Thursday, May 12, 2005

Multi-factor authentication

I moderated a panel at Digital ID World yesterday about strong, token-based authentication. It was billed as a "great debate" between RSA (with its proprietary one-time password (OTP) algorithm) and the work of the Initiative for Open Authentication (OATH). Much verbiage was spent on which would best drive users' (i.e., Joe Sixpack's) adoption of hardware tokens for strong authentication.

But no sooner was I back from the show than into my inbox pops a press release from VASCO announcing the launch of Digipass for Java phones. Suddenly every Java-enabled cell phone can be the equivalent of RSA's SecurID token. It's a neat play, and it doesn't require you to find a way to carry any additional hardware.

The Digipass solution uses a Java app on the phone to generate the OTP. But couldn't we get even stronger authentication (2.5 to 3 factors) by having the server call the phone and seed the OTP generator each time a new OTP is required? Or would that somehow be weaker? I'll need to think on that a bit.


I think I see what you mean by having the 'server call the phone', but I'm still somewhat confused. If the OTP is stored on the phone, the system will be insecure. These devices all have 'holes' in them and neither the PIN nor the OTP should be on them. For our product, we have the user enter the PIN into the phone, it is encrypted by the server's public key and sent to the server (with a one-time AES key). If everything checks out, the server responds with the OTP encrypted by the client's public key and the one-time AES key. The PIN is stored on the server - nothing is on the client. We use the internet connection, which I assume is what you're referring to.

If you want to make it stronger, you can occasionally generate new keys, but a better way would be to require location as a third factor. The Qualcomm BREW phones have this capability and some of the J2ME phones as well (capable and have the API available).

The big plus for WiKID, in light of identity management, is that with WiKID you can easily support multiple relations without the need for federation. The hardware/shared-secret guys want you to either carry multiple tokens or trust a third party for federation. Neither is necessary with WiKID.

The originator of the J2ME Cellular Authentication Token (CAT) is Mega AS Consulting Ltd. Their CAT does not store the OTP. It is generated on the cellular using a seed that is encrypted on the cellular or on the SIM card. The idea is to minimize communication with the host and thus minimize ongoing costs of using the CAT.

© 2003-2006 The Virtual Quill, All Rights Reserved