Open source has encompassed all areas of software applications and services, so there was little doubt that authentication would, sooner or later, be part of this fast-growing movement. OpenLDAP, the open source directory project, has been with us for quite some time. But there's a new movement to create an authentication protocol, to standardize how authentication data is exchanged.
The Initiative for Open Authentication (OATH) was formed to standardize the response to what OATH members claim are the three major challenges to our networks:
- Theft of or unauthorized access to confidential data.
- The inability to share data over a network without an increased security risk.
- The lack of a viable single sign-on framework.
OATH hopes to address these challenges with standard, open technology that is available to all. The organization is taking an all-encompassing approach, delivering systems and services that allow for strong authentication of all users on all devices, across all networks.
OATH's membership includes many familiar names in the identity and access management space: ActivCard, Aladdin Knowledge Systems, ARM, Assa Abloy ITG, Authenex, Aventail, Axalto, BEA Systems, BMC Software, Check Point and VeriSign (which created the group), among others. More information about OATH can be found at its Web site (www.openauthentication.org).
Two companies prominent in both open source and identity management, Sun and Novell, are surprisingly and conspicuously absent from the membership. Microsoft's absence is less surprising.
The key features and benefits of the proposed reference architecture for open authentication include:
- Lower costs for authentication devices (chips, tokens, smart cards).
- Simplified validation as a network utility instead of a complex and confusing enterprise responsibility.
- Best-of-breed solutions through interoperable components.
- Development of devices that embed multiple authentication methods such as One-Time Password, SIM authentication and PKI-based authentication.
- Cell phones, PDAs, and laptops become strong authentication devices.
- Application developers gain the ability to build connectors for strong authentication using open specifications.
- Provides open specifications for strong device and user authentication, enabling easy native support in enterprise applications and identity management platforms.
- Allows the sharing of device credentials, strong authentication algorithms, and authentication client software across many network end-points (desktop computers, servers, switches, Wi-Fi access points, set top boxes, etc.).
There's a good white paper - "An Industry Roadmap for Open Strong Authentication" - available at http://www.openauthentication.org/resources.asp (registration required). Download it and see how your efforts in the authentication area mesh with those of this organization. If you like what you see, get involved.