5 Native API for OTP Challenge

Oracle Adaptive Access Manager's Native OTP API offers a way to add another factor to a traditional user name/password authentication scheme.

This chapter contains the following information:

5.1 OTP Integration Overview

Native OTP Challenge integration enables strong authentication for access to applications.

Note:

For information about administrative tasks you can perform for OTP such as resetting OTP profiles, unlocking users, viewing OTP case details, and viewing OTP performance data, see the Oracle Fusion Middleware Administrator's Guide for Oracle Adaptive Access Manager.

The flow of interaction is as follows: When the User ID and password are successfully verified, if the application deems it to be necessary, a one time password is sent to the user's mailbox or mobile phone. This one time password will be verified and only then will the user be authenticated to the application.

Note:

The application authenticates the OTP code given by the user through custom implementation. Oracle Adaptive Access Manager generates the code (see the generateOTP API); delivering it to the user and verifying what the user enters are the integrator's responsibility.

5.1.1 One Time Password (OTP)

One Time Password (OTP) is a random, single-use authentication credential. The OTP may be either numeric or alphanumeric and of any length, and the randomization algorithm is pluggable.

The following are major benefits of using out-of-band OTP:

  • The one time password is delivered to the valid user through one of the configured channels. These can include SMS, IM, email or voice.

  • The user does not require any proprietary hardware or client software of any kind.

5.1.2 OAAM OTP Challenge Functionality

OAAM OTP challenge functionality allows the end user to register profile information that is subsequently used as a communication channel to challenge the user when appropriate. The user is sent an email or SMS with a generated one time use password and presented with a challenge page in which he can enter the generated code.

Oracle Adaptive Access Manager offers an OTP code generation API that can be used by native integration APIs.

5.1.3 Sample

A sample application, OAAM Sample, is available as a form of documentation to illustrate a native implementation of an Oracle Adaptive Access Manager integration.

It includes registration and email challenge related flows that provide integrators with an example of how to use the OTP APIs for generating OTP code, incrementing the OTP challenge counter, and clearing the OTP challenge counter.

OAAM Sample implements example flows using JSPs to display pages, generate code, and handle the user input from those pages, backed by the BharosaHelper utility class, which makes calls into the OAAM APIs for tracking user details and challenge statistics.

Note:

Oracle Adaptive Access Manager ships with "oaam_native_lib.war" which must be deployed to run OAAM Sample.

5.2 OTP Registration and Challenge Experience

OAAM OTP challenge allows the end user to register profile information such as an email address or a mobile phone number or both for use as communication channel to challenge them.

The user is sent an email or SMS with a generated one time use password and presented with a challenge page in which they can enter the generated code.

The registration and challenge flows are presented in Section 5.3, "New User Registration" and Section 5.4, "User OTP Challenge."

5.3 New User Registration

Registration is the enrollment process, the opening of a new account, or other event where information is obtained from the user.

During the Registration process, the user is asked to register for questions, image, phrase and OTP (email, phone, and so on) if the deployment supports OTP. Once successfully registered, OTP can be used as a secondary authentication to challenge the user.

The login process begins with entering standard user name and password credentials. During a session, if the user is OTP-challenged, a single-use password is delivered to the user through the configured delivery channel he selected. The user retrieves the one-time password, then enters it.

In a new registration flow which includes OTP:

5.3.1 User Name Entered on Login Page

The user is presented with a page in which he is asked to submit his user name. The user name (login ID) is accepted from the first page and stored in the HTTP session. The user name page is followed by a transient page for capturing the flash and secure cookies and for fingerprinting the device.

For information on the JSPs, BharosaHelper utility class, and OAAM APIs used in this flow, refer to the following sections:

5.3.2 Password Page is Presented and User Enters Password

The password page is displayed. The user fills in the password and clicks the Enter button on the device. Oracle Adaptive Access Manager verifies the user's password.

For information on the JSPs, BharosaHelper utility class, and OAAM APIs used in this flow, refer to the following sections:

5.3.3 User Enters Registration Flow

The user will continue through the registration process.

5.3.3.1 User selects an authentication pad background image

The user selects an anti-phishing image and phrase.

5.3.3.2 User registers challenge questions

The user selects challenge questions and enters the answers to those questions.

5.3.3.3 User Opts In to OTP

The user agrees to register his profile for OTP challenge.

5.3.3.4 User registers profile information

The user enters his profile information in profile registration page.

The user's contact information, such as mobile phone number and email address, is registered.

5.3.3.5 User Agrees to Terms and Conditions

User agrees to the terms and conditions presented on the registration page.

5.3.4 User Continues into Application

The user continues on to the application.

5.4 User OTP Challenge

An OTP challenge is when the user is asked to provide the OTP as a form of authentication for risk situations based upon configured policies.

The user must enter the correct OTP in to the Web interface to proceed with the operation.

In the challenge flow which includes OTP:

5.4.1 User Name Entered on Login Page

The user is presented with a page in which he is asked to submit his user name. The user name (login ID) is accepted from the first page and stored in the HTTP session. The user name page is followed by a transient page for capturing the flash and secure cookies and for fingerprinting the device.

For information on the JSPs, BharosaHelper utility class, and OAAM APIs used in this flow, refer to the following sections:

5.4.2 Password Page is Presented and User Enters Password

The password page is displayed. The user fills in the password and clicks the Enter button on the device. Oracle Adaptive Access Manager verifies the user's password.

For information on the JSPs, BharosaHelper utility class, and OAAM APIs used in this flow, refer to the following sections:

5.4.3 OAAM Rules Determine User Should Be Challenged via OTP

The custom policies return "Challenge" as an action, and the Challenge checkpoint determines that OTP is the type of challenge to be used.

For information on the JSPs, BharosaHelper utility class, and OAAM APIs used in this flow, refer to the following sections:

5.4.3.1 Generate OTP Code and Code is Delivered to the User through Custom Implementation

The system generates the OTP code and through custom implementation the code is delivered to the user.

The generateOTP API is used to generate OTP code. For information on this API, refer to Section 4.5.9, "generateOTP."

5.4.3.2 User Presented with Challenge Page

The user is presented with the challenge page.

The OTP Challenge devices are determined by the Authentication Pad checkpoint. The default device is TextPad.

For information on the Authentication Pad checkpoint, refer to Section 2.2.1.12, "Run Authentication Rules (r7)."

5.4.3.3 User Enters the Generated Code and the Code Is Validated by Custom Implementation

The user enters the generated code that the application sent to him, and the custom implementation validates it.

5.4.4 User Continues Into the Application

The user continues into the application.
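The two steps the page leaves to "custom implementation" in the challenge flow above, generating and delivering the code (5.4.3.1) and validating what the user types (5.4.3.3), are the ones where integrations usually go wrong. The following is an added example, not OAAM or OAAM Sample code, of how an integrator might implement that side. The class and method names (OtpChallengeExample, Challenge, challengeUser, validateOtp) are hypothetical, generateCode is a stand-in for the OAAM generateOTP API rather than a call to it, the attempts field stands in for the OTP challenge counter that the OTP APIs mentioned in Section 5.1.3 increment and clear, and the expiry and attempt limits are illustrative policy values.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

/*
 * Added example (not OAAM or OAAM Sample code). Shows the custom-implementation
 * side of steps 5.4.3.1 and 5.4.3.3: issue a code, hand it to a delivery
 * channel, then validate the user's input with expiry, an attempt limit and a
 * constant-time comparison. All names here are hypothetical.
 */
public class OtpChallengeExample {

    /** Server-side record of one outstanding challenge (hypothetical structure). */
    static final class Challenge {
        final byte[] codeHash;       // SHA-256 of the code; the plaintext is not retained
        final long expiresAtMillis;
        int attempts;                // plays the role of the OTP challenge counter
        Challenge(byte[] codeHash, long expiresAtMillis) {
            this.codeHash = codeHash;
            this.expiresAtMillis = expiresAtMillis;
        }
    }

    static final int CODE_LENGTH = 6;                  // illustrative policy values
    static final int MAX_ATTEMPTS = 3;
    static final long TTL_MILLIS = 5 * 60 * 1000L;

    private final SecureRandom random = new SecureRandom();
    private final Map<String, Challenge> outstanding = new ConcurrentHashMap<>();

    /** Stand-in for the OAAM generateOTP API: a numeric code drawn from SecureRandom. */
    String generateCode() {
        StringBuilder sb = new StringBuilder(CODE_LENGTH);
        for (int i = 0; i < CODE_LENGTH; i++) {
            sb.append(random.nextInt(10));
        }
        return sb.toString();
    }

    /** Step 5.4.3.1: create the challenge and return the code for the delivery channel. */
    String challengeUser(String sessionId, long nowMillis) {
        String code = generateCode();
        outstanding.put(sessionId, new Challenge(sha256(code), nowMillis + TTL_MILLIS));
        return code;   // the caller sends this by email or SMS and must not log it
    }

    /** Step 5.4.3.3: validate the submitted code; true only for a live, unused, correct code. */
    synchronized boolean validateOtp(String sessionId, String submitted, long nowMillis) {
        Challenge c = outstanding.get(sessionId);
        if (c == null) {
            return false;                              // nothing outstanding for this session
        }
        if (nowMillis > c.expiresAtMillis || c.attempts >= MAX_ATTEMPTS) {
            outstanding.remove(sessionId);             // expired or locked: force a fresh challenge
            return false;
        }
        c.attempts++;                                  // count every guess, right or wrong
        boolean ok = MessageDigest.isEqual(c.codeHash, sha256(submitted));
        if (ok) {
            outstanding.remove(sessionId);             // single use: a replay of the same code fails
        }
        return ok;
    }

    static byte[] sha256(String s) {
        try {
            return MessageDigest.getInstance("SHA-256").digest(s.getBytes(StandardCharsets.UTF_8));
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);
        }
    }

    public static void main(String[] args) {
        OtpChallengeExample otp = new OtpChallengeExample();
        long now = System.currentTimeMillis();
        String code = otp.challengeUser("session-1", now);
        // Constructed wrong guess: the issued code with its last digit changed.
        String wrong = code.substring(0, CODE_LENGTH - 1)
                + (code.charAt(CODE_LENGTH - 1) - '0' + 1) % 10;
        System.out.println("wrong code accepted:   " + otp.validateOtp("session-1", wrong, now));
        System.out.println("correct code accepted: " + otp.validateOtp("session-1", code, now));
        System.out.println("replay accepted:       " + otp.validateOtp("session-1", code, now));
        String late = otp.challengeUser("session-2", now);
        System.out.println("expired code accepted: "
                + otp.validateOtp("session-2", late, now + TTL_MILLIS + 1));
    }
}
```

Running main prints false, true, false, false: the altered code is rejected, the issued code is accepted once, a replay of the same code is rejected because the challenge was cleared on success, and a code presented after its lifetime is rejected. Three points are worth keeping in any real implementation of 5.4.3.3. The comparison is done with MessageDigest.isEqual over fixed-length hashes, so response time does not leak how many leading characters matched. The attempt counter is incremented before the comparison and the challenge is discarded once the limit is reached, which is what defeats online guessing of a six-digit code; hashing alone does not, since a 10^6 code space is trivial to search offline, so the hash only keeps the plaintext out of the store and logs. Finally, the challenge is keyed by the session that was created after the password step, so a code issued for one login cannot be redeemed in another.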