Tech Road Map: One Token To Rule Them All - InformationWeek

InformationWeek is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

04:30 PM

Tech Road Map: One Token To Rule Them All

OATH seeks to eliminate the cost and hassle of strong authentication.

We've long known that multifactor authentication provides stronger security over simple passwords, but a limited number of options, cost, interoperability issues, and the dread that IT pros feel at the idea of issuing users multiple tokens have put a damper on deployment. With its recently released Reference Architecture 2.0, the Initiative for Open Authentication, or OATH, hopes to allay these misgivings with an open standard to bring strong authentication to applications and services.

The operative word here is "standard." Systems based on OATH's architecture allow for interoperability among user tokens and a variety of services requiring authentication. The ultimate goal: a single token compatible with any number of services from different providers. This is a fantastic idea, but it's currently possible only in a limited way. Because the current token implementation is event-triggered, if a token is used with unconnected services, the event count for those services will not match the state of the token, causing authentication to fail. The only way to make the system work is for all services to use the same validation back end, thereby keeping token state consistent. One such service is VeriSign's Verified Identity Protection, or VIP. Charles Schwab and eBay are two high-profile users; customers need only a single token to authenticate to these and other VIP-managed online services.

A standard for interoperable, strong authentication focusing initially on one-time passwords, with the goal to make secure authentication less expensive and ultimately pervasive.

Most industry notables--AOL, Entrust, IBM, and VeriSign--and many lesser-known authentication specialists. Conspicuously absent is market leader EMC/RSA, which favors its proprietary SecurID.

Online service providers, especially financial services firms, are eager to beef up security in light of federal guidelines that encourage use of two-factor authentication. A standards-based approach that lowers costs and speeds implementation is attractive, and OATH seems to fit the bill. But the big question is whether tokens can really solve the problem of online fraud.

For every open standard there are proprietary alternatives, and strong authentication is no exception. While RSA has been the closed-system market leader for quite a while, the multifactor authentication space is getting crowded. Entries include WiKID, which uses a mobile phone-based software token, and PhoneFactor, which sends an authentication code to users' phones. Still, this is one area where the open alternative has a real shot. OATH's membership list is large and varied. Besides VeriSign, the latest spec is integrated into products from AOL, BMC, Citrix, Entrust, Hewlett-Packard, IBM/Tivoli, Imprivata, SanDisk, and many more.


Single-factor authentication using passwords is weak. One-time passwords improve the situation by generating a new password for each use. This was originally done by printing out a list of complex passwords and crossing off each as it's used. A difficult system at best, at worst a productivity killer for users who run out of passwords. Token-based systems improved on the process by using a key-fob electronic device to display the next needed password on an LCD screen. Problem is, these systems were somewhat pricey to deploy because a limited number of proprietary systems dominated the market. As a result of the interoperability inherent in the OATH open standard, however, we've seen vendors develop a swell of token options, including credit card-size tokens; USB-connected tokens; even purely software-based key generators that can run on mobile phones, eliminating the need to even carry a separate gizmo.

There are two ways to generate one-time passwords. The first is event-based, where the password changes each time one is used, as with the printed password list; the other produces a new password on a fixed schedule, which is how EMC/RSA SecurID tokens work. While it's not clear that one method is inherently better, an event-based password rotation is simpler and less expensive to implement. Time-based tokens must have fairly accurate clocks to change the password at the same time the server does, whereas event-triggered tokens need only process an algorithm each time the button is pressed to display the next password in the sequence. This means event-triggered tokens can also be smaller and last much longer, since they need to be powered only when used.

We welcome your comments on this topic on our social media channels, or [contact us directly] with questions about the site.
1 of 2
Comment  | 
Print  | 
More Insights
State of the Cloud
State of the Cloud
Cloud has drastically changed how IT organizations consume and deploy services in the digital age. This research report will delve into public, private and hybrid cloud adoption trends, with a special focus on infrastructure as a service and its role in the enterprise. Find out the challenges organizations are experiencing, and the technologies and strategies they are using to manage and mitigate those challenges today.
IBM Puts Red Hat OpenShift to Work on Sports Data at US Open
Joao-Pierre S. Ruth, Senior Writer,  8/30/2019
IT Careers: 10 Places to Look for Great Developers
Cynthia Harvey, Freelance Journalist, InformationWeek,  9/4/2019
Cloud 2.0: A New Era for Public Cloud
Crystal Bedell, Technology Writer,  9/1/2019
Register for InformationWeek Newsletters
Current Issue
Data Science and AI in the Fast Lane
This IT Trend Report will help you gain insight into how quickly and dramatically data science is influencing how enterprises are managed and where they will derive business success. Read the report today!
White Papers
Twitter Feed
Sponsored Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.
Sponsored Video
Flash Poll