Eliminate Passwords With OATH

Tuesday Jan 11th 2005 by Brian Livingston

Someday soon, you'll be able to forget your passwords and still access all the secure servers you use now. Our Executive Tech columnist reveals why.

Someday soon, you'll be able to forget your passwords and still access all the secure servers you use now. In fact, no one will have to remember any passwords at all.

That's the future that's quietly being developed by an important but little-known organization called OATH, the Initiative for Open Authentication.

This group — which includes such powerful high-tech players as IBM, Verisign, and the Smart Card Alliance — promises to change forever the way we use computers and networks.

Managing Passwords vs. Eliminating Passwords

In my last two columns, on Dec. 14 and 21, 2004, I described some competing approaches that offer ways to cope with the problems passwords pose:

Storing A Fistful Of Passwords. Pass2Go is a new breed of software that you install onto a USB Flash drive. The program uses a "master password" to protect all of the username/password combinations that you tell it. Then, when you're using a strange computer at an Internet café or library to access a secure server, you insert your USB device into the computer's USB port and type your "master password" to access the hidden password strings. This method is flawed, however, because you can't guarantee the public PC isn't infected with some Trojan horse that could capture your passwords.

Carrying An Authentication Device. For better security, Verisign and other companies are beginning to sell USB "keys" that don't store static passwords. Instead, the devices display a different one-time password (OTP) every time you need to log in to a distant computer. For even stronger protection, the remote server can pose to the USB device a mathematical puzzle. This process, known as challenge/response authentication, can only be satisfactorily completed by one particular USB key.

Unifying The Pieces. USB ports are very common on PCs these days, and USB Flash drives are small enough to place on a key ring or even within a wristwatch, so it wouldn't be hard to carry such a thing around with you. But what if you need to access several remote servers at different times? Many people need to log on to more than one bank account, corporate host, or brokerage firm. Will you need to lug a half-dozen USB devices with you everywhere?

To answer questions such as these, OATH issued a charter in Denver, Colo., on Oct. 26 that represents a technical commitment by its 30-some members. You may or may not like the solutions they're coming up with to render passwords obsolete, but you'll have to admit that the group's goals are breathtaking.

The Total Elimination Of Passwords

"I would like the elimination of static passwords," says Bob Blakley, the chairman of OATH's joint steering committee. "The burden of authentication is going to move off the client computer and move onto a device that is much smaller and more intimately involved with a human being. It might be a USB token, it might be a cell phone, it might be a wristwatch."

In his real job, Blakley is chief security and privacy scientist for IBM, one of OATH's founding members. He's come to believe that networks, including the Internet, can't be used securely until the establishment of two-factor authentication — the possession of some physical object that proves one's identity, along with a password or PIN.

"One [factor] is a physical thing that you'll notice if it goes missing," such as your keychain or cell phone. "And it can't do the same thing every time." That's because static passwords are too easily guessed at or eavesdropped on. By contrast, there are many pocket-sized electronic gizmos today that are smart enough to give a different, valid answer to a remote server every time.

Many Ways To Solve A Single Problem

Devices with enough memory to handle one-time passwords and challenge/response authentication methods include "smart cards" with digital circuitry and PDAs (personal digital assistants) such as Palms and Pocket PCs.

Most consumers don't carry any of those devices, however. So the focus of two-factor authentication has necessarily moved to devices that can be given out cheaply — such as $10 USB Flash drives — or tools already owned by a broad range of consumers, such as smart phones.

Stu Vaeth, chief security officer of Toronto-based development firm Diversinet, is deeply involved in creating software small enough to fit on USB keys and higher-end cell phones. As a member of an OATH technical committee, he played a role in the group's first major accomplishment: the publishing in October of a formal standard for the calculation of one-time passwords.

"The heart of it," Vaeth says, "is agreeing on an algorithm that the client and server can use."

The current version of software that Diversinet has developed to implement OATH's proposed OTP standard requires only 64 to 128 KB of disk space to install and no more than 45 KB to run, according to Vaeth. That's more storage than you find on a basic cell phone today, but it's an amount that's easily available on almost any programmable smart phone, PDA, or USB drive.

One-time passwords would be useless to any hackers who successfully eavesdropped on a computer session. As a result, OTP will probably be the first part of OATH's vision to be widely adopted to strengthen authentication. But Vaeth expects that other approaches OATH is considering will also be formally proposed to Internet standards bodies soon. Those approaches include challenge/response authentication, in which a remote server establishes a communications session to verify the physical device a user is carrying, and PKI (public key infrastructure), involving the deployment of hard-to-fake digital signatures.

Each of these schemes, OATH members believe, can be implemented in such a way that any compliant device could be used to authenticate any user. That means you wouldn't have to carry around a half-dozen googaws — just one would be enough to prove to a server that you are who you say you are.


OATH's proposals, if fully adopted, would mean big changes for end users who can now simply type in their e-mail address and their dog's name to access everything from their local bank to their corporate headquarters.

Big changes may be just the thing we need, though. Virulent hacker attacks are spreading wildly and rampant identity fraud is exploding geometrically, disrupting consumers and enterprises alike. So installing a tiny authentication program onto USB keys, cell phones, or whatever a company's employees happen to have is a small inconvenience that should be welcomed with open arms by users who never liked memorizing passwords in the first place.

For information on OATH's big plans, visit OpenAuthentication.org.

Mobile Site | Full Site
Copyright 2017 © QuinStreet Inc. All Rights Reserved