IQ Online
Industry & Business - Secure


13 December 2005

OATH Members Endorse Open Mutual Authentication

OATH members have submitted a challenge/response internet-draft for mutual authentication to the Internet Engineering Task Force (IETF).

The challenge/response internet-draft is a milestone on OATH's 2006 technology roadmap, published last month, and was completed ahead of schedule due to the cooperative efforts of OATH members Diversinet, PortWise and VeriSign, the organisation said.

The OATH-promoted algorithm is multi-faceted, built on values from a unique password, event trigger, static key, and challenge. This algorithm is then used to create one-time passwords and challenge-responses between two parties, such as a user and a website, resulting in mutual authentication. Mutual authentication goes beyond two-factor authentication, ensuring that both the user and the other party (e.g., website) are valid.

The algorithm is based on a shared-secret transformation using random numbers, digest, and hashing technologies. The challenge/response process requires that the server side send the client a "challenge", which the client uses along with the shared secret as the key in the transformation. The resulting number is called the "response" and is sent back to the server. Mutual authentication is especially effective for online banking and financial services applications, as it offers a mechanism to demonstrate the authenticity of an institution's website as well as to validate the user, which guards against "phishing."
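The exchange described above, run in both directions, as an added example that is not code from the OATH internet-draft or any OATH member. It assumes HMAC-SHA-256 with HOTP-style truncation as the keyed transformation and hypothetical `client`/`server` role labels; the article specifies none of these.

```python
import hashlib
import hmac
import secrets


def respond(shared_secret: bytes, role: bytes, challenge: bytes, digits: int = 8) -> str:
    """Turn a challenge into a numeric response, keyed by the shared secret.

    Assumption: HMAC-SHA-256 plus HOTP-style truncation stands in for the
    "transformation"; the article does not name the actual construction.
    """
    # Binding the responder's role into the MAC keeps a response produced in
    # one direction from being accepted as a valid response in the other.
    mac = hmac.new(shared_secret, role + b"|" + challenge, hashlib.sha256).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify(shared_secret: bytes, role: bytes, challenge: bytes, response: str) -> bool:
    """Recompute the expected response and compare in constant time."""
    expected = respond(shared_secret, role, challenge)
    return hmac.compare_digest(expected, response)


def mutual_authenticate(client_secret: bytes, server_secret: bytes):
    """Simulate both sides; returns (server_accepts_client, client_accepts_server)."""
    server_challenge = secrets.token_bytes(16)  # fresh per login, server -> client
    client_challenge = secrets.token_bytes(16)  # fresh per login, client -> server

    # Each side answers the other's challenge with its own copy of the secret.
    client_response = respond(client_secret, b"client", server_challenge)
    server_response = respond(server_secret, b"server", client_challenge)

    # Each side checks the answer it received against its own copy.
    server_ok = verify(server_secret, b"client", server_challenge, client_response)
    client_ok = verify(client_secret, b"server", client_challenge, server_response)
    return server_ok, client_ok


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # constructed sample secret
    print("genuine site:", mutual_authenticate(key, key))
    # A look-alike site does not hold the user's secret, so the client's check fails.
    print("look-alike site:", mutual_authenticate(key, secrets.token_bytes(32)))
```

The client only proceeds when its own check passes, which is the property the article credits with guarding against phishing.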

"The OATH-promoted algorithm will help protect individual users from identity attacks that lead to transaction fraud, and adheres to new guidelines recently issued by the Federal Financial Institutions Examination Council (FFIEC)," said Stu Vaeth, Chief Security Officer, Diversinet and co-chair of the OATH Technical Focus Group. "The challenge/response algorithm is a natural addition to the initial HOTP algorithm released by OATH earlier this year, and will broaden the authentication choices available to customers."

FFIEC recently released guidance to the financial services industry on risks and controls required to authenticate the identity of customers accessing Internet-based banking and financial services applications. The guidance reflects multiple legal, policy and technology issues to better protect customer information, guard against increased identity theft and fraud, and to reflect new authentication technologies available to provide risk mitigation strategies. The development of the new OATH algorithm for challenge/response addresses the mutual authentication guidance for online banking security from FFIEC.

OATH-compliant solutions are used to address security threats such as identity theft, phishing, internal security breaches and government compliance requiring a stronger level of authentication than usernames and static passwords. 

The Initiative for Open AuTHentication (OATH) is a collaboration of device, platform and application companies, and end user customers of authentication technologies. ARM is one of a number of OATH members.
