A one-time password (OTP) is used in addition to a static PIN to form the two factors of two-factor authentication. An OTP is typically generated by a token in the user's possession, and it generally has a time to live (TTL) of a single use or a limited period of time.
Celestix HOTPin is based on IETF RFC 4226.
HOTPin users authenticate themselves to the system by proving that they possess a shared secret. This shared secret is the key used in the HOTP algorithm: a 128-bit random number generated by the server when a client token is created and downloaded to the client software application when the client is provisioned. Only the server and the client software know the key, and keys are unique among all registered users, so proving possession of the key is equivalent to proving that you are the user assigned to that key. The key itself is never divulged, even to the user or the server system administrator; what the user proves is that they possess the key, not that they know the key's value.
The authentication trick is that you must prove that you have a shared secret without transmitting the secret itself across the network. HOTPin does this by using the secret key to compute a keyed hash of a counter (HMAC-SHA-1, as RFC 4226 specifies). The result is a block of apparently random bits. The HOTP algorithm extracts some of these bits and creates a unique one-time password (OTP). It is this OTP that is transmitted across the network to prove that the user possesses the shared secret. The server also knows the key and the counter value, so it can generate the same OTP. If the server and client both generate the same OTP value, then they must share the same key and counter.
No: once the client software is provisioned with a key, it operates autonomously and does not communicate with the server. To log in using HOTPin, the user starts the client application and generates an OTP, then copies the OTP manually into the login portal page along with a personal identification number (PIN). The two factors of the authentication are the PIN and the OTP, which proves that the user possesses the HOTPin key.
HOTPin consists of two components, the server and the tokens. The server-side deployment consists of either a purpose-built appliance or a software version that can be deployed on Windows Server 2008 R2.
HOTPin provides organizations the ability to select from the broadest range of token form factors. These are listed as follows.
In client mode HOTPin generates an OTP via a soft token that can be installed and run on all major smart device, tablet and PC end points.
In clientless mode, HOTPin leverages the GSM network to issue an OTP as a text message sent to the user. This option provides true out-of-band (OOB) authentication. The system is capable of issuing OTPs in advance, which can be stored on the device for subsequent use even if the user is out of network coverage.
In hardware mode, HOTPin offers a physical, event-based token that generates an OTP when initiated by the user.
The HOTPin server can import and synchronize users with and from Active Directory. In addition, HOTPin allows for the administration of a local user repository, independent from AD.
HOTPin and SecurID both meet the need for two-factor authentication, but they do it in different ways.
HOTPin is an event-based solution, meaning that the user has to initiate an OTP each time they wish to authenticate. With SecurID the token is always on and generates a new OTP every sixty seconds. This causes three potential issues.
HOTPin addresses these key concerns. By providing the ability to deploy both soft tokens and leverage the GSM network for OTP delivery, there is no need to deploy hardware tokens. This reduces initial costs of procurement and provisioning to users in the field. Ongoing costs are reduced because HOTPin does not rely on hardware tokens with a finite battery lifespan.
HOTPin is an event-based solution and so can still fall out of synchronization with the server. However, the system allows for a customizable grace period to accommodate such instances. In addition, a self-service portal is available as standard to allow for user resetting and account management.
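As an added example (not Celestix code and not a description of HOTPin's internals), the following Python shows both mechanisms described on this page: the client derives an OTP from the shared key and a counter exactly as RFC 4226 specifies (HMAC-SHA-1 over the counter, then dynamic truncation), and the server verifies it by searching a small look-ahead window of counter values, which is one way an event-based server can tolerate the desynchronization a grace period is meant to cover. The HotpServerRecord class, the window size and the 128-bit key generation are assumptions; the test vectors are the ones published in RFC 4226 Appendix D.

```python
import hashlib
import hmac
import secrets
import struct


def generate_key() -> bytes:
    """Provision a fresh 128-bit (16-byte) random shared key (assumption:
    HOTPin's key format is not documented beyond '128 bit random number')."""
    return secrets.token_bytes(16)


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP value for one counter step."""
    # Counter is an 8-byte big-endian integer; the key never leaves this function.
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    # Dynamic truncation: low 4 bits of the last byte choose a 4-byte window.
    offset = mac[-1] & 0x0F
    code = (
        (mac[offset] & 0x7F) << 24      # mask the sign bit -> 31-bit integer
        | mac[offset + 1] << 16
        | mac[offset + 2] << 8
        | mac[offset + 3]
    )
    return str(code % (10 ** digits)).zfill(digits)


class HotpServerRecord:
    """Server-side state for one registered token (constructed example).

    The server stores the same key and the next counter value it expects.
    Because an event-based client may generate OTPs that are never submitted,
    the server checks a look-ahead window (RFC 4226 section 7.4 calls the
    parameter s) and resynchronizes its counter when a later value matches.
    """

    def __init__(self, key: bytes, look_ahead: int = 10):
        self.key = key
        self.counter = 0            # next counter value the server expects
        self.look_ahead = look_ahead

    def verify(self, otp: str) -> bool:
        """Accept an OTP if it matches counter..counter+look_ahead, then move
        the counter past it so the same value can never be accepted again."""
        for c in range(self.counter, self.counter + self.look_ahead + 1):
            if hmac.compare_digest(hotp(self.key, c), otp):
                self.counter = c + 1
                return True
        return False


class HotpClientToken:
    """Soft-token side (constructed example): holds the key and its own counter,
    and never talks to the server after provisioning."""

    def __init__(self, key: bytes):
        self.key = key
        self.counter = 0

    def next_otp(self) -> str:
        otp = hotp(self.key, self.counter)
        self.counter += 1
        return otp


if __name__ == "__main__":
    key = generate_key()
    token = HotpClientToken(key)
    server = HotpServerRecord(key, look_ahead=3)
    first = token.next_otp()
    print("first OTP accepted:", server.verify(first))      # True
    print("replay of same OTP:", server.verify(first))      # False
    token.next_otp()                                        # generated, never sent
    print("resync after a skipped value:", server.verify(token.next_otp()))  # True
```

The server compares with hmac.compare_digest so that a wrong guess takes the same time as a near-miss, and it advances the counter only on success, so a value that was accepted once is rejected on replay. A larger look-ahead window is more forgiving of skipped values but gives an attacker more valid codes per attempt, which is why the window (the product's grace period) should be kept small and paired with attempt throttling.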
HOTPin can prevent unauthorized users from generating an OTP by requiring a PIN before the soft token presents the OTP on screen. An added benefit of running HOTPin as a soft token is that users typically realize quickly if they have lost their device. This allows a more rapid response to a lost token and so reduces any window of vulnerability.
RSA stores the seed and device serial numbers in a master database. In the event of a breach as happened in March 2011, an attacker might gain access to the database allowing them to masquerade as a legitimate user because they hold both the user ID and the algorithm for generating the OTP.
It is possible to integrate any OATH-compliant, event-based token with the HOTPin server. This requires importing the hardware token's PSKC files into HOTPin. In this case HOTPin is able to operate as the primary authentication server for both HOTPin and non-HOTPin authentication requests.
Celestix does not recommend convenience over security, but we do recognize the need for some organizations to offer a simplified login experience for certain user types. To that end, HOTPin offers a virtual keyboard option that can be integrated with the remote access gateway. This solution allows the user to input their PIN into an on-screen keypad and so removes the need to carry a distinct token of any type.
HOTPin server includes an embedded RADIUS server, allowing for simple integration with any RADIUS-based access or perimeter technology. Celestix has published integration guides for all major gateway solutions. If the gateway solution is Microsoft UAG 2010, then HOTPin includes an agent that can be installed on UAG to provide an even easier integration process. In addition, the HOTPin agent for UAG also supports web SSO for seamless login to Outlook Web Access and other Microsoft applications.
HOTPin authentication server is available at a fixed price and requires the procurement of an annual maintenance fee.
User licensing is per registered user and is enforced on the server. One major benefit of HOTPin is that the per-license price is fixed, regardless of the token form factor. For instance, the hardware token is priced the same as the soft token. This addresses a key issue in the authentication market, which is the complexity of pricing for various token types.
HOTPin licenses are available on a renewable basis for terms of 1, 2 and 3 years.
User licensing is for registered users. This is equivalent to the total number of entries in the user database on the HOTPin server.
Yes, so long as the total number of registered users does not exceed the number of licensed users, registered users can be added or deleted at will. In addition, it is possible to switch between soft token and clientless token providers for a registered user without incurring additional cost.
How will user licensing be enforced? Is there something on the HOTPin server that will "stop authenticating" when the customer's term expires?
Yes, there is a license key file that encodes the number of users and the expiration date.
Yes, the End User Software License Agreement for HOTPin stipulates that users must make their systems available for audit upon request.
HOTPin can be downloaded via www.celestix.com
There are two primary options: a 100-user 30-day trial license and a 25-user license valid for 12 months.
Customers wishing to evaluate the product should select the first option.
Customers who wish to use the product for a longer duration or for a small user base are welcome to use the 25-user license. This license is free of charge for the first year only, and use becomes chargeable at the anniversary date.
For assistance during the evaluation process please contact firstname.lastname@example.org
The same conditions apply to channel partners and prospective customers.
Yes, customers can add on to the number of users licensed for HOTPin at any time. The additional users will be pro-rated so that all licenses have the same renewal date.
Customers deploying v3.5 who have a valid support contract will be entitled to receive all updates to v3.5 for the duration of its lifetime. Upgrades between major releases of the product are not included and will require an upgrade fee.
How does high availability/failover work with HOTPin?
HOTPin supports active/passive high availability. All user data is continuously replicated to a second instance of HOTPin (if purchased). The databases on both servers replicate continuously; however, the failover process requires administrative intervention.
Celestix does not recommend any specific SMS gateway provider. It is possible to integrate hardware SMS modems with HOTPin server; however, most organizations will use a web gateway for issuing SMS. Both options are supported by HOTPin.
HOTPin has extensive user documentation. Client software includes contextual help.
HOTPin server includes online help, an installation guide and a quick start guide.
Supporting documentation can be found on the support pages of www.celestix.com
Switching between client and clientless modes of operation can be performed by the system administrator or, alternatively, completed by the user through the self-service portal. There is no impact on licensing or cost if a user switches between soft token and clientless options. If a user needs to switch to a hardware token, this is a chargeable option.
None, other than the cost associated with having a service provider to send out SMS messages.