PINtegrity Systems

OpenID Strong Authentication with Challenge/Response


Overview

Pintegrity offers strong authentication for OpenID Internet Identity verification using Challenge/Response to generate one-time passwords. OpenID users may select one or more form factors for software tokens, including desktop and mobile phone. For instance, users may install one token on their work desktop, one on their home desktop and one on their mobile phone all linked to the same OpenID providing seamless coverage for strong authentication.

Strong authentication is provided by multi-factor verification through a Challenge/Response dialog. The OpenID user must have possession of the software token registered with their OpenID and knowledge of the secret code that unlocks the token. OpenID verification is completed in three steps: 1. select the token, 2. get a random challenge number, and 3. get the unique response number. Challenge/Response value pairs are unique to the software token, which is personalized with a unique cryptographic key when it is registered with the Pintegrity Authentication Server.

The Challenge/Response dialog also provides one-time password security, which makes replay attacks impractical. Each time the OpenID is verified, a new Challenge/Response value pair is created, and it can be used only once. The Challenge/Response value pairs are cryptographically random and thus cannot be predicted. The Challenge/Response value pairs are created using DES symmetric (secret-key) encryption.

Pintegrity token applications use RSA public key encryption to securely enroll the shared key value with the Pintegrity Authentication Server.

The Pintegrity Authentication Server limits each registered token to one OpenID authentication per minute to protect against brute-force attacks.

Platforms

Pintegrity offers software tokens for a wide variety of platforms to accommodate OpenID users' various computing environments, from Mac, iPhone and iPod touch on the Apple platform to desktops and mobile phones running Windows. These can all be used interchangeably at any time. Read more about Pintegrity tokens.

OpenID users can be completely mobile by installing a software token on their internet-capable mobile phone. When OpenID verification is required to access a website secured with OpenID from the mobile browser, the token application on the phone generates a Challenge/Response value pair used to authenticate the OpenID user. There is no need for the cost and inconvenience of a separate token device.

Authentication Modes

There are two modes of authentication available on all Pintegrity tokens: Online and Offline. As long as internet connectivity is available, the token application can be switched between Online and Offline mode as often as desired. If no internet connectivity is available, the token is only capable of Offline authentication.

Offline authentication is also known as Remote Challenge: the OpenID verification dialog presents a random Challenge number to the user, who enters it into the token application. The token displays a Response number, which is entered into the OpenID verification screen. This is the "traditional" Challenge/Response offered on all stand-alone tokens and requires the manual entry of two numbers; counting the secret unlock code, three numbers must be entered. View a sample Online OpenID authentication dialog.

Online authentication is also known as Self Challenge and is much simpler for OpenID authentication. When the OpenID verification dialog first appears, the Pintegrity token is used to generate a random Challenge/Response value pair and deliver it securely via web services to the Pintegrity Authentication Server, where it remains available for the next OpenID authentication for a short period of time. The user then merely clicks once on the OpenID verification dialog screen and is authenticated. This Online authentication feature is unique to Pintegrity tokens, since stand-alone tokens have no internet connectivity. View a sample Offline OpenID authentication dialog.
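The Challenge/Response dialog (unique per-token key, cryptographically random challenge, one-time use, once-per-minute throttle) and the two modes described above can be exercised end to end in a small simulation. The following is an added example written for this page; it is not Pintegrity's code and makes no claim about the server's or token's actual internals. It assumes HMAC-SHA256 as the keyed challenge-to-response function in place of the DES derivation the page names (DES's 56-bit key is inadequate for new designs, and the stand-in needs no third-party library), assumes a 120-second validity window for a pushed Online-mode pair (the page says only "a short period of time"), and uses a constructed token id, key and unlock code.

```python
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional, Set, Tuple

CHALLENGE_DIGITS = 8
RESPONSE_DIGITS = 8
SELF_CHALLENGE_TTL = 120   # assumed: seconds an Online-mode pair stays valid on the server
MIN_INTERVAL = 60          # page: one OpenID authentication per token per minute


def new_challenge() -> str:
    """Cryptographically random numeric challenge (secrets, not the random module)."""
    return str(secrets.randbelow(10 ** CHALLENGE_DIGITS)).zfill(CHALLENGE_DIGITS)


def compute_response(token_key: bytes, challenge: str) -> str:
    """Keyed one-way map challenge -> numeric response. HMAC-SHA256 stands in for DES (assumption)."""
    mac = hmac.new(token_key, challenge.encode(), hashlib.sha256).digest()
    return str(int.from_bytes(mac[:8], "big") % 10 ** RESPONSE_DIGITS).zfill(RESPONSE_DIGITS)


class SoftwareToken:
    """Possession factor: holds the per-token key. Knowledge factor: the unlock code."""

    def __init__(self, token_id: str, key: bytes, unlock_code: str):
        self.token_id = token_id
        self._key = key
        self._unlock_code = unlock_code

    def respond(self, unlock_code: str, challenge: str) -> str:
        if not hmac.compare_digest(unlock_code, self._unlock_code):
            raise PermissionError("wrong unlock code")
        return compute_response(self._key, challenge)

    def self_challenge(self, unlock_code: str) -> Tuple[str, str]:
        """Online mode: the token picks the challenge itself and returns the pair."""
        challenge = new_challenge()
        return challenge, self.respond(unlock_code, challenge)


class AuthServer:
    def __init__(self, clock=time.time):
        self._clock = clock
        self._keys: Dict[str, bytes] = {}                                   # key shared at enrollment
        self._pending: Dict[str, Tuple[str, str, Optional[float]]] = {}     # challenge, expected, expiry
        self._used: Set[Tuple[str, str]] = set()                            # spent pairs, never valid again
        self._last_attempt: Dict[str, float] = {}

    def register(self, token_id: str, key: bytes) -> None:
        self._keys[token_id] = key

    def remote_challenge(self, token_id: str) -> str:
        """Offline mode: the server issues a challenge the user types into the token."""
        challenge = new_challenge()
        self._pending[token_id] = (challenge, compute_response(self._keys[token_id], challenge), None)
        return challenge

    def accept_self_challenge(self, token_id: str, challenge: str, response: str) -> bool:
        """Online mode: the token pushes a pair; the server keeps it briefly for one-click login."""
        expected = compute_response(self._keys[token_id], challenge)
        if not hmac.compare_digest(expected, response) or (token_id, challenge) in self._used:
            return False
        self._pending[token_id] = (challenge, expected, self._clock() + SELF_CHALLENGE_TTL)
        return True

    def verify(self, token_id: str, response: Optional[str] = None) -> bool:
        """Consume the pending pair: Offline callers supply the typed response, Online callers
        supply none (the single click). The pair is spent either way, success or failure."""
        now = self._clock()
        if now - self._last_attempt.get(token_id, float("-inf")) < MIN_INTERVAL:
            return False                       # throttle: blocks brute-force guessing
        self._last_attempt[token_id] = now
        pending = self._pending.pop(token_id, None)
        if pending is None:
            return False
        challenge, expected, expires = pending
        self._used.add((token_id, challenge))  # one-time password: never accepted again
        if expires is not None and now > expires:
            return False
        if response is None:
            return expires is not None         # Online pair was checked when it was pushed
        return hmac.compare_digest(expected, response)


class FakeClock:
    """Controllable clock so throttle and expiry can be shown without sleeping."""
    def __init__(self) -> None:
        self.t = 0.0
    def __call__(self) -> float:
        return self.t
    def advance(self, seconds: float) -> None:
        self.t += seconds


def walkthrough() -> Dict[str, bool]:
    """Both modes plus replay, throttle and expiry on a constructed token. Returns the outcomes."""
    clock = FakeClock()
    server = AuthServer(clock)
    key = secrets.token_bytes(16)
    token = SoftwareToken("desktop-1", key, "4711")   # constructed sample token
    server.register(token.token_id, key)

    ch = server.remote_challenge(token.token_id)       # Offline: unlock code, challenge, response
    resp = token.respond("4711", ch)
    offline_ok = server.verify(token.token_id, resp)
    replay = server.verify(token.token_id, resp)       # same pair again: refused (and throttled)

    clock.advance(MIN_INTERVAL)
    ch2, resp2 = token.self_challenge("4711")          # Online: token pushes pair, user clicks once
    pushed = server.accept_self_challenge(token.token_id, ch2, resp2)
    online_ok = server.verify(token.token_id)

    clock.advance(MIN_INTERVAL)
    repush = server.accept_self_challenge(token.token_id, ch2, resp2)   # spent pair: refused
    ch3, resp3 = token.self_challenge("4711")
    server.accept_self_challenge(token.token_id, ch3, resp3)
    clock.advance(SELF_CHALLENGE_TTL + 1)
    expired = server.verify(token.token_id)            # pushed pair outlived its window

    return {"offline_ok": offline_ok, "replay": replay, "pushed": pushed,
            "online_ok": online_ok, "repush": repush, "expired": expired}
```

Note that `verify` records the attempt before checking anything else, so a wrong guess costs the attacker the whole minute as well, and a spent pair is refused even if the token tries to push it a second time in Online mode.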

Audit Trail

Event Logging

The Pintegrity Authentication Server maintains a log of all activity for Pintegrity tokens that are registered with the appropriate service level. OpenID users may log in to the server to view log files at any time.

GIS Tracking

The Pintegrity Authentication Server logs latitude and longitude information from the Pintegrity token if the mobile device has GIS capability. This can be very useful in retrieving lost or stolen tokens.

Cost of Ownership

Pintegrity offers OpenID strong authentication as Software as a Service (SaaS) and relies on a subscription business model with several tiers of service.

Tier 1 - Free
  • 1 token only
  • No event logging
  • No GIS tracking

Tier 2 - $10/year
  • 1 to 3 tokens
  • 30 days of event logging
  • No GIS tracking

Tier 3 - $20/year
  • 1 to 5 tokens
  • 90 days of event logging
  • GIS tracking (if available)

Pintegrity Authentication Server

The Pintegrity Authentication Server provides a home page for each user to view their log files and deactivate a lost or stolen token.

Summary

Why is Pintegrity the best choice for OpenID authentication?

  • Strong authentication with one-time password and two factor authentication
  • Mobile browsing and strong authentication on the same device
  • Online mode for one-click authentication
  • Low cost of ownership
  • Tokens available from other vendors are not multi-factor: they rely on the date/time for the challenge value and have no keypad, so the user cannot be required to enter a secret unlock code and they are limited to one authentication factor (possession only).

July 3, 2009