ForgeRock Blog

Two-factor authentication for mobile with OATH

Nearly all major smartphone and tablet platform vendors, such as Apple, Google, Microsoft, and Blackberry, support software tokens to provide an inexpensive yet secure way to perform two-factor authentication. The majority of these vendors leverage OATH HOTP for this service, and the fact that ForgeRock OpenAM supports OATH HOTP is a good reason to drill into this a little deeper.

Two-factor (or multi-factor) authentication is nothing new and is commonly found in various applications where the basic authentication process of providing just a password, a PIN code, or the swipe of a card isn’t enough. The purpose of multi-factor authentication is to decrease the likelihood of a user successfully presenting false credentials as evidence of their identity. The rationale goes: the more factors, the higher the probability that a user who gets through is who he or she claims to be.

In the case of two-factor authentication, the two factors are typically something the user knows (such as the classic password, and some private identity details such as mother’s maiden name or first pet’s name) and something the user has (such as an access card or a cellular phone). A third factor might be something the user is, such as biometric facial data, a fingerprint, or voice characteristics.

Now, OATH (short for Open Authentication) is a collaborative effort of various members of the IT industry to provide a reference architecture for universal strong authentication across all users and devices over all networks. OATH is open and royalty-free, for anyone to implement and use. HOTP is short for HMAC-based One Time Password. The idea behind OATH is to reduce complexity and lower the cost of ownership by allowing customers to replace proprietary security systems, which are often complex and expensive to maintain.

ForgeRock OpenAM can be configured to support OATH-based HOTP for two-factor authentication. For the technically savvy who like to try things out, there is an easy-to-follow guide to configure OpenAM in this way. As a side note, OpenAM can also support TOTP, or time-based one-time passwords. Both are standards: HOTP is described in RFC 4226 and TOTP in RFC 6238.
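To make the two RFCs concrete, here is an added example (not code from the original post, and not OpenAM's implementation) of the HOTP computation from RFC 4226, the TOTP variant from RFC 6238 that simply replaces the counter with a time step, and the server-side look-ahead window that RFC 4226 recommends so that a token pressed a few times without logging in still verifies. The secret is the 20-byte test seed from the RFCs' own test vectors, so the results can be checked against the published values.

```python
import hmac
import hashlib
import struct

# Constructed test secret: the 20-byte ASCII seed used by the test vectors
# in RFC 4226 Appendix D and RFC 6238 Appendix B (not a production key).
RFC_TEST_SEED = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP per RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation to a 31-bit integer, then reduction mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # low nibble of last byte
    code = ((mac[offset] & 0x7F) << 24           # mask sign bit
            | mac[offset + 1] << 16
            | mac[offset + 2] << 8
            | mac[offset + 3])
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """TOTP per RFC 6238: HOTP with the counter set to floor(time / step)."""
    return hotp(secret, unix_time // step, digits)


def verify_hotp(secret: bytes, submitted: str, last_counter: int, window: int = 10):
    """Server-side HOTP check with a look-ahead window (RFC 4226 section 7.2).
    The token may have been advanced without the server seeing it, so counters
    last_counter+1 .. last_counter+window are tried; anything at or below the
    stored counter is rejected, which blocks replay of an already-used code.
    Returns the new counter to persist on success, or None on failure."""
    for c in range(last_counter + 1, last_counter + 1 + window):
        if hmac.compare_digest(hotp(secret, c, len(submitted)), submitted):
            return c
    return None


if __name__ == "__main__":
    for c in range(3):
        print(f"HOTP counter {c}: {hotp(RFC_TEST_SEED, c)}")
    print("TOTP at T=59 (8 digits):", totp(RFC_TEST_SEED, 59, digits=8))
    print("verify 359152 after counter 0 ->", verify_hotp(RFC_TEST_SEED, "359152", 0))
```

The same HMAC-SHA1 core is what an OATH soft token on a phone and the validating server both run; the only shared state is the secret plus the counter (HOTP) or the clock (TOTP).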
There are a number of use cases where this added security comes in handy.

Self-service password resets

One of the most common problems users encounter is forgetting their passwords. They are then unable to log in at work or purchase goods and services. The traditional approach to addressing these issues is to leverage what are called challenge/response questions – a set of predefined or user-defined questions with answers to reset the password. In light of what people tend to share on social media sites, however, these types of questions typically introduce a weakness in the security perimeter. In fact, the U.S. Federal Financial Institutions Examination Council (FFIEC) and the U.S. Federal Deposit Insurance Corporation (FDIC) strongly caution financial organizations against adopting authentication methods that use personal information for authentication purposes. With OATH tokens, an easy second factor can be introduced, thereby mitigating some of the associated risks.

Accessing cloud applications via single sign-on

In the new and modern world without boundaries, moving freely between on-premise applications and off-premise cloud applications might lead to some sleepless nights for your company’s security experts. Introducing step-up authentication with an OATH HOTP for accessing cloud apps could act as a precaution that lets the security experts sleep better at night.

Step up or risk-based authentication

Assume that, from within an application, you are accessing sensitive information or you are logging in using an unknown pattern (for example, from a different network or a new device). Providing a second authentication factor in this case again mitigates some of the risks, and OATH is a cost-effective solution to this problem.

To conclude, we have discussed what OATH is, and some of its typical use cases. OpenAM provides the necessary capabilities to implement a cost-effective two-factor (or multi-factor) authentication process that increases user or consumer acceptance of stronger authentication. OATH allows your organization to be compliant and to follow the guidelines set out by FFIEC, FDIC, and others, while reducing the risk and implications of identity theft. It does so by offering multiple factors of authentication, allowing users and consumers to more accurately prove that they are who they claim to be.