As part of a plan to increase the use of strong authentication in the enterprise, RSA Security Inc. has released five specifications for various One-Time Password (OTP) methods, and plans to turn them into open standards.
OTP is considered a strong way of protecting corporate resources, but so far hasn’t seen wide adoption because of a lack of open standards. RSA’s specifications are designed to make it easier to integrate OTP protection into enterprise software — companies and vendors will potentially be able to adhere to a common standard instead of having to place their bets on a proprietary system.
“Standardization on common integration methods… ultimately benefits businesses worldwide as they adopt strong authentication throughout enterprises and in online commerce,” said Victor Chang, RSA’s vice president of technology.
OTP involves the use of a password that changes every time the resource is accessed. Today it most often involves the use of hardware devices called tokens that aren’t connected to a network or a client — the user reads the password from a display and enters it into a client. More recently companies are also using tokens connected to the client, by USB for example. RSA’s specifications relate to both the connected and disconnected approaches, and support methods including time-synchronous, event-synchronous and challenge-response.
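As an added illustration of the three token modes named above (example code written for this article, not RSA's code and not what its specifications define), the block below uses a generic HMAC-based construction: the same keyed function is driven by an event counter, a 30-second time step, or a server-supplied challenge, and the verifier side shows the drift window and replay guard a validation service needs. The secret is the RFC 4226 test-vector key; the window size and step are assumed values.

```python
import hmac
import hashlib
import struct

# Constructed sample secret: the RFC 4226 test-vector key, used only for illustration.
SECRET = b"12345678901234567890"


def hotp_value(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based OTP over a 64-bit big-endian counter (the HOTP construction, RFC 4226)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


# The three modes differ only in where the moving factor comes from.
def event_otp(secret: bytes, counter: int) -> str:         # event-synchronous: per-press counter
    return hotp_value(secret, counter)

def time_otp(secret: bytes, now: float, step: int = 30) -> str:   # time-synchronous: clock step
    return hotp_value(secret, int(now // step))

def challenge_otp(secret: bytes, challenge: int) -> str:   # challenge-response: server nonce
    return hotp_value(secret, challenge)


class Verifier:
    """Server-side validation with a small drift window and a replay guard (assumed policy)."""

    def __init__(self, secret: bytes, step: int = 30, window: int = 1):
        self.secret, self.step, self.window = secret, step, window
        self.next_counter = 0        # next event counter the server will accept

    def check_time(self, code: str, now: float) -> bool:
        t = int(now // self.step)
        return any(hmac.compare_digest(code, hotp_value(self.secret, t + d))
                   for d in range(-self.window, self.window + 1))

    def check_event(self, code: str) -> bool:
        # Look ahead a few counters to resynchronise, then advance past the used one
        # so the same code cannot be replayed.
        for c in range(self.next_counter, self.next_counter + self.window + 1):
            if hmac.compare_digest(code, hotp_value(self.secret, c)):
                self.next_counter = c + 1
                return True
        return False

    def check_challenge(self, code: str, challenge: int) -> bool:
        return hmac.compare_digest(code, hotp_value(self.secret, challenge))
```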
RSA plans to follow a process it has used in the past, when it introduced specifications for standards such as Public Key Cryptography Standards (PKCS), the company said. It is publishing the five specification documents (soon to be joined by a sixth) on its Web site for public review and feedback, and will develop the documents further through mailing list discussions and workshops, RSA said.
The specifications will be submitted to the relevant standards bodies, including the Internet Engineering Task Force (IETF) and the Organization for the Advancement of Structured Information Standards (OASIS), RSA said. One document, the EAP-POTP specification, is already being reviewed by the IETF.
The documents are designed to address the key issues related to OTP management and integration, covering the whole OTP lifecycle, including creating, storing, proving possession of and leveraging OTP credentials, RSA said. They fall into three areas: credential provisioning, credential retrieval, and transport and validation.
The specifications are designed to integrate with existing technology — the One-Time Password Web Services Security Token and OTP-Validation Service work with Web services protocols, and Protected One-Time Password (EAP-POTP) works with protocols using EAP, including PPP, 802.1X, IKEv2, RSA said.
RSA has supported the introduction of previous open standards including PKCS, Security Assertion Markup Language (SAML) and Web Services Security: SOAP Message Security. IT companies including Adobe, Check Point, Cisco and Microsoft said they would work with RSA on the specifications.