With increasing incidents of online frauds through username/password compromises and stolen/forged identity credentials – Strong authentication using multi-factor credentials is often considered as a  defensive solution for ensuring high-degree of identity assurance to accessing  Web applications. Adopting multi-factor credentials based authentication has also become a most common security requirement for enabling access control to critical online banking transactions and to safeguard online customer information  (Mandated by FFIEC authentication guidelines). One-time Passwords using Tokens, USB dongles, Java Smartcards/SIM cards, Mobile Phones and other specialized devices has become the most simplest and effective option that can be easily adopted as the “second-factor credential (Something I have)” for strong authentication solution.   Although…and there is a myriad ways to create one-time passwords, the overwhelming developer issue is to make it to work by readily integrating it with existing applications and further enabling them for use in Web SSO and Federation scenarios.

One-time Password (OTP) Authentication using OpenSSO

The One-time password (OTP) is commonly generated on a physical device such as a token and is entered by the user at the time of authentication, once used it cannot be reused which renders it useless to anyone that may have intercepted it during the authentication process.

Sun OpenSSO Enterprise 8.x offers a ready-to-use OTP based authentication module that allows to deliver One-time passwords via SMS (on Mobile phones) and Personal email or combination of both. OpenSSO implements Hashed Message Authentication Code (HMAC) based One-time password (HOTP) algorithm as defined in RFC 4226 – an IETF – OATH (Open Authentication) joint initiative. The HOTP is based on HMAC-SHA-1 algorithm – using an increasing 8-bit counter value and a static symmetric key that is known to the HOTP generator and validation service.  In a typical OpenSSO deployment, the HOTP authentication module is configured to work as part of an authentication chain that includes a first-factor authentication (ex. Username/Password authentication with LDAP, Datastore). This means that atleast one of the existing authentication must be performed successful before commencing HOTP authentication.

Try it yourself

To deploy OTP for Web SSO authentication, all you would need is to have OpenSSO Enterprise 8.x and configured up and running…. and then follow these steps:

1. Login to OpenSSO Administrator console, select the “Access Control” tab, select your default “Realm”, select “Authentication”. Click on “Module Instances” and click on “New” to create a Module instance. Assign a name to the module instance (ex. HOTP) and select “HOTP” as type.
2. Configure the HOTP authentication module properties.  You need to identify the values for Authentication Level, SMTP Server (Access credentials including host name, port, username, password), One-time password validity length (Maximun validity time valid since creation and before OTP expires), One-time Password length (6 or 8 digits), One-time Password Delivery (“SMS” or “Email” or “Both” to receive SMS and Email).
   • 

     Configuring HOTP Authentication Module Properties

      

3. Configure an Authentication Chain that includes HOTP authentication module with any other authentication module (ex. Datastore, LDAP). You may note HOTP authentication cannot act as primary authentication since it HOTP authentication does not identify the user profile, so it must be combined with an authentication module that identifies the calling user identity. To create an authentication chain… goto the OpenSSO administrator console, select “Access Control”, Goto “Authentication Chaining”, click on “New”, assign a name to the authentication chain (ex. Two-factor”) and the choose “HOTP” module instance and select “Required”.
   • 

     Configuring the Two-factor authentication chain including HOTP

      

4. Now the OpenSSO One-time Authentication Module is ready for use as par of “Two-factor” authentication chain.
5. Create an User Profile that identifies the user’s “Telephone Number” attribute with the Mobile Phone Number appended with the SMS Gateway domain.
   • For example:
     • AT&T (USA) :  YourPhoneNumber@txt.att.net  (178199931234@txt.att.net)
     • SprintPCS   :   YourPhoneNumber@messaging.sprintpcs.com
     • T-Mobile  :     YourPhoneNumber@tmomail.net
     • Virgin Mobile:  YourPhoneNumber@vmobl.com
     • Verizon: YourPhoneNumber@vtext.com
     • Metro PCS: YourPhoneNumber@MyMetroPcs.com
     • For a complete list of Email to SMS Gateways refer to: http://www.mutube.com/projects/open-email-to-sms/gateway-list/
6.  Test drive the configured One-time Password based SSO authentication, by accessing the URL of the configured “Two-factor” authentication chain as follows:
   • http://openssoserver:port/opensso/UI/Login?service=Two-factor
7. As a result, you will be prompted to perform username/password authentication and then followed by HOTP. To deliver One-Time Password, click “Request OTP Code”, the One-time password will be delivered to your Mobile via SMS and also via email (provided in your User profile).

   • 

     One-time Password based SSO

   • As verified using my Blackberry…the OTP showed up as follows:    

Adopting to One-time Pasword based authentication credentials certainly helps to defend against many illegitimate access using compromised user credentials such as Passwords, PIN and Digital certificates.  Using OpenSSO based OTP authentication is just a no-brainer… try it for yourselves, I am sure you will enjoy !