{"id":1669,"date":"2010-01-18T23:01:03","date_gmt":"2010-01-19T04:01:03","guid":{"rendered":"http:\/\/www.coresecuritypatterns.com\/blogs\/?p=1669"},"modified":"2020-08-08T04:19:15","modified_gmt":"2020-08-08T04:19:15","slug":"web-sso-with-one-time-passwords-via-mobile-sms-and-email","status":"publish","type":"post","link":"https:\/\/websecuritypatterns.com\/blogs\/2010\/01\/18\/web-sso-with-one-time-passwords-via-mobile-sms-and-email\/","title":{"rendered":"Web SSO with One-time Passwords via Mobile SMS and Email"},"content":{"rendered":"

With increasing incidents of online frauds through username\/password compromises and stolen\/forged identity credentials – Strong authentication using multi-factor credentials is often considered as a  defensive solution for ensuring high-degree of identity assurance to accessing  Web applications. Adopting multi-factor credentials based authentication has also become a most common security requirement for enabling access control to critical online banking transactions and to safeguard online customer information  (Mandated by FFIEC authentication guidelines<\/a>). One-time Passwords using Tokens, USB dongles, Java Smartcards\/SIM cards, Mobile Phones and other specialized devices has become the most simplest and effective option that can be easily adopted as the “second-factor credential (Something I have)” for strong authentication solution.   Although…and there is a myriad ways to create one-time passwords, the overwhelming developer issue is to make it to work by readily integrating it with existing applications and further enabling them for use in Web SSO and Federation scenarios.<\/p>\n

One-time Password (OTP) Authentication using OpenSSO<\/h2>\n

The One-time password (OTP) is commonly generated on a physical device such as a token and is entered by the user at the time of authentication, once used it cannot be reused which renders it useless to anyone that may have intercepted it during the authentication process.<\/p>\n

Sun OpenSSO Enterprise 8.x<\/strong> offers a ready-to-use OTP based authentication module that allows to deliver One-time passwords via SMS (on Mobile phones) and Personal email<\/em><\/strong> or combination of both. OpenSSO implements Hashed Message Authentication Code (HMAC) based One-time password (HOTP)<\/strong> algorithm as defined in RFC 4226 <\/a>– an IETF – OATH (Open Authentication) joint initiative. The HOTP is based on HMAC-SHA-1 algorithm – using an increasing 8-bit counter value and a static symmetric key that is known to the HOTP generator and validation service.  In a typical OpenSSO deployment, the HOTP authentication module is configured to work as part of an authentication chain that includes a first-factor authentication (ex. Username\/Password authentication with LDAP, Datastore). This means that atleast one of the existing authentication must be performed successful before commencing HOTP authentication.<\/p>\n

Try it yourself<\/h2>\n

To deploy OTP for Web SSO authentication, all you would need is to have OpenSSO Enterprise 8.x and configured up and running…. and then follow these steps:<\/p>\n

    \n
  1. Login to OpenSSO Administrator console, select the “Access Control” tab, select your default “Realm”, select “Authentication”. Click on “Module Instances” and click on “New” to create a Module instance. Assign a name to the module instance (ex. HOTP) and select “HOTP” as type.<\/li>\n
  2. Configure the HOTP authentication module properties.  You need to identify the values for Authentication Level, SMTP Server (Access credentials including host name, port, username, password), One-time password validity length (Maximun validity time valid since creation and before OTP expires), One-time Password length (6 or 8 digits), One-time Password Delivery (“SMS” or “Email” or “Both” to receive SMS and Email).\n