OTP Radius System

One-Time Passwords (OTP) are often preferred to stronger forms of authentication such as Public-Key Infrastructure (PKI) or biometrics because an air-gapped token does not require installing any client software on the desktop.

OTP Radius System

Service automation is essential for vendors who serve large numbers of people. One important issue is securing access to those software services. The usual way is to enforce strong passwords for them.

Features

Web Management Interface

This feature allows system administrators or security officers to add, update and revoke users through the OTP system's web management interface, while operators can monitor the system and perform routine operations through the same interface.

User Management

Using this feature, the system administrator can add, delete or suspend users. The following actions are available through the web management feature:

  • Add user: add a user to the system database or user directory.
  • Edit user: change a user's settings or current status.
  • Remove user: delete a user from the database or user directory.
  • Send OTP via SMS: send the OTP to the user's mobile phone by SMS through a configured SMS server.
  • Synchronize with AD: if the administrator enables this option, any updates applied to system users are mirrored to Active Directory.
  • Print Scratch Passwords: generate a sequence of OTPs for a given user, to be used later for authentication.
  • Assign token to user: assign a hardware or software token to the user.
  • Print QR-code: generate the OTP in QR-code form for easier provisioning.

Server configuration

This feature enables the system administrator to change the OTP server configuration, such as its IP address, to add system administrators, and to change the password of each user.

Tokens management

Token management allows the administrator to add OTP tokens and change token status. The available actions are:

  • Add token: add a new token to the token list. The seed of the new token can be generated automatically or entered manually. While adding a token, the administrator selects the token algorithm from the supported algorithms and chooses the password length.
  • Rename token: change the token name to make it easier to manage.
  • Import from file: for hardware tokens, the initial seed is exchanged using PKI to preserve the security of the system. The seed is sent to the server encrypted and a public key is used to decrypt it.
  • Remove token: delete a token from the token list. This is useful if a token is lost or damaged.

User directory management and configuration

This feature is used to add a new user directory or a new database. When the OTP system serves enterprises with a large number of customers, it must connect to an existing user directory or database. This feature makes the system integrable with database systems such as Oracle, SQL, MySQL, SQL Server, etc., and with user directories such as LDAP or AD.

Web Application Server Management

The system administrator uses this feature to manage the application servers that contact the OTP server to authenticate users, configuring the communication between each application server and the OTP server. This adds security to the authentication process, because the OTP server responds only to trusted application servers. Communication with each application server is encrypted with a shared secret to protect the authentication request and response and to eliminate masquerade attacks.

Radius Protocol

Remote Authentication Dial-In User Service (RADIUS) is a client/server security protocol. RADIUS carries the communication between the web application server and the OTP server and supports several authentication protocols: PAP, CHAP and MS-CHAP.

PAP

Password Authentication Protocol (PAP), originally defined for Point-to-Point links, was one of the first protocols used to supply a username and password. The password is transmitted in plain text between the user and the web server, but it is encrypted when the web server forwards the request to the OTP server.

CHAP

Challenge-Handshake Authentication Protocol (CHAP) was designed as an improvement on PAP. It avoids transmitting a clear-text password, as PAP does, by using a three-way handshake.

MS-CHAP

Microsoft Challenge-Handshake Authentication Protocol (MS-CHAP) differs slightly from CHAP and supports some Microsoft-specific implementations.

Software Tokens

Softlock OTP RADIUS System provides end users with various software tokens supporting different algorithms.

Softlock will provide its customized software token for Android devices and Apple iPhones.

Biometric OTP Card

Softlock OTP Radius System can be used with Bio OTP cards for client-side OTP generation. The Bio OTP card adds a new security level to the overall system.

OTP = Stronger Security, which still can be misused

OTP + Biometric Scanner = True Individual and Safe Security

The QuardCard comes with a QuardReader that is used for recharging and communication. When fully charged, the QuardCard works for around 1500 operations before it needs recharging. The QuardCard can also store several digital certificates encrypted in its internal memory. The biometric subsystem protects these certificates from unauthorized use and allows only the rightful owner to release them through the QuardReader.

Compatibility

The OTP server is a standalone server based on the Linux operating system. It uses the standard RADIUS protocol to provide the authentication service, so any client that implements the selected protocol can communicate with it. Almost all programming languages provide libraries for communicating with a RADIUS server, and all operating systems support the different RADIUS protocols.

Benefits

Security

From whichever side you look at the Softlock OTP RADIUS System, client or server, you will find that it is fully secured.

Softlock OTP RADIUS System stores the user information on a single host, minimizing the risk of security loopholes.

Two reasons account for this level of security. The first is the use of OTP authentication technology; the second is the strong, secure communication between the system entities, which is achieved by the RADIUS protocol. Hence two major security technologies are integrated to produce the Softlock OTP RADIUS System.

Man-in-the-middle attacks are eliminated for two reasons:

  • The password is valid once only, so it is useless for any later authentication attempt.
  • The password is transferred from the application server to the OTP server using secure protocols (i.e. MS-CHAP and MS-CHAP v2).

The OTP solution can be delivered as two-factor authentication for software tokens:

  • The user's PIN for the token, to generate the OTP.
  • The OTP itself, to access the service.

With the Bio OTP card the system is also two-factor:

  • The user's fingerprint identifies the owner to the card so that it generates the OTP (the biometric only works with the rightful owner).
  • The OTP, which is a truly individual password thanks to the use of the fingerprint.

Thus, if the token (software token on a mobile device or biometric card) is lost, no one but its rightful owner can use it.

Ease of use

One click or touch; one response. The user does not need to identify himself through multiple steps: he submits his username and OTP with a single click or touch, the web application passes the submitted credentials and identities on, and the response comes back as Accept or Reject.

The OTP solution requires no driver to be installed at the user side.

Flexibility

The web application server is not necessarily the targeted NAS, because a NAS can be any electronic device that has an interface to a computer. So any such device can use the OTP RADIUS server for user authentication.

Integration with different databases or LDAP directories is also provided by the Softlock OTP RADIUS System.

High Performance

The OTP server responds quickly to authentication requests received from application servers.

High availability

Being based on a Linux server (Ubuntu Server), the OTP server is reliable for long-term operation.

The Biometric OTP card is battery-charged and needs recharging only rarely.

Easy Maintenance and Troubleshooting

The integrated QA tests can be used to troubleshoot and maintain the OTP server components.

Existing test applications can also be used to exercise the OTP server, and a token can be resynchronized during authentication.

Cost Savings

Cost savings result from less password administration, and costs are lower because of a decrease in electronic crime.

Certification

The OTP RADIUS server is OATH certified for both TOTP and HOTP tokens. PSKC encrypted files are also supported.

Complies with EU privacy regulations, since fingerprints are stored only on the Biometric Card and never leave it.

Patent

The Biometric OTP Card by Quardlock is globally patented; all patent rights are reserved and apply.
