Industry coalition plans interoperability program
Initiative looks toward certification plan
- By William Jackson
- Mar 04, 2010
SAN FRANCISCO — The Initiative for Open Authentication, an industry coalition promoting the use of open standards for interoperable strong authentication, used its annual meeting at this week’s RSA Security Conference to discuss plans for an interoperability certification program. The group, usually called OATH, considers interoperability one of its key focuses, said Don Malloy, the institute's marketing chief and director of business development for Nagra ID Security SA.
The coalition has been working on the program for about six months and expects to launch it in another six, and will be restricted to members of the institute. Common architectures and specifications do not necessarily mean that implementations by different vendors will work with each other, and the goal of the program is to ensure that any back-end authentication system will be able to work with any of the institute's schemes or algorithms.
The institute was organized five years ago to make the use of strong, two-factor authentication simpler and more widespread, increasing security and making it easier to conduct sensitive online transactions. It has produced a reference architecture based primarily on existing standards with a goal of making authentication schemes interoperable across networks and vendor platforms. One of the organization’s guiding principles is that open architectures rather than proprietary solutions are required for the widespread adoption of a technology.
Strong authentication usually involves the use of an additional factor, such as a physical token, digital certificate or biometric template, in combination with the user name and password typically required to verify the identity of an online user. There are a number of protocols and technologies that allow this, such as Lightweight Directory Access Protocol and Remote authentication dial-in user service. But strong authentication schemes often have been complex and not interoperable, creating stovepipe applications. Governmentwide standards such as those for the Defense Department’s Common Access Card and the civilian counterpart the Personal Identity Verification card can help implement strong authentication using digital certificates in the government arena but do not address the issues of interoperability outside of the government and its contractors.
The interoperability program will address who interfaces are defined and will require the ability to import and export certificates and other attributes in the appropriate formats. It probably will rely primarily on self-certification, with company products being selectively tested by an outside lab, Malloy said. “We will not be doing a full certification testing.”
The group’s membership includes most of the major U.S. token vendors except for RSA, and its membership varies from 65 to 70 members. Malloy said a large part of the membership growth recently has been in South America and Asia. “Many of our vendors are coming from those areas,” he said.
Adoption of the coalition’s architecture has been slow since announcement of the initial release at the RSA Security conference in 2004, and the greatest traction has come from the financial services industry, particularly in Asia and South America. That is partly because many American institutions have been reluctant to spend money on new systems during bad economic times, and because phishing and online fraud is rampant in some South American countries, said Johan Rydell of the institute and PortWise, an access control vendor.
One of the organization’s recent technical efforts is the OATH Challenge-Response Algorithm, or OCRA, an interactive scheme that requires someone trying to log in to an online system to enter a response to a challenge that the software generates. Because authentication requires the proper challenge generated from the user’s log-in, and the proper response to the challenge, it authenticates both the user and the system he or she is logging into.
Challenge-response is being widely adopted in South America but has been slow to catch on in this country, said Malloy, whose company makes a display card with a contactless chip and a flexible touch screen that can be used for challenge-response.
“Americans love convenience and hate extra steps,” he said. “It’s an educational process. I think as time goes on it will be accepted.”
William Jackson is a Maryland-based freelance writer.