Oracle Adaptive Access Manager's Native OTP API offers a way to add another factor to a traditional user name/password authentication scheme.
Native OTP Challenge integration enables strong authentication for access to applications.
Note:
For information about administrative tasks you can perform for OTP such as resetting OTP profiles, unlocking users, viewing OTP case details, and viewing OTP performance data, see the Oracle Fusion Middleware Administrator's Guide for Oracle Adaptive Access Manager.
The flow of interaction is as follows: When the User ID and password are successfully verified, if the application deems it to be necessary, a one time password is sent to the user's mailbox or mobile phone. This one time password will be verified and only then will the user be authenticated to the application.
Note:
The application authenticates the OTP code given by the user through custom implementation.
One Time Password (OTP) is a random, single-use authentication credential. The OTP may be numeric or alphanumeric and of any length, and the randomization algorithm is pluggable.
The following are major benefits of using out-of-band OTP:
The one time password is delivered to the valid user through one of the configured channels. These can include SMS, IM, email or voice.
The user does not require any proprietary hardware or client software of any kind.
OAAM OTP challenge functionality allows the end user to register profile information that is subsequently used as a communication channel to challenge the user when appropriate. The user is sent an email or SMS with a generated one-time-use password and presented with a challenge page in which he can enter the generated code.
Oracle Adaptive Access Manager offers an OTP code generation API that can be used by native integration APIs.
A sample application, OAAM Sample, is available as a form of documentation to illustrate a native implementation of an Oracle Adaptive Access Manager integration.
It includes registration and email challenge related flows that provide integrators with an example of how to use the OTP APIs for generating OTP code, incrementing the OTP challenge counter, and clearing the OTP challenge counter.
OAAM Sample implements example flows using JSPs to display pages, generate the OTP code, and handle the user input from those pages, backed by the BharosaHelper utility class, which makes the calls into the OAAM APIs for tracking user details and challenge statistics.
Note:
Oracle Adaptive Access Manager ships with "oaam_native_lib.war" which must be deployed to run OAAM Sample.
OAAM OTP challenge allows the end user to register profile information such as an email address, a mobile phone number, or both, for use as a communication channel to challenge them.
The user is sent an email or SMS with a generated one time use password and presented with a challenge page in which they can enter the generated code.
The registration and challenge flows are presented in Section 5.3, "New User Registration" and Section 5.4, "User OTP Challenge."
Registration is the enrollment process, the opening of a new account, or other event where information is obtained from the user.
During the Registration process, the user is asked to register challenge questions, an image, a phrase, and OTP contact details (email, phone, and so on) if the deployment supports OTP. Once the user is successfully registered, OTP can be used as a secondary authentication method to challenge the user.
The login process begins with entering standard user name and password credentials. During a session, if the user is OTP-challenged, a single-use password is delivered to the user through the delivery channel he selected and configured. The user retrieves the one-time password, then enters it.
In a new registration flow which includes OTP:
The user is presented with a page in which he is asked to submit his user name. The user name (login ID) is accepted from the first page and stored in the HTTP session. The user name page is followed by a transient page for capturing the flash and secure cookies and for fingerprinting the device.
For information on the JSPs, BharosaHelper utility class, and OAAM APIs used in this flow, refer to the following sections:
The password page is displayed. The user fills in the password and clicks the Enter button on the device. Oracle Adaptive Access Manager verifies the user's password.
For information on the JSPs, BharosaHelper utility class, and OAAM APIs used in this flow, refer to the following sections:
The user will continue through the registration process.
The user selects an anti-phishing image and phrase.
The user selects challenge questions and enters the answers to those questions.
The user enters his profile information in the profile registration page.
The user's contact information, such as mobile phone number and email address, is registered.
The user continues on to the application.
An OTP challenge is when the user is asked to provide the OTP as a form of authentication for risk situations based upon configured policies.
The user must enter the correct OTP into the Web interface to proceed with the operation.
In the challenge flow which includes OTP:
The user is presented with a page in which he is asked to submit his user name. The user name (login ID) is accepted from the first page and stored in the HTTP session. The user name page is followed by a transient page for capturing the flash and secure cookies and for fingerprinting the device.
For information on the JSPs, BharosaHelper utility class, and OAAM APIs used in this flow, refer to the following sections:
The password page is displayed. The user fills in the password and clicks the Enter button on the device. Oracle Adaptive Access Manager verifies the user's password.
For information on the JSPs, BharosaHelper utility class, and OAAM APIs used in this flow, refer to the following sections:
The custom policies return "Challenge" as an action, and the Challenge checkpoint determines that OTP is the type of challenge to be used.
For information on the JSPs, BharosaHelper utility class, and OAAM APIs used in this flow, refer to the following sections:
The system generates the OTP code, and the code is delivered to the user through a custom implementation.
The generateOTP API is used to generate OTP code. For information on this API, refer to Section 4.5.9, "generateOTP."
The user is presented with the challenge page.
The OTP Challenge devices are determined by the Authentication Pad checkpoint. The default device is TextPad.
For information on the Authentication Pad checkpoint, refer to Section 2.2.1.12, "Run Authentication Rules (r7)."
The user continues into the application.
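The application-side half of the challenge flow above (deliver the generated code, then authenticate the user's answer), shown as an added example that is not OAAM Sample or BharosaHelper code. The class, the in-memory store, and the ttl and maxAttempts parameters are assumptions; a real deployment would take the code from OAAM's generateOTP API and use the product's challenge-counter APIs in place of the local generateCode and attempts handling shown here.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.time.Duration;
import java.time.Instant;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

// Hypothetical custom-side OTP challenge handling (assumption: not an OAAM API).
public final class OtpChallengeService {
    private static final String NUMERIC = "0123456789";
    // Alphanumeric alphabet without the easily confused characters 0/O and 1/I.
    private static final String ALPHANUM = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789";
    private static final SecureRandom RNG = new SecureRandom();

    private static final class Challenge {
        final String code; final Instant expires; int attempts;
        Challenge(String code, Instant expires) { this.code = code; this.expires = expires; }
    }

    private final Map<String, Challenge> pending = new ConcurrentHashMap<>();
    private final Duration ttl;      // how long a generated code stays valid
    private final int maxAttempts;   // failed entries allowed before the code is discarded

    public OtpChallengeService(Duration ttl, int maxAttempts) { this.ttl = ttl; this.maxAttempts = maxAttempts; }

    // Pluggable randomization: numeric or alphanumeric code of any length from a CSPRNG.
    public static String generateCode(int length, boolean alphanumeric) {
        String alphabet = alphanumeric ? ALPHANUM : NUMERIC;
        StringBuilder sb = new StringBuilder(length);
        for (int i = 0; i < length; i++) sb.append(alphabet.charAt(RNG.nextInt(alphabet.length())));
        return sb.toString();
    }

    // "The system generates the OTP code": store it against the login ID held in the HTTP session;
    // the caller then delivers it out of band (SMS, email, IM or voice) and never echoes it to the page.
    public String issue(String loginId, int length, boolean alphanumeric) {
        String code = generateCode(length, alphanumeric);
        pending.put(loginId, new Challenge(code, Instant.now().plus(ttl)));
        return code;
    }

    // "The user enters the code": single use, time-limited, attempt-counted, constant-time comparison.
    public boolean verify(String loginId, String submitted) {
        Challenge c = pending.get(loginId);
        if (c == null || submitted == null || Instant.now().isAfter(c.expires)) { pending.remove(loginId); return false; }
        boolean ok = MessageDigest.isEqual(c.code.getBytes(StandardCharsets.UTF_8),
                                           submitted.getBytes(StandardCharsets.UTF_8));
        // Clear the challenge on success (the code is used once) or once the attempt budget is exhausted.
        if (ok || ++c.attempts >= maxAttempts) pending.remove(loginId);
        return ok;
    }
}
```

A failed verify leaves the user on the challenge page with the same code until either it expires or maxAttempts failures discard it, at which point a fresh issue is required.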