One-Time Password (OTP)
RapidIdentity MFA provides support for OTP with tokens, cards, and smartphone applications available for free download from the Apple App Store, Google Play, and Windows Phone Store. The solution supports standard OTP and push notification, with optional Apple TouchID support. The solution is based on the OATH TOTP (time-based) algorithm. Identity Automation supports OTP devices from third-party vendors that implement OATH TOTP and HOTP. Identity Automation provides a turn-key OTP solution that includes the OTP device (physical or soft token), a management system, and a RADIUS server.
How OTP works with RapidIdentity MFA
A one-time password (OTP) is a password that is valid for only one login session or transaction. OTPs avoid a number of shortcomings associated with traditional (static) passwords. The most important shortcoming addressed by OTPs is that, in contrast to static passwords, they are not vulnerable to replay attacks: a potential intruder who manages to record an OTP that was already used to log into a service or to conduct a transaction will not be able to abuse it, since it is no longer valid. On the downside, OTPs are difficult for users to memorize, so they require additional technology to work, such as a token or an application. OTPs are in common use throughout the world for remote access and are considered one of the stronger forms of authentication; many organizations consider OTP when supporting remote users.
RapidIdentity MFA manages the lifecycle of OTP token seeds that are assigned to users; the token seeds are then associated with the user and a specific device, such as a token or mobile phone application. The common workflow for OTP is for the user to enter a six-digit code in conjunction with their username and an associated PIN. The codes are routinely entered in websites or VPN applications. The codes are generated on tokens or from within an application. Once validated, the user is permitted access to the application or website. RapidIdentity MFA does not support Windows or Shared Workstation logon with OTP.
With RapidIdentity MFA Ping Me the user does not need to copy the OTP code; they simply enter their username and optional password into a website, a VPN, or the Windows logon prompt. Once the username and optional password are verified, RapidIdentity MFA Ping Me sends a push notification to the user's mobile device. The user reviews the information and chooses to approve or disapprove the logon request. RapidIdentity MFA Ping Me is integrated with Apple TouchID for simple out-of-band biometric authentication.