC applications.
Regulatory Compliance
Regulatory requirements are pressuring organizations to adopt stronger authentication methods and to secure access to data systems and applications. Static username/password identity management no longer provides enough security to authenticate users accurately. This has led to the adoption of two-factor authentication systems. Legislation from the Sarbanes-Oxley Act (SOX), guidelines from the Federal Financial Institutions Examination Council (FFIEC), and recommendations from the Health Insurance Portability and Accountability Act (HIPAA) all require that organizations use stronger forms of authentication to mitigate data theft, prevent fraud, and protect customer information and patient privacy. SolidPass helps organizations and enterprises comply with regulatory regimes that cover authorization rules and auditing protocols.
In addition to non-compliance, organizations that continue to use static usernames/passwords face numerous problems, ranging from brute-force attacks and dictionary attacks to password guessing and social engineering.
For the banking industry, 2FA tokens are quickly becoming a mandatory offering for online and mobile banking:
- FFIEC Guidance on 2FA
- PCI Data Security Standards
- FACTA Identity Theft Red Flags
The SolidPass event-based security token can be used to prevent the following:
- Phishing Attacks
- Pharming Attacks
- Man-In-The-Middle Attacks
- DNS Cache Poisoning Attacks
- Trojan Attacks
- Man-In-The-Phone Attacks
- Browser Poisoning Attacks
OATH Compliant Event-based Tokens
As a member of the Initiative for Open Authentication, SolidPass builds its tokens to be OATH compliant. The event-based SolidPass token uses the standards-based HOTP algorithm endorsed by OATH, providing compatibility with third-party software.
SolidPass integrates easily into existing IT back-ends and supports various architectures:
- RADIUS Server Support
- LDAP support
- SOAP/Webservices
- Microsoft IAG 2007 SSL VPN
- BlackBerry Enterprise Server (BES) support
- Citrix Secure Access Gateway
- Cisco VPN
- SOA architecture
Server OS independent
The authentication server is OS independent and supports Linux (tested on most distributions, including Red Hat, Ubuntu and Novell SUSE), Microsoft Windows Server (NT, 2003, XP), Sun Solaris, and all operating systems that support enterprise Java.
Custom Branded Security Tokens for Financial Institutions and Enterprises
Custom branding is an available option for SolidPass security tokens. This is especially useful for banks and large corporations.
Industries and verticals that the SolidPass event-based security token is appropriate for:
- Banking/Finance
- Healthcare
- Public Sector
- Homeland Security
- Professional Services
- Corporate Security
- Cloud Computing Security
Solutions that the event-based SolidPass is appropriate for include:
- Online Banking Security
- Mobile Banking Security
- E-Commerce Security
- VPN Access Security
- Network Access Security
- Identity Management
- Embedded Token
- Mobile Authentication
- Software-as-a-Service (SaaS)