OATH and Liberty Alliance set goals for more secure Internet transactions
15 March, 2006
category: Corporate, Digital ID, Library
Both groups look to open algorithms to make online authentication easier and more secure
By Marisa Torrieri, Contributing Editor, AVISIAN Publications
The good thing about strong authentication is that the technology measures up to the hype. The problem is that most organizations don’t want to invest in anything beyond the minimum needed to beef up security, say manufacturers of multi-factor authentication products and the advisors helping them market their goods.
What’s slowing the sales of one-time password (OTP) technologies, soft tokens and PKI is the lack of a single, open standard for strong authentication products, says Stu Vaeth, chief security officer for Diversinet, which makes strong-authentication soft tokens for mobile devices.
Vaeth is one of a growing number of Internet security executives trying to address this problem. He serves as co-chair of the technical committee of OATH (the Initiative for Open Authentication), one of two notable organizations working to make digital transactions both more secure and less frustrating – for businesses and their customers.
OATH: Armed with new algorithms, roadmap and pushing for universal adoption
OATH doesn’t call itself a standards organization but a consortium of more than 50 companies: authentication hardware and software manufacturers, security professionals and, as of last year, financial institutions. All are collaborating to create and adopt a single, open framework for strong authentication. The organization was founded in February 2004 by IBM and VeriSign.
The organization’s goals for 2006, outlined in its latest roadmap that went on display at the RSA Security Conference in San Jose, Calif., in February, are well underway.
At the end of last year, OATH members took two strong-authentication methods to the Internet Engineering Task Force (IETF): the HOTP algorithm (HMAC-based One-Time Password, published by the IETF as RFC 4226 in December 2005) and a challenge-response algorithm that is a variant of HOTP. The two serve different applications: the first generates one-time passwords from a shared secret and a counter that both sides advance, and the second generates responses to challenges exchanged between two parties, such as a user and a Web site, so that each can verify the other. Concretely, HOTP computes an HMAC-SHA-1 over the shared secret and the current counter value and truncates the result to a short decimal code that the user types in. OATH describes the algorithm as a transformation of a shared secret using random numbers, digest and hashing technologies.
Mutual authentication means that both parties, such as a bank and its customer, verify that the other is genuine, rather than only the bank checking the customer.
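The two OATH algorithms described above, as an added example (this is not code from OATH, the IETF or this article): HOTP as specified in RFC 4226, checked against that RFC’s published test vectors, a server-side verifier with a resynchronization window, and an illustrative challenge-response round trip for mutual authentication built on the same HMAC truncation. The role tag and nonce layout used in `challenge_response` and `mutual_auth` are assumptions of this example, not the OATH challenge-response specification.

```python
"""Added example, not OATH/IETF code: RFC 4226 HOTP plus an illustrative
challenge-response round trip built on the same HMAC truncation."""
import hashlib
import hmac
import struct

# Test secret from RFC 4226 Appendix D (the ASCII string "12345678901234567890").
RFC4226_SECRET = b"12345678901234567890"


def _truncate(mac: bytes, digits: int) -> str:
    """RFC 4226 dynamic truncation: take a 4-byte window at an offset given by the
    low nibble of the last HMAC byte, clear the sign bit, reduce mod 10^digits."""
    offset = mac[-1] & 0x0F
    code = (
        (mac[offset] & 0x7F) << 24
        | mac[offset + 1] << 16
        | mac[offset + 2] << 8
        | mac[offset + 3]
    )
    return str(code % 10**digits).zfill(digits)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP(K, C) = Truncate(HMAC-SHA-1(K, C)), with C as an 8-byte big-endian int."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    return _truncate(mac, digits)


def verify_hotp(secret: bytes, code: str, expected_counter: int, look_ahead: int = 3):
    """Server-side check. The server stores the next expected counter and tries a
    small look-ahead window so a few unused token presses do not lock the user out.
    Returns the counter to store next, or None on failure. Because the stored
    counter only moves forward, a captured code cannot be replayed."""
    for c in range(expected_counter, expected_counter + look_ahead + 1):
        if hmac.compare_digest(hotp(secret, c, len(code)), code):
            return c + 1
    return None


def challenge_response(secret: bytes, role: bytes, challenge: bytes, digits: int = 6) -> str:
    """Challenge-response variant (illustration; the byte layout is an assumption of
    this example, not the OATH specification). The HMAC input is a role tag plus the
    challenge instead of a counter, so a server response can never be replayed back
    to the server as a client response."""
    mac = hmac.new(secret, role + challenge, hashlib.sha1).digest()
    return _truncate(mac, digits)


def mutual_auth(client_secret: bytes, server_secret: bytes,
                client_nonce: bytes, server_nonce: bytes):
    """One round trip. The client sends client_nonce; the server replies with
    server_nonce and its response; the client checks it (server authenticated) and
    only then sends its own response over both nonces, which the server checks
    (client authenticated). Each side computes with the secret it actually holds,
    so a phishing site without the secret fails the first check and never receives
    the client's response. In production the nonces come from os.urandom().
    Returns (server_ok, client_ok)."""
    both = client_nonce + server_nonce
    # Server -> client: proves knowledge of the secret, bound to the client's nonce.
    server_resp = challenge_response(server_secret, b"srv", both)
    server_ok = hmac.compare_digest(
        challenge_response(client_secret, b"srv", both), server_resp)
    if not server_ok:
        return False, False  # client aborts: nothing is sent to an impostor
    # Client -> server: proves knowledge of the secret, bound to the server's nonce.
    client_resp = challenge_response(client_secret, b"cli", both)
    client_ok = hmac.compare_digest(
        challenge_response(server_secret, b"cli", both), client_resp)
    return server_ok, client_ok


if __name__ == "__main__":
    for c in range(3):
        print(f"HOTP counter {c}: {hotp(RFC4226_SECRET, c)}")
    print("next counter:", verify_hotp(RFC4226_SECRET, "969429", 0))
    print("mutual auth:", mutual_auth(RFC4226_SECRET, RFC4226_SECRET,
                                      b"client-nonce", b"server-nonce"))
```

The look-ahead window in `verify_hotp` is the practical trade-off of counter-based OTP: too small and users who press the token button idly get locked out, too large and an attacker who captures one code gains a wider guessing target. The role tags in `challenge_response` are the kind of domain separation a practitioner adds so that the two directions of a mutual-authentication exchange can never be confused for one another.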
“The context of OATH is a whole authentication framework,” says Mr. Vaeth. “These algorithms are only a small part.” The overall goal is to provide a total open framework.
“I might have a token issued to me by bank X,” says Mr. Vaeth, “and that [token] might be acceptable to use with my brokerage firm, because this is an open framework.”
Once the algorithm is widely adopted, it can be built into any form of strong authentication. A bank could then offer services across multiple devices and platforms, such as PDAs, cell phones and USB devices.
“OATH was founded because we needed to change the landscape in the context of the consumers,” says VeriSign’s David Berman, who is OATH’s marketing manager. “The open, royalty-free specifications, the ability to promote embedding in all sorts of devices, and making all sorts of types of authentication available for consumers – not just institutions – that’s what’s going to drive adoption.”
Liberty Alliance: also striving for easier, more secure digital transactions
Meanwhile, another group is on the forefront of simplifying digital banking and other online applications.
The patriotic-themed Liberty Alliance, created in 2001 and now counting 150 member organizations, has the ultimate goal of making Web transactions easier and more secure for consumers. The group is focusing on promotion of its three specifications – Liberty Federation (ID-FF), Liberty Web Services (ID-WSF) and Liberty Strong Authentication (ID-SAFE). Liberty’s specifications are deployed today at a number of organizations, including American Express, AOL, Sun Microsystems, Nokia, General Motors and France Telecom.
Liberty Federation started out as an open alternative to Microsoft’s proprietary Passport initiative and is intended to work across vertical markets, says a spokesman for the organization.
A major goal for 2006 is to deploy interoperable strong authentication. Like OATH, Liberty has a technical group focused on developing a strong authentication specification for the industry. Theirs is called ID-SAFE, and is expected to be released during the fourth quarter.
“What the Liberty Alliance is trying to do is effect a network world in which businesses and people can conduct transactions securely in an Internet environment,” says Roger Sullivan, who moonlights as vice president of the Liberty Alliance Management Board when he’s not busy with his duties as vice president of business development for Oracle’s Identity Management solutions. “What that implies, under the covers, is we need to enable the sharing of identities from one to another unit.”
The sharing can involve B-to-B or B-to-C markets. The Liberty Federation spec provides single sign-on, authentication and secure movement of identity information within the federated network, a spokesman adds.
Liberty’s ideas and specs can make life easier, but ultimately the organizations using the technology must agree to cooperate and join the network before information can be shared. Thus, Liberty’s public policy group helps corporations work out the legal and privacy issues related to sharing, says a spokesman.
Such information passing already works as a viable alternative in the corporate setting, says Mr. Sullivan. In offices that deploy Liberty’s specification, employees no longer have to log into a dozen or so accounts (401K, medical insurance, dental insurance, etc.) and memorize a bunch of passwords to retrieve information.
“We have created technical specs that focus on traded identities between companies so users can access 401K within employer’s Intranet,” Mr. Sullivan says. “It’s the same in a supply chain model, where credentials are securely shared.”
The biggest difference from OATH is that Liberty doesn’t focus only on strong authentication; for Liberty it is just one component of a bigger picture. Still, Liberty supports OATH’s goal of creating an open security standard, Mr. Sullivan says.
“The real bang for the buck,” says Mr. Sullivan, “is to facilitate business-to-business transactions, to make it easier for commerce to flow on the Internet.”