OATH, Strong Authentication, and What it Means

If you’ve been reading up on the options for two-factor authentication, chances are you’ve come across the term “OATH-compliant” or “Based on the OATH standards”.  In this blog post I will explain in plain English what OATH means, what it stands for, and why it’s so important.

What is OATH?

The Initiative for Open Authentication (OATH) is an industry collaborative effort to develop a reference architecture, using open standards to promote the adoption of strong authentication.  The goal is to remain vendor neutral and to develop products and technologies that will decrease cost, simplify use, and increase adoption of two-factor authentication.

The OATH standard, at a basic level, describes implementation of a core set of authentication credentials.  These credentials are:

  • One-time password (OTP)-based authentication
  • Public key infrastructure (PKI)-based authentication (using X.509 v3 certificates)
  • Subscriber identity module (SIM)-based authentication (using GSM/GPRS SIM)

Why Should We Care About OATH?

The OATH standard was designed to enable strong authentication to systems, devices, and networks in a cost-efficient manner, without the need for vendor lock-in or reliance on a single vendor for all your authentication needs.  Simply put, anyone can create products and authentication services based on the OATH standard, which helps to ensure uniformity and interoperability with other products.

By using authentication systems based on the OATH standards, organizations can (and should) easily implement two-factor authentication for a wide variety of services, using common standards and in-place identity management solutions, such as Active Directory and RADIUS infrastructures.

Furthermore, because the OATH standard has been ratified in a series of IETF RFCs, organizations have the ability to examine how OATH-compliant systems are developed and implemented, provide recommendations, and determine weaknesses and strengths for their own implementations.  Contrasted with vendor-developed and closed-source solutions, which can be black box implementations and insecure, OATH systems are open for inspection.

Lastly, because OATH-based solutions can be compatible, migration between products becomes much simpler, a much larger range of devices, such as YubiKey, can be used for OTP generation, and hardware tokens can even be shared between vendors.
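The OATH one-time password algorithms are published as HOTP (RFC 4226) and TOTP (RFC 6238), so any implementation can be checked against the test vectors printed in the RFCs, which is what makes tokens and servers from different vendors interoperable. The following is an added example, not code from this post or from any vendor's product; the function names and the look-ahead window of 3 are assumptions chosen for illustration.

```python
import hashlib
import hmac
import struct

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA-1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # low nibble of the last byte selects a 4-byte window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF  # clear the sign bit
    return str(code % 10 ** digits).zfill(digits)

def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP where the counter is the number of time steps since the epoch."""
    return hotp(secret, unix_time // step, digits)

def verify_hotp(secret: bytes, submitted: str, server_counter: int,
                look_ahead: int = 3, digits: int = 6):
    """Server-side check for an event-based token.

    Tries counters server_counter .. server_counter + look_ahead, because a user
    may have pressed the token button without logging in. Returns the next counter
    value to store on success, or None on failure. Storing the returned value is
    what stops an accepted code from being replayed.
    """
    candidate = submitted.encode("utf-8")
    for counter in range(server_counter, server_counter + look_ahead + 1):
        expected = hotp(secret, counter, digits).encode("ascii")
        # Constant-time comparison: do not leak how many digits matched.
        if hmac.compare_digest(expected, candidate):
            return counter + 1
    return None

# Test vectors from RFC 4226 Appendix D (shared secret and counters 0..9).
RFC4226_SECRET = b"12345678901234567890"
RFC4226_VECTORS = ["755224", "287082", "359152", "969429", "338314",
                   "254676", "287922", "162583", "399871", "520489"]

def check_rfc_vectors() -> bool:
    """True if this implementation reproduces every published HOTP value."""
    return all(hotp(RFC4226_SECRET, i) == v for i, v in enumerate(RFC4226_VECTORS))

if __name__ == "__main__":
    print("RFC 4226 vectors reproduced:", check_rfc_vectors())
    next_counter = verify_hotp(RFC4226_SECRET, "969429", server_counter=0)
    print("accepted, next counter:", next_counter)
    print("replay accepted:", verify_hotp(RFC4226_SECRET, "969429", next_counter) is not None)
```

A production validator would also rate-limit failed attempts and keep the shared secret in protected storage, since a 6-digit code offers little resistance to unthrottled guessing.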

Where and how do we use OATH?

Two-factor authentication is most commonly applied to the areas that are most exposed to external unauthorized users, and to critical systems.

From the application side, organizations should evaluate the feasibility of adding OATH-compliant strong authentication to the following types of systems:

  • Remote Access VPN Solutions
  • Web Application Publishing Platforms, such as web reverse proxies
  • Federation Servers for Web Single Sign On (SSO)
  • Cloud based software applications

Implementing a two-factor authentication solution based on OATH does not mean that you need to replace your current directory-based authentication solution, whether it be Active Directory, OpenLDAP, or another solution.  What we recommend is strengthening the security of your applications with an additional authentication process or check.

From the user side, the goal of OATH is to make the use of user authentication, whether it be based on X.509 certificates or one-time passwords, as simple and ubiquitous as possible.  One of the foundational goals is to leverage devices that users typically have, such as a laptop or smartphone, enabling them to be used to generate an OTP without the need for the user to carry an additional token. Most implementations of OATH leverage smartphones for generation of the One-Time Passwords (OTP).

Sources:  http://www.openauthentication.org/files/download/oathPdf/AnIndustryRoadmapforOpenStrongAuthentication.pdf