Open Specification for Validating One-Time Passwords Released

RSA Laboratories, the research center of RSA Security Inc., today announced the release of a sixth specification related to the integration of one-time passwords with enterprise applications and infrastructure, as well as consumer technology applications. The new specification -- OTP-ValidationService -- is the latest installment of the One-Time Password Specifications (OTPS) initiative, launched in February 2005, which aims to address organizations' needs to more broadly leverage one-time password (OTP)-based solutions. OTPS also provides a framework for companies to easily and cost-effectively integrate one-time passwords within their technology environment.

The OTP-ValidationService specification -- available for public review and comment -- will help standardize the process of validating an OTP credential. This, in turn, will encourage vendors to support one-time passwords and enable organizations to leverage OTP-based solutions more broadly. More specifically, OTP-ValidationService defines an XML request/response protocol intended for use by relying parties that receive OTP authentication data to make queries to validation services to determine whether the received data successfully demonstrates a user's authenticity.

"The OTPS initiative will help enhance customers' ability to integrate one-time passwords with various technology systems and applications, which will also help to protect companies' existing investments in OTP-based solutions," said Burt Kaliski, chief scientist, RSA Laboratories. "By focusing on standardizing the integration of all types of one-time passwords, we hope to foster continued OTP innovation and promote algorithm agility. This helps to ensure customers' technology systems are flexible, maintain security and adapt to changing requirements over the long term."

Open Workshop Scheduled for May 2005

As part of the industry collaboration around OTPS, RSA Laboratories will be hosting an open technical workshop May 24-25, 2005 in Burlingame, California. This meeting will provide members of the technical community with an opportunity to review the OTPS documents, provide feedback and discuss technical details related to the specifications. This technical meeting is open to all interested parties. Further information may be obtained by visiting http://www.rsasecurity.com/rsalabs/otps.

About One-Time Password Specifications

OTPS is an open, industry-wide initiative, which aims to standardize the integration of various OTP methods -- e.g., event synchronous, time synchronous, and challenge response -- into enterprise applications and infrastructure, as well as consumer technology applications. OTPS focuses on provisioning token secrets, retrieving one-time-passwords from tokens, transporting them to applications and authentication servers, and validating one-time passwords. Because the OTPS framework is OTP-method independent, the specifications are intended to operate with any OTP algorithm. The OTPS initiative is open to all interested parties; there are no membership requirements or other agreements required to participate. More information and draft specifications are available online.