ArcotID OTP is a secure software authentication mechanism that allows the use of mobile phones, iPads, and other PDAs as convenient authentication devices. The ArcotID OTP credential is used for primary authentication, and it supports the Open Authentication (OATH) standard. Similar to the ArcotID PKI credential, ArcotID OTP also uses CA Arcot’s patented Cryptographic Camouflage technology to protect credentials from brute force attacks.
Authentication using ArcotID OTP involves the use of a passcode generator. For every session that an end user initiates, a unique OTP is generated, which is only valid for that session or for a very short period. Consequently, OTP authentication lowers the chances of relay attacks. The ArcotID OTP mechanism can be used for authentication on computers and mobile devices.
The passcode generator is the ArcotID OTP application, which must be installed on the end user’s mobile device. At the time of enrollment, the end user is prompted to set a PIN and is also sent instructions to configure their device for ArcotID OTP generation. Once the device is configured, the ArcotID OTP credential is provisioned to the device. At runtime, the end user opens the ArcotID OTP application, authenticates to it using their PIN, generates an OTP, and uses that OTP to authenticate to a protected resource.
For users who do not want to manage the ArcotID OTP application on their device to generate OTPs, the Advanced Authentication service provides a JavaScript Client that invisibly runs in the end user’s Web browser and generates an OTP each time it is invoked.
The JavaScript Client eliminates the need for users to read the OTP from a device and then type it into the login page. Typically, the JavaScript Client is invoked when an end user who has registered for ArcotID OTP authentication tries to access a protected resource, but does not have the phone that has the ArcotID OTP application. If the end user states that their phone is not available, secondary authentication is performed and the JavaScript Client is invoked in the background to generate an OTP. This OTP is sent to the Advanced Authentication service for verification.
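The page states that ArcotID OTP supports the OATH standard but does not say which OATH algorithm or parameters it uses. The added example below is not CA code; it shows how a passcode is derived from a shared secret and why a verifying service stops accepting a code once it has been used. It assumes event-based HOTP from RFC 4226 with HMAC-SHA-1 and 6 digits. `HotpVerifier` and its look-ahead window are hypothetical names, and PIN protection and Cryptographic Camouflage are not modelled.

```javascript
// Added illustration of OATH HOTP (RFC 4226); not CA/Arcot product code.
const nodeCrypto = require("crypto");

// Client side: derive the passcode for one counter value.
// Assumed parameters: HMAC-SHA-1, 6 digits (RFC 4226 defaults).
function hotp(secret, counter, digits = 6) {
  const msg = Buffer.alloc(8);
  msg.writeBigUInt64BE(BigInt(counter));              // 8-byte big-endian counter
  const mac = nodeCrypto.createHmac("sha1", secret).update(msg).digest();
  const offset = mac[mac.length - 1] & 0x0f;          // dynamic truncation offset
  const bin = mac.readUInt32BE(offset) & 0x7fffffff;  // 31-bit value, sign bit cleared
  return String(bin % 10 ** digits).padStart(digits, "0");
}

// Server side (hypothetical verifier): accept a code only for a counter at or
// ahead of the stored one, within a small window, then advance past it.
class HotpVerifier {
  constructor(secret, counter = 0, lookAhead = 3) {
    this.secret = secret;
    this.counter = counter;
    this.lookAhead = lookAhead;
  }

  verify(code) {
    const given = Buffer.from(String(code));
    for (let c = this.counter; c <= this.counter + this.lookAhead; c++) {
      const expected = Buffer.from(hotp(this.secret, c));
      // Constant-time comparison; lengths must match before calling it.
      if (given.length === expected.length &&
          nodeCrypto.timingSafeEqual(given, expected)) {
        this.counter = c + 1;  // this code and all earlier ones are now spent
        return true;
      }
    }
    return false;
  }
}

// Constructed sample: the test secret from RFC 4226 Appendix D.
const SAMPLE_SECRET = Buffer.from("12345678901234567890", "ascii");

function demo() {
  const server = new HotpVerifier(SAMPLE_SECRET);
  const code = hotp(SAMPLE_SECRET, 1);  // client is one step ahead of the server
  return { code, first: server.verify(code), again: server.verify(code) };
}
console.log(demo());
```

The second `verify` call fails because the server counter has already moved past the counter that produced the code.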
Copyright © 2015 CA Technologies.
All rights reserved.