Network Computing is part of the Informa Tech Division of Informa PLC

OATH: One Token To Rule Them All: Page 2 of 3

Single-factor authentication using passwords is weak. One-time passwords improve the situation by generating a new password for each use. This was originally done by printing out a list of complex passwords and crossing off each as it's used. A difficult system at best, at worst a productivity killer for users who run out of passwords. Token-based systems improved on the process by using a key-fob electronic device to display the next needed password on an LCD screen. Problem is, these systems were somewhat pricey to deploy because a limited number of proprietary systems dominated the market. As a result of the interoperability inherent in the OATH open standard, however, we've seen vendors develop a swell of token options, including credit card-size tokens; USB-connected tokens; even purely software-based key generators that can run on mobile phones, eliminating the need to even carry a separate gizmo.

There are two ways to generate one-time passwords. The first is event-based, where the password changes each time one is used, as with the printed password list; the other produces a new password on a fixed schedule, which is how EMC/RSA SecurID tokens work. While it's not clear that one method is inherently better, an event-based password rotation is simpler and less expensive to implement. Time-based tokens must have fairly accurate clocks to change the password at the same time the server does, whereas event-triggered tokens need only process an algorithm each time the button is pressed to display the next password in the sequence. This means event-triggered tokens can also be smaller and last much longer, since they need to be powered only when used.

TOKENS ARE JUST THE START

The OATH Initiative's first published standard was for Hash-based Message Authentication Code (HMAC) one-time passwords; it specified the algorithm for securely generating passwords in an event-triggered manner. Since then, OATH has been busy submitting and revising standards through the Internet Engineering Task Force for other components of an authentication architecture, including key provisioning and challenge/response algorithms. It has also produced two versions of a reference architecture that lay out a framework for the rest of the infrastructure needed for secure authentication, including provisioning of new tokens, validation of multiple authentication types, authentication and authorization, and auditing.
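The event-triggered HMAC one-time password scheme described here, together with the time-based variant from the previous section, as an added example that is not code from the article or from OATH's own reference implementation. The shared secret is the test key published in RFC 4226, the 30-second time step is the usual default, and the server-side look-ahead window size is an assumption.

```python
import hashlib
import hmac
import struct

# Constructed sample: the ASCII test key from RFC 4226, Appendix D.
RFC4226_TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """Event-based OTP: HMAC-SHA1 over the 8-byte big-endian counter,
    then the RFC 4226 dynamic truncation to a fixed number of digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # low nibble of the last byte picks the window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """Time-based OTP: same algorithm, but the counter is the number of
    whole time steps elapsed, so token and server must agree on the clock."""
    return hotp(secret, unix_time // step, digits)


def verify_hotp(secret: bytes, candidate: str, server_counter: int,
                look_ahead: int = 10):
    """Server-side check for an event-based token. Because the token may have
    been pressed without a login, the server tries a small window of future
    counters (look_ahead is an assumed policy value). Returns the counter the
    server must store next, or None when the code is wrong or is a replay of a
    counter that has already been consumed."""
    for c in range(server_counter, server_counter + look_ahead + 1):
        if hmac.compare_digest(hotp(secret, c), candidate):
            return c + 1  # advance past the used counter; never move backwards
    return None


if __name__ == "__main__":
    for n in range(3):
        print(n, hotp(RFC4226_TEST_SECRET, n))  # 755224, 287082, 359152
    print(totp(RFC4226_TEST_SECRET, 59))  # second time step -> counter 1
    print(verify_hotp(RFC4226_TEST_SECRET, "969429", 0))  # 4
```

The rejected replay in `verify_hotp` is the property that makes event-based tokens safe to use without a clock: a code is valid once, and only while its counter is ahead of the server's.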

Reference Architecture 2.0 expands on the previous version with additional detail and a host of planned new capabilities. Perhaps the most innovative is risk-based authentication. A risk module will evaluate every transaction and assign it a risk score, which is then used to choose the authentication method that will be required for that transaction. For instance, an account-balance query from a recognized computer during working hours might get a very low risk score and require a simple authentication--say, user name and password only. A large fund transfer request made during off hours from an IP address in a range previously used for fraudulent activity would seem riskier, and thus would require much stronger authentication and may require that the transaction be signed using a special cryptographic token.

Today, outsourcing the authentication back end for e-commerce and online financial sites is probably the best way for organizations to take advantage of OATH; providers such as VeriSign help companies comply with increasingly stringent government regulations and consumer expectations while avoiding gimmicks. The downside is you'll be tied to a single vendor.