No agreement on Oath authentication

By Mark Willoughby

Computerworld |

Editor's Note: This article was first posted on Jan. 27, 2005

The Open Authentication Initiative (Oath), a vendor effort to create industry standards for stronger and cheaper authentication, is receiving mixed reviews on its first proposal for a one-time password.

Oath announced its initial effort, a hashed message authentication code (HMAC) one-time password (OTP) algorithm, in October at the Digital ID World show in Denver.

Announced at last year's RSA show in San Francisco, Oath has grown to 33 members, most of which are vendors of various types of authentication products.

Noticeably absent from Oath's membership is Bedford, Mass.-based RSA Security Inc., which dominates the marketplace for OTP systems with its SecureID tokens. RSA's absence sparked critical commentary from Dave Kearns, an industry columnist. In a Dec. 6 column, Kearns questioned Oath's ability to have an effect on the authentication market without the cooperation of RSA and other identity vendors. He also questioned the usefulness of Oath's HMAC OTP, which is intended to offer an industry-standard alternative for two-factor authentication.

"A whole bunch of people in the security community have been saying that a big source of our security problems is static passwords," said Bob Blakley, an IBM chief scientist for security and privacy and part of Oath's management team.

Two-factor authentication is viewed as a strong defense against phishing attacks, Internet fraud and identity theft. A one-time password is viewed as a stronger authentication method than a static password because the OTP changes and is almost impossible to guess. Some OTPs, such as RSA's SecurID, change with a predetermined period of time, usually minutes. Oath's OTP is a sequential OTP that changes with each usage or transaction. Using an OTP alone, or in tandem with other authentication methods, gives stronger, two-factor authentication.

Oath's initial effort to develop a standard for a cost-effective, one-time password is intended to be a "what you have" authentication method. When used with a "what you know" static password, it greatly increases the probability that the user is who he claims to be. Two-factor authentication combines a static password, known to the user but vulnerable to various hacking attempts, with another authentication method such as a smart card or an OTP password, both of which are based on what you have. Other authentication methods that can be included in a multifactor authentication solution include "what you are" (a biometric) or even "where you are" (location-based) methods.

"We're trying to get a solution to solve the one-time password problem in an open marketplace," Blakley said, to compete with what he termed an expensive and proprietary RSA SecureID OTP system.

The Yankee Group in Boston predicts that spending on authentication systems and tools will grow at a 12% annual rate from 2004 to 2008, nearly doubling from this year's $1.4 billion to $2.4 billion in 2008. RSA reported $192.8 million in sales of "authenticator product types" in 2003, comprising 74% of RSA's $260 million in revenues and a big percentage of its profits.

Some industry analysts also question Oath's usefulness. "Any group working to foster stronger authentication is good," said Gerry Gebel, an identity analyst at Burton Group in Midvale, Utah. But Oath has been too quiet, he said. "For a standards group, they're not being very forthcoming with who they are, how they're operating and what their intentions are," Gebel said.

Industry standards for authentication are unnecessary for the anticipated robust growth of federated identity networks, where "independent security domains are free to choose their own authentication policies and mechanisms," Gebel said. "The idea that we need to address this with new standards is contrary to federated identity. Federated identity is not being stalled by token authentication or authentication issues."

RSA intends to stay on the fence until it's clear that Oath has garnered strong end-user support. "RSA believes it's best to be involved with standards bodies that include the customer's voice, " said Brian Breton, a senior product marketing manager at RSA. RSA is active in standards bodies that include customers, Breton said, citing membership in the Liberty Alliance, Organization for the Advancement of Structured Information Standards Inc. (OASIS) and the IEEE. "We're continuing to evaluate the Oath initiative and to date we have not decided to join," he said.

Oath's membership will grow to include users, according to Stephen Axel, vice president of global marketing at Aladdin Knowledge Systems Ltd. in Chicago and the head of Oath's marketing committee. "Oath is in its infancy," he said. "As we expand, we absolutely will be adding users as members" as Oath shifts its focus to expanding authentication standards beyond the current body of standards represented by public key infrastructure, 802.1x and the various flavors of Extensible Authentication Protocol.

IBM's Blakley said it should take approximately 18 months for Oath's OTP standard to emerge from the IETF. Oath doesn't consider itself to be an industry standard-setting body, according to Blakley.

"There are already enough standards organizations -- W3C, OASIS, IETF -- around in the industry to get the work of standardization done. We felt we needed a community of interest to get people together to agree on the problem and craft a solution," he said.

Meanwhile, Oath is busy considering its next standards proposals. Chief among them are the implementation and management issues for the HOTP algorithm, intended to be widely deployed in tokens, smart cards and any mobile device. Some Oath members also are beginning to ship OTP products based on Oath's proposed HMAC standard, which are intended to be interoperable.

Proactive Security

Stories in this report:

Security

It’s time to break the ChatGPT habit