One Time Password Technology for iChain
Novell Cool Solutions: Feature
Posted: 20 Feb 2003
The NordicEdge OTP (One Time Password) Server is a service that generates a secure "Onetime Password" and sends the password to the user's mobile phone or mailbox when the user logs in to a web application.
The key benefit of this technology is that the NordicEdge OTPServer adds an extra security layer to protect applications. When the user's ID and password are successfully verified against directory services, the "Onetime Password" is sent to the user's mailbox or mobile phone through SMS (Short Message Service). The NordicEdge OTPServer verifies the "Onetime Password", and only then is the user authenticated and allowed access to the application.
How it Works
When the user tries to access an iChain-protected resource, the user is redirected to an authentication servlet provided by NordicEdge. The user authenticates with the standard username and password from Novell eDirectory (or any LDAP-compliant directory service).
If the username and password are verified correctly by the NordicEdge authentication servlet, it reads the user attribute that contains either the mobile phone number or mail address from eDirectory. Any user attribute can be used.
A request is then sent to the NordicEdge OTPServer to create and send an Onetime Password through SMS to the user's mobile phone or through SMTP to the user's e-mail address. The NordicEdge OTPServer supports sending SMS in several ways, including HTTP, SMTP, SMPP and NetSize APIs.
The user receives the Onetime Password on his or her mobile phone or in his or her mailbox.
If the Onetime Password was successfully sent, the NordicEdge OTPServer sends a notification back to the authentication server to go on to the next step.
The NordicEdge authentication servlet now prompts the user for the Onetime Password.
The user enters the Onetime Password and the authentication servlet sends the Onetime Password together with the username to the Novell iChain proxy machine.
The Novell iChain proxy machine makes a standard RADIUS authentication request to the NordicEdge OTPServer with the username and the Onetime Password. The NordicEdge OTPServer verifies the Onetime Password and the username. If verified correctly, the NordicEdge OTPServer sends back a RADIUS accept reply, and the user is authenticated. If the verification of the Onetime Password and the username fails, the NordicEdge OTPServer sends back a RADIUS reject reply, and the user is redirected back to the first login page.
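The final RADIUS step of the flow above, as an added example that is not NordicEdge's or Novell's code: the proxy side builds an RFC 2865 Access-Request carrying User-Name and a PAP-hidden User-Password holding the one-time password, and the OTP-server side recovers the password, checks it against the pending code for that user, and answers Access-Accept or Access-Reject. The shared secret, code length, lifetime and one-attempt-per-code policy are assumed values, not NordicEdge defaults.

```python
import hashlib, os, secrets, struct, time
SHARED_SECRET = b"assumed-radius-secret"   # assumption: configured on both proxy and OTP server
OTP_DIGITS, OTP_TTL_SECONDS = 6, 120       # assumed policy values, not NordicEdge defaults
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3   # RFC 2865 packet codes
USER_NAME, USER_PASSWORD = 1, 2                          # RFC 2865 attribute types

def pap_crypt(data, authenticator, secret, decrypt=False):
    """RFC 2865 s5.2 User-Password hiding: XOR 16-byte blocks with MD5(secret + previous block)."""
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        chunk = data[i:i + 16]
        res = bytes(a ^ b for a, b in zip(chunk, hashlib.md5(secret + prev).digest()))
        out, prev = out + res, (chunk if decrypt else res)   # the chain runs over ciphertext blocks
    return out

def build_access_request(username, otp, ident=1):
    """Proxy side: Access-Request carrying User-Name and the hidden one-time password."""
    auth = os.urandom(16)                                    # Request Authenticator
    attrs = bytes([USER_NAME, 2 + len(username)]) + username.encode()
    hidden = pap_crypt(otp.encode() + b"\0" * (-len(otp) % 16), auth, SHARED_SECRET)
    attrs += bytes([USER_PASSWORD, 2 + len(hidden)]) + hidden
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + auth + attrs

def parse_attrs(packet):
    attrs, pos = {}, 20
    while pos + 2 <= len(packet) and packet[pos + 1] >= 2:   # a malformed length ends parsing
        attrs[packet[pos]] = packet[pos + 2:pos + packet[pos + 1]]
        pos += packet[pos + 1]
    return attrs

class OtpServer:
    def __init__(self):
        self.pending = {}                                    # username -> (otp, expiry time)
    def issue(self, username, now=None):
        """Create a fresh code for the user; SMS/SMTP delivery is out of scope here."""
        otp = "".join(secrets.choice("0123456789") for _ in range(OTP_DIGITS))
        self.pending[username] = (otp, (now or time.time()) + OTP_TTL_SECONDS)
        return otp
    def handle_access_request(self, packet, now=None):
        """RADIUS verification step: username + OTP must match; codes are single-use and expire."""
        code, ident, length = struct.unpack("!BBH", packet[:4])
        auth, attrs = packet[4:20], parse_attrs(packet[:length])
        username = attrs.get(USER_NAME, b"").decode()
        presented = pap_crypt(attrs.get(USER_PASSWORD, b""), auth, SHARED_SECRET, decrypt=True)
        entry = self.pending.pop(username, None)             # one attempt per code, hit or miss
        ok = (code == ACCESS_REQUEST and entry is not None and (now or time.time()) < entry[1]
              and secrets.compare_digest(entry[0].encode(), presented.rstrip(b"\0")))
        head = struct.pack("!BBH", ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, 20)
        return head + hashlib.md5(head + auth + SHARED_SECRET).digest()   # Response Authenticator
```

Because a pending code is removed on the first attempt whether it matches or not, a wrong entry sends the user back to the first login page (as the article describes) rather than allowing repeated guesses against the same code.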
- NordicEdge OTPServer. This is a pure Java application. It will run on any Java 1.3 compliant platform including Novell NetWare.
- Novell iChain 2.x
- Two parameters need to be set on the Novell iChain proxy machine:
  - SET AUTHENTICATION ACLCHECK LDAP BINDANONYMOUS=NO
  - ADD AUTHENTICATION ACLCHECK LDAP SEARCHBASE = o=yourSearchBase
- NordicEdge Authentication servlet, included with the NordicEdge OTPServer.
- The servlet requires a servlet engine such as Jakarta Tomcat, Allaire JRun or New Atlanta ServletExec. The login pages are based on JSP and are customizable.
For more information please call +46 8 708653000 or e-mail to firstname.lastname@example.org
Novell Cool Solutions (corporate web communities) are produced by WebWise Solutions. www.webwiseone.com