Eliminate Passwords With OATH
January 11, 2005
By Brian Livingston

Someday soon, you'll be able to forget your passwords and still access all the secure servers you use now. In fact, no one will have to remember any passwords at all.

That's the future that's quietly being developed by an important but little-known organization called OATH, the Initiative for Open Authentication.

This group — which includes such powerful high-tech players as IBM, Verisign, and the Smart Card Alliance — promises to change forever the way we use computers and networks.

Managing Passwords vs. Eliminating Passwords

In my last two columns, on Dec. 14 and 21, 2004, I described some competing approaches that offer ways to cope with the problems passwords pose:

Storing A Fistful Of Passwords. Pass2Go is a new breed of software that you install onto a USB Flash drive. The program uses a "master password" to protect all of the username/password combinations that you tell it. Then, when you're using a strange computer at an Internet café or library to access a secure server, you insert your USB device into the computer's USB port and type your "master password" to access the hidden password strings. This method is flawed, however, because you can't guarantee the public PC isn't infected with some Trojan horse that could capture your passwords.

Carrying An Authentication Device. For better security, Verisign and other companies are beginning to sell USB "keys" that don't store static passwords. Instead, the devices display a different one-time password (OTP) every time you need to log in to a distant computer. For even stronger protection, the remote server can pose to the USB device a mathematical puzzle. This process, known as challenge/response authentication, can only be satisfactorily completed by one particular USB key.

Unifying The Pieces. USB ports are very common on PCs these days, and USB Flash drives are small enough to place on a key ring or even within a wristwatch, so it wouldn't be hard to carry such a thing around with you. But what if you need to access several remote servers at different times? Many people need to log on to more than one bank account, corporate host, or brokerage firm. Will you need to lug a half-dozen USB devices with you everywhere?

To answer questions such as these, OATH issued a charter in Denver, Colo., on Oct. 26 that represents a technical commitment by its 30-some members. You may or may not like the solutions they're coming up with to render passwords obsolete, but you'll have to admit that the group's goals are breathtaking.

The Total Elimination Of Passwords

"I would like the elimination of static passwords," says Bob Blakley, the chairman of OATH's joint steering committee. "The burden of authentication is going to move off the client computer and move onto a device that is much smaller and more intimately involved with a human being. It might be a USB token, it might be a cell phone, it might be a wristwatch."

In his real job, Blakley is chief security and privacy scientist for IBM, one of OATH's founding members. He's come to believe that networks, including the Internet, can't be used securely until the establishment of two-factor authentication — the possession of some physical object that proves one's identity, along with a password or PIN.

"One [factor] is a physical thing that you'll notice if it goes missing," such as your keychain or cell phone. "And it can't do the same thing every time." That's because static passwords are too easily guessed at or eavesdropped on. By contrast, there are many pocket-sized electronic gizmos today that are smart enough to give a different, valid answer to a remote server every time.

Many Ways To Solve A Single Problem

Devices with enough memory to handle one-time passwords and challenge/response authentication methods include "smart cards" with digital circuitry and PDAs (personal digital assistants) such as Palms and Pocket PCs.

Most consumers don't carry any of those devices, however. So the focus of two-factor authentication has necessarily moved to devices that can be given out cheaply — such as $10 USB Flash drives — or tools already owned by a broad range of consumers, such as smart phones.

Stu Vaeth, chief security officer of Toronto-based development firm Diversinet, is deeply involved in creating software small enough to fit on USB keys and higher-end cell phones. As a member of an OATH technical committee, he played a role in the group's first major accomplishment: the publishing in October of a formal standard for the calculation of one-time passwords.

"The heart of it," Vaeth says, "is agreeing on an algorithm that the client and server can use."

The current version of software that Diversinet has developed to implement OATH's proposed OTP standard requires only 64 to 128 KB of disk space to install and no more than 45 KB to run, according to Vaeth. That's more storage than you find on a basic cell phone today, but it's an amount that's easily available on almost any programmable smart phone, PDA, or USB drive.

One-time passwords would be useless to any hackers who successfully eavesdropped on a computer session. As a result, OTP will probably be the first part of OATH's vision to be widely adopted to strengthen authentication. But Vaeth expects that other approaches OATH is considering will also be formally proposed to Internet standards bodies soon. Those approaches include challenge/response authentication, in which a remote server establishes a communications session to verify the physical device a user is carrying, and PKI (public key infrastructure), involving the deployment of hard-to-fake digital signatures.
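The OTP algorithm OATH agreed on was later published as HOTP (RFC 4226): an HMAC-SHA1 over a shared secret and a per-device counter, truncated to a short decimal code. The Python below is an added example, not code from the column or from OATH or Diversinet; it implements HOTP plus a minimal server-side verifier with a look-ahead window, and shows why a code captured by an eavesdropper is rejected when replayed. The class and function names are my own, and the secret is RFC 4226's published test-vector key, not a real credential.

```python
import hmac
import hashlib
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226): HMAC-SHA1 over the 8-byte
    big-endian counter, dynamically truncated to 31 bits, reduced mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # low nibble picks a 4-byte window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class OTPToken:
    """The user's device: holds the shared secret and its own event counter."""
    def __init__(self, secret: bytes):
        self.secret, self.counter = secret, 0

    def next_code(self) -> str:
        code = hotp(self.secret, self.counter)
        self.counter += 1
        return code


class OTPServer:
    """Server-side verifier. A small look-ahead window tolerates a few unused
    codes (button pressed without logging in); the counter only moves forward,
    so any code already accepted, or older, can never be accepted again."""
    def __init__(self, secret: bytes, window: int = 5):
        self.secret, self.counter, self.window = secret, 0, window

    def verify(self, code: str) -> bool:
        for c in range(self.counter, self.counter + self.window):
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.counter = c + 1              # resync; burn this and all earlier counters
                return True
        return False


def demo() -> dict:
    # Constructed shared secret (RFC 4226 test-vector key), not a real credential.
    secret = b"12345678901234567890"
    token, server = OTPToken(secret), OTPServer(secret)
    first = token.next_code()
    results = {"first_login": server.verify(first),
               "replay_of_first": server.verify(first)}   # eavesdropped code is dead
    token.next_code()                                     # a skipped press
    results["after_skip"] = server.verify(token.next_code())  # look-ahead absorbs it
    return results
```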

Each of these schemes, OATH members believe, can be implemented in such a way that any compliant device could be used to authenticate any user. That means you wouldn't have to carry around a half-dozen gewgaws; just one would be enough to prove to a server that you are who you say you are.


OATH's proposals, if fully adopted, would mean big changes for end users who can now simply type in their e-mail address and their dog's name to access everything from their local bank to their corporate headquarters.

Big changes may be just the thing we need, though. Virulent hacker attacks are spreading wildly and rampant identity fraud is exploding geometrically, disrupting consumers and enterprises alike. So installing a tiny authentication program onto USB keys, cell phones, or whatever a company's employees happen to have is a small inconvenience that should be welcomed with open arms by users who never liked memorizing passwords in the first place.

For information on OATH's big plans, visit

Brian Livingston is the editor of and the co-author of Windows Vista Secrets and 10 other books. Send story ideas to him via his contact page. To subscribe free and receive Executive Tech via e-mail, visit our signup page.
