torsdag 20 februari 2014

Two-factor authentication for mobile with OATH

Nearly all major vendors of smartphones and tablet platforms, such as Apple, Google, Microsoft and Blackberry, support software tokens to provide an inexpensive yet secure way to perform two-factor authentication. The majority of these vendors leverage OATH HOTP for this service, and the fact that ForgeRock OpenAM supports OATH HOTP, is a good reason to drill into this a little deeper.

Two-factor (or multi-factor authentication) is nothing new and is commonly found in various applications where the basic authentication process of providing just a password, a pin code, or the swipe of a card isn’t enough. The purpose of multi-factor authentication is to lower the probability of the user trying to authenticate to provide false credentials as evidence of his identity. The rationale goes, the more factors, the higher the probability that the user is who he or she claims to be.

In the case of two-factor authentication, the two factors are typically something the user knows (such as the classic password, and some private identity details such as mother’s maiden name or first pet’s name) and something the user has (such as an access card or a cellular phone). A third factor might be something the user is, such as biometric data of the face or fingerprint, or voice characteristics.

Now, OATH (short for Open Authentication) is a collaborative effort of various members of the IT industry to provide a reference architecture for universal strong authentication across all users and devices over all networks. OATH is open and royalty free, for anyone to implement and use. HOTP is short for HMAC based One Time Password. The idea behind OATH is to reduce complexity and lower the cost of ownership by allowing customers to replace proprietary security systems, which often are complex and expensive to maintain.

ForgeRock OpenAM can be configured to support OATH-based HOTP for two-factor authentication. For the technically savvy, who like to try things out, there is an easy to follow guide to configure OpenAM in this way. On a side note, OpenAM can also support TOTP or Time based one time passwords. Both TOTP and HOTP are standards described in RFC 4226 and RFC 6238.

There are a number of use-cases where this added security comes in handy.

  • Self-service password resets
One of the most common problems users encounter is when they forget their passwords and are unable to login to work or to purchase goods and services. The traditional approach to address these issues is to leverage what is called challenge/response questions - a set of predefined or user-defined questions with answers to reset the password. In the light of what people tend to share on social media sites these types of questions typically introduce a weakness in the security perimeter. In fact, the U.S. Federal Financial Institutions Examination Council (FFIEC) and the U.S. Federal Deposit Insurance Corporation (FDIC) strongly cautions financial organizations against adopting authentication methods that use personal information for authentication purposes. With OATH tokens, an easy second factor can be introduced, thereby mitigating some of the associated risks.

  • Accessing cloud applications via single sign-on
    In the new and modern world without boundaries, moving freely between on-premise applications and off-premise cloud applications might cause your company security experts sleepless nights. Introducing a stepped up authentication with an OATH HOTP when accessing cloud apps could be one precaution to make the security experts sleep better.

  • Step up or risk-based authentication
Assume that, from within an application, you are accessing sensitive information or you are logging in using an unknown pattern (for example, from a different network or a new device). Providing a second authentication factor in this case again mitigates some of the risks and OATH is a cost-effective solution to this problem.

To conclude, we have discussed what OATH is, and some of its typical use-cases. OpenAM provides the necessary capabilities to implement a cost effective two-factor (or multi-factor) authentication process that increases user or consumer acceptance for stronger authentication. OATH allows your organization to be compliant and to follow the guidelines set out by FFIEC, FDIC and others, while reducing the risk and implications of identity theft. It does so by offering multiple factors of authentication, allowing users and consumers to more accurately prove that they are who they claim to be.

Inga kommentarer:

Skicka en kommentar