Sponsored By

Tech Road Map: One Token To Rule Them AllTech Road Map: One Token To Rule Them All

OATH seeks to eliminate the cost and hassle of strong authentication.

Avi Baumstein

February 7, 2008

3 Min Read


The OATH Initiative's first published standard was for Hashed Message Authentication Code (HMAC) one-time passwords; it specified the algorithm to securely generate passwords in an event-triggered manner. Since then, OATH has been busy submitting and revising standards through the Internet Engineering Task Force for other components of an authentication architecture, including key provisioning and challenge/response algorithms. It also has produced two versions of a reference architecture that lay out a framework for the rest of the infrastructure needed for secure authentication, including provisioning of new tokens, validation of multiple authentication types, authentication and authorization, and auditing.

Reference Architecture 2.0 expands on the previous version with additional detail and a host of planned new capabilities. Perhaps the most innovative is risk-based authentication. A risk module will evaluate every transaction and assign it a risk score, which is then used to choose the authentication method that will be required for that transaction. For instance, an account-balance query from a recognized computer during working hours might get a very low risk score and require a simple authentication--say, user name and password only. A large fund transfer request made during off hours from an IP address in a range previously used for fraudulent activity would seem riskier, and thus would require much stronger authentication and may require that the transaction be signed using a special cryptographic token.

Today, outsourcing the authentication back end for e-commerce and online financial sites is probably the best way for organizations to take advantage of OATH; providers such as VeriSign help companies comply with increasingly stringent government regulations and consumer expectations while avoiding gimmicks. The downside is you'll be tied to a single vendor.

IT departments looking to roll out multifactor authentication to internal users would do well to look into OATH-based offerings. While corporate choices aren't as well fleshed out as VeriSign's e-commerce program, the comprehensive OATH framework and large number of companies developing to it show the promise of an increasing number of compelling and competitively priced products over the next few years. Two OATH-based products available now are from Innovative Card Technologies and Authenex.


April 2004
IBM, Gemalto, VeriSign, and others meet to lay out a governance structure

February 2005
Nine vendors demonstrate compatibility among their OATH products at the RSA conference

December 2005
RFC 4226 "HMAC One-Time Passwords" approved as standard by IETF

June 2007
PayPal starts distributing its Security Key using OATH-based tokens and VeriSign service

September 2007
Reference Architecture 2.0 released, with authentication based on risk scoring

December 2007
Sixth revision of draft spec for OATH Challenge Response Algorithm submitted to IETF

--Avi Baumstein ([email protected]) More Strategic Security:
Stop! There Goes My Phone!

About the Author(s)

Never Miss a Beat: Get a snapshot of the issues affecting the IT industry straight to your inbox.

You May Also Like

More Insights