RSA Security Releases One-Time Password Specs

Will international standards for one-time password technologies be the catalyst for deployment and adoption of stronger authentication in enterprise applications? RSA Security believes it will.

SAN FRANCISCO—Looking to kick-start corporate adoption of OTP (one-time password) technologies, RSA Security on Wednesday announced plans to release six open specifications for public review and consultation.

The company used the backdrop of its RSA Security 2005 conference here to spell out plans to submit the specifications to the IETF (Internet Engineering Task Force) and OASIS (Organization for the Advancement of Structured Information Standards).

According to Jason Lewis, vice president of product marketing at RSA Security Inc., the creation of international standards around one-time password technologies is key to jump-starting deployment of strong authentication into enterprise applications.

"These specs cover the whole lifecycle of creating one-time password credentials. They cover password provisioning through the retrieval, transport and validation process," Lewis said in an interview with

The absence of industry standards has limited the use of OTP technology in corporate settings. Typically, OTP technology is used to generate a series of passwords to log on to a specific system. Passwords generated can only be used once because the log-in mechanism will always expect a new one-time password at the next logon. This, according to security experts, eliminates the possibility of replay attacks.

According to Lewis, the creation of international standards will make it easier to integrate OTP technology into a variety of business applications.

Technical details of the first five open specifications have been posted online and Lewis said RSA Security plans to further develop the specs through mailing list discussions and industry-wide workshops.


Click here

to read the article: TriCipher Ships Multipart Authentication System.

Software vendors supporting the initiative include Microsoft Corp., Adobe Systems Inc., Check Point Software Technologies, Juniper Networks Inc. and Cisco Systems Inc.

Lewis said the release of the specifications build on RSA Securitys pioneering work in setting industry-wide standards like the PKCS (Public Key Cryptography Standards), SAML (Security Assertion Markup Language) and Web Services Security: SOAP Message Security.

In the past, OTP password technologies have been limited to end-user devices (tokens) that are not connected to the network or to a client. While that approach has gained traction in some businesses, Lewis said enterprises are interested in supporting OTP tokens in connected environments.

Several of the new OTP specifications are focused on support for connected tokens, while others are relevant to both connected and disconnected tokens.


Check out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at Security Center Editor Larry Seltzers Weblog.