Member Companies Implement OATH One-Time-Password Algorithm,
Advancing Industry Support for Open-Standards Strong Authentication
SAN FRANCISCO, RSA 2005, Feb. 14 /PRNewswire/ -- OATH, the initiative for
Open AuTHentication, today announced that eight member companies have deployed
the One-Time-Password (OTP) algorithm technology developed by OATH. The
implementations represent an important advance in OATH's goal of driving
widespread industry support and adoption for open strong authentication.
The vendors, which have implemented the OATH algorithm into their
products, being announced today include Aladdin Knowledge Systems, Axalto,
Diversinet, Gemplus, Iteon, RedCannon Security, Vasco Data Security and
VeriSign.
"OATH continues to serve as a driving force behind the implementation of
open, interoperable strong authentication. The momentum created by those
vendors deploying the OTP algorithm will beget more momentum toward achieving
OATH's vision of affordable strong authentication across all networks, devices
and applications," said Siddharth Bajaj, chair of OATH's Technology Working
Group. "As open authentication is more widely adopted, the technology will
become increasingly more affordable, enabling businesses to better protect
themselves against malicious security threats."
The vendor implementations being announced today demonstrate the breadth
of technologies using the Hashed Message Authentication Code (HMAC) OTP
standard for open strong authentication, which OATH submitted to the Internet
Engineering Task Force (IETF) in October 2004. The implementations include
the following:
-- Aladdin Knowledge Systems Ltd. -- The Aladdin eToken NG-OTP is a
versatile Hybrid device, enabling a variety of authentication and security
related solutions including PKI authentication, Static passwords and OTPs. The
eToken NG utilizes advanced and secure smartcard technology for both PKI and
OTP and is fully compliant with the OATH HMAC OTP standard.
-- Axalto Inc. -- Demonstrating OATH one-time passwords and roaming access
capabilities with Axalto's Cyberflex(TM) e-gate smart card. The solution
demonstrates the flexibility of smart cards to provide the strongest physical
security with multiple card operating systems and communication options, while
emphasizing java's ability to add applications as required. The Axalto smart
card solution can meet all the token requirements as specified in Special
Publication 800-63 by NIST on Information Security recommendations for
Electronic Authentication.
-- Diversinet Corp. -- The Diversinet MobileSecure Client makes available
an OATH-compliant OTP on RIM Blackberry, Microsoft Windows Mobile, Symbian OS,
PalmSource, and Java-based handhelds. When combined with industry standard
authentication services, Diversinet delivers mobile-optimized mass market
tokens for remote access and secure mobile applications to over 1.5 billion
mobile device users on any mobile network.
-- Gemplus Corp. -- Gemplus provides an OATH-based solution for Mobile
Network Operators, storing the algorithm on the SIM card. This means that the
handset can be used as a Hardware Secure Token to remotely activate/deactivate
the application over cellular networks. Gemplus also developed an OATH secure
token, running in both off-line and USB-connected modes, providing value added
services and security features.
-- Iteon -- The Comyt smart card software suite is comprised of a Java Card
applet, a SIM Toolkit applet for use on mobile phones and myHSM, a smart card
based HSM, to check the validity of OATH HMAC OTP and other cryptographic
algorithms on a server. Iteon offers both a single-user and OEM licensing
options.
-- RedCannon Security -- Fireball KeyPoint, the processor-based USB memory
token with a FIPS-140-2 certified encryption vault, stealth browser, secure e-
mail client, and spyware scan, will now offer complete OATH support.
KeyPoint's one-time-password (OTP) solution will be compatible with the OATH
standard and will be managed from the Fireball central-manager
-- Vasco Data Security -- VASCO's Successful Digipass GO 3 one-button
token generates OTPs and will offer compliance with the OATH HMAC OTP.
Digipass GO3 allows end-users to enter corporate accounts or to perform
banking transaction in a swift, user friendly and cost effective way.
-- VeriSign Inc. -- VeriSign has introduced two new tokens compatible for
the VeriSign Unified Authentication solution, which can be managed as
in-premise software or remotely on VeriSign's highly-scalable network. The
tokens include a simple OTP-only device as well as a hybrid OTP and PKI
credential device with secure mass storage. All the devices are OATH
compliant.
The number of vendor implementations is indicative of the speed and
ease-of-integration possible for building OATH-based OTP strong authentication
into new and existing products. All of the vendor solutions described above
are available for live demonstrations this week at the OATH Pavilion (Booth
#930) at the RSA Conference.
The OATH OTP algorithm can be implemented by any hardware manufacturer or
software developer to create interoperable authentication devices and software
agents. Furthermore, whereas most existing OTP solutions are time-based, and
thus require devices with clocks and careful time synchronization between
devices and servers, OATH's algorithm is counter-based. As a result, it can be
embedded in high volume devices such as mobile phones, Java smart cards, USB
dongles and GSM SIM cards. The counter-based design also significantly reduces
the burden on enterprises that adopt solutions using OTP.
In an effort to further spur vendor adoption of OATH-compliant strong
authentication solutions, OATH today also announced that it has made the Java
source code for the HMAC OTP algorithm available for free download on the IETF
website.
http://www.ietf.org/internet-drafts/draft-mraihi-oath-hmac-otp-02.txt
OATH was launched at the 2004 RSA Conference to address security concerns
raised by increasing Internet threats such as phishing, the expansion of
mobile computing, and frustration with the expense and complexity of
traditional, proprietary strong authentication systems. As part of an
industry-wide collaboration that now includes over 30 leading device,
platform, and application companies, OATH participants are united in three key
goals: promoting secure and safe online transactions for consumers and
business users; leveraging existing standards to create an open reference
architecture for strong authentication; and reducing the cost and complexity
of strong authentication to drive broad enterprise and consumer adoption.
In addition to technology demonstrations, OATH will be hosting a reception
at its RSA pavilion on Wednesday, February 16, at 3:00 p.m. PST. OATH
committee chairs and representatives of OATH member companies will be on hand
to meet interested parties and share information.
About the Initiative for Open AuTHentication
The Initiative for Open AuTHentication (OATH) is a collaboration of
leading device, platform and application companies. OATH participants hope to
foster use of strong authentication across networks, devices and applications.
OATH participants work collectively to facilitate standards work and build a
reference architecture for open authentication while evangelizing the benefits
of strong interoperable authentication in a networked world. OATH is actively
seeking all participants who share a common vision of open authentication. To
learn how to participate, email info@openauthentication.org or visit
http://www.openauthentication.org.
SOURCE The Initiative for Open AuTHentication
 back to top
Related links:
http://www.openauthentication.org
CONTACT:
Bill Danon of Bite Communications,
+1-310-395-2140, or bill.danon@bitepr.com, for OATH
|
