An OATH token is a secure one time password that can be used for two factor authentication. The first factor is something you know (a password, mother's maiden name, the whereabouts of Jimmy Hoffa) while the second factor is something you have (a smartphone, email address, etc.). The OATH token is sent to something you have as a one time password to increase security in authentication.
The OATH encryption algorithm is an open source standard and, as such, is widely available. EmpowerID ships with an OATH server to encrypt the OATH token while clients such as Google Authenticator are free and widely available for smart phones and tablets.
When the OATH server is combined with a sophisticated Identity & Access Management platform like EmpowerID, it opens up a wide range of uses for multi factor authentication. You don't have to broadly apply the increased level of authentication across all use cases; rather, you can choose the resources or users/roles that require enhanced security and apply two factor authentication strategically.
Since EmpowerID ships with multi-factor authentication as part of the base platform, we see a lot of use cases on how organizations apply OATH tokens.
Self service password reset - When users are locked out or forget their passwords, you need an additional means of verifying their identity. The traditional method is a series of knowledge based questions (mother's maiden name, eye color, etc). However, since most of this information can be gleaned from social media profiles, an OATH token as a second factor is almost mandatory to determine the user's identity.
Step up authentication - Once your users are already authenticated, you may want to increase the level of security based on what they are accessing. An example of this is when your user is attempting to access the financial reports for the 10K report. They have already entered their username and password, but you want to have that second factor for both security and auditing reasons when they access a resource with a higher security level.
Single sign on to cloud applications - This use case is similar to the previous step up authentication, but is more broadly applied. If you are offering single sign on (SSO) to internal applications, you might want to step up the authentication before leaving the network to access cloud applications. This extra level of authentication coupled with Federation or Web Access Management keeps your SaaS applications doubly secure and your CISO happy with precautions you are taking with the cloud.
Admin or executive accounts -I have always found it interesting that the users with the highest privileges tend to get away with the lowest security -- admins because they control security and CxOs because they sign the admins' checks. These are exactly the users who should have multi factor authentication and OATH tokens are a fairly innocuous way to deliver that security. Plus, it gives them a chance to look at their phones in meetings!
After x number of incorrect authentication attempts - This use case requires a fairly powerful workflow based IAM platform like EmpowerID that can re-route the authentication requirements based on calculations or an algorithm. This can be applied to any of the use cases above but is especially useful to prevent hacking attempts.
OATH tokens as second factor authentication are incredibly useful but it's more than just spinning up an OATH server. It needs to be integrated in with your IAM platform to be able to strategically and surgically apply its extra level of security and protection. If you roll it out en masse, you will have a user revolt. If you apply it in a way that makes sense to the users without an undue burden on them, you win and security wins.
EmpowerID's extensive and customizable visual Identity Management workflows have multiple second factor authentication shapes out of the box, allowing you to simply select a template, configure it for the use case you need and get the most out of OATH and two factor authentication.
Tags: Password management, Identity and Access Management (IAM)