November 8, 2005

Liberty working on two-factor authentication standards

The Liberty Alliance Project standards movement has formed a working group to look at standards in the two-factor authentication space, a move especially relevant given recent security mandates in the US banking space.

By CBR Staff Writer

The new Strong Authentication Expert Group will develop an Identity Strong Authentication Framework, ID-SAFE, to address the business uses of two-factor authentication and then the technologies to address those challenges.

Roger Sullivan, Oracle Corp vice president and Liberty board member, said that defining business challenges comes first, and then the organization will look to incorporate existing standards that meet those needs before working on its own specs.

“If I’m in a relationship with two parties and I strongly authenticate to one party, then my credentials are passed to the second party, but something goes wrong along the way, who is responsible for that?” Sullivan said by way of an example of a business challenge.

Sullivan said that while the SAEG was formed three weeks ago at a Liberty meeting in Singapore, the organization has been thinking about these problems for some time. It was not a knee-jerk response to recent federal banking guidelines.

In October, the US Federal Financial Institutions Examination Council issued a mandate for online banks to require two-factor authentication for high-risk transactions by the end of next year, saying single-factor username/password authentication is inadequate.

One of the challenges for Liberty’s new SAEG is to figure out the best ways for banks to meet these regulations without creating too much of a burden on customers. Requiring USB tokens will turn off customers with older PCs without USB ports, for example.

“If you create too-high barriers for customers you’ll turn them away at the door because it’s too hard to do business with them,” Sullivan said.


The new group comprises Liberty members American Express, Axalto, BMC, Diversinet, Falkin Systems, Financial Services Technology Consortium, HP, Intel, Kantega, NEC, NTT, Oracle, RSA, US Department of Defense, Vodafone, VeriSign and Wave Systems.

“We’ll be in close coordination with other standards groups, so we are not redundant,” said Sullivan. Liberty’s earlier work with federated identity cross-pollinated heavily with the SAML work going on in OASIS, he said.

Liberty has set itself a fairly aggressive timeframe, with a draft spec planned for publication mid-2006.

RSA and VeriSign, the two major one-time password token vendors in the group, both said that the SAEG’s work will be complementary to their own standardization initiatives.

VeriSign’s two-year-old Initiative for Open Authentication, for example, promises a reference architecture for strong authentication across all devices and networks and, according to director of product management Kevin Trilli, could work with SAEG.

RSA’s One-Time Password Specifications, published earlier this year, could also prove useful to the Liberty initiative, according to Shannon Kellog, director of government affairs at the company.

RSA has published six OTP specs, the most recent of which, OTP-ValidationService, provides a way for applications to talk to authentication servers when users log in, based on the protocol used in RSA’s Authentication Manager server.

Both RSA and VeriSign are targeting consumer banking with their next waves of authentication systems, and the chief executives of both companies have made references this year to an authentication network that could be likened to an ATM network.

Sullivan said that’s a good analogy, but said that rather than ATM networks plugging into Visa or Mastercard’s authentication systems, a hypothetical new authentication system would be more federated and decentralized.

He suggested a federation framework where users can opt-in to a federated relationship between their primary service provider [a bank maybe] and a secondary service provider [a stockbroker, perhaps].
