November 13, 2005

OATH steps up authentication moves

The Initiative for Open Authentication, OATH, will shortly publish its 2006 roadmap, in which it is expected to reveal plans to work on more one-time password specifications designed to drive adoption of strong authentication.

By CBR Staff Writer

The organization, set up by VeriSign Inc almost two years ago, is likely to reveal plans to work on protocols for handling password validation and the like, possibly going over ground already trodden by RSA Security Inc, which is not a member.

The move comes shortly after the Liberty Alliance Project announced it was getting into strong authentication, and a few weeks after the US financial services industry received new two-factor authentication guidelines.

The US Federal Financial Institutions Examination Council in October said that online banks have until the end of next year to implement two-factor authentication on risky transactions, to combat identity theft.

Since then, and very likely before the FFIEC announcement, there has been a scurry of activity, as vendors prepare their consumer banking product launches and industry consortia get to work on standardization.

"The FFIEC guidelines are clearly driving awareness of the challenges of strong authentication," said Wally Kowal, vice president of marketing at Diversinet and marketing spokesperson for OATH.

"It's unlikely that strong authentication will become ubiquitous unless there are open options, that it's one of the barriers to adoption," said IBM Tivoli chief scientist Bob Blakely, head of OATH's coordination committee.

The 2006 roadmap is still awaiting approval from OATH’s various member companies, but could be published soon. As such, nobody wants to get into specifics just yet.

But Blakely said one of the areas OATH is looking at is the creation of specifications for password validation protocols – the language spoken when one computer asks another if a user-entered password is correct.

This is seen as a key point in authentication architectures that could use standardization. If authentication servers speak the same language, it could increase competitiveness by allowing buyers more flexibility over which user-side components they buy.

In fact, RSA has already published such a specification as part of its own One-Time Password Specifications initiative. The OTP-ValidationService spec, published in May, was based on the protocols in RSA's own Authentication Manager software.

Blakely said that OATH members have had very productive discussions with RSA about where the two efforts may overlap, and said that OATH does not intend to reinvent the wheel if it doesn’t have to.

That said, RSA has no intention of joining OATH any time soon, according to RSA Labs chief scientist Burt Kaliski. He said: "If we thought our participation in OATH would be additive, we would have joined it."

Given that both OATH and RSA claim to be committed to openness and interoperability, and both claim that these principles will lead to a bigger market opportunity, it's not completely clear why they are not working more closely.

OATH was formed as part of VeriSign’s entry into the OTP token market, and was broadly seen as a challenge to RSA’s domination of the market, but has since swelled to about 50 corporate members from the vendor and user communities.

OATH released a sequence-based algorithm for generating one-time passwords in 2004, which has since been submitted to the IETF, and earlier this year released an architectural framework document for open authentication systems.

Neither OATH nor OTPS is a standards body. OTPS does not even have members. Rather, both intend to submit consensus specifications for development and ratification within the Internet Engineering Task Force and OASIS.

Also, Liberty, known for its work with federated identity, recently announced the formation of a Strong Authentication Expert Group to develop an Identity Strong Authentication Framework, ID-SAFE, to address the business and technology of two-factor authentication. It, too, said it did not want to duplicate work done elsewhere.
