Software Consultancy: strong authentication systems, WITO and IambOOTP

Among all kinds of software consultancies offered by IambOO, we can find strong authentication systems (or two factors authentication), meaning authentication methods based on the combined individual authentication procedures. IambOO offers two specific (and proprietary) strong authentication products: WITO and IambOOTP.

A growing number of companies is forced to work with digital systems in which it’s necessary to authenticate the user so that he/she can use them to its full potential. The most common two-factors authentication forms use “something you know” (a password) as first factor, while the second factor can either be “something you own” (a physical object) or “something personal” (such as a fingerprint – a biometric characteristic). A common example of two-factors authentication is your debit card: the card is the physical object that represents “something you own” and the Pin code represents “something you know”.

Let’s talk a bit about IambOO’s strong authentication products.

WITO

WITOis a strong authentication system that “exploits” the caller’s phone number, it’s compatible with each and every smartphone and it’s free for the final user. WITO has a great advantage compared to (more common) systems since it’s not prone to mobile personification (spoofing), an informatic attack that is used to fake some information, such as (for example) a host identity inside a network or a message’s sender.

How does WITO work?

Just as (almost) every existing authentication system, the user needs to put in the form his/her username and password. Then, the user has to make a call with his/her smartphone to a toll-free number that recognizes the caller ID and it proceeds with the authorization. This kind of authorization is not safe, since it’s quite easy to simulate the caller phone number, through the informatic attack called spoofing.

Wito allows the user to log in with a username and a password and the system immediately “makes” a call to the number given while signing up. It’s not mandatory to answer the call, but you have to write down the last 3 numbers in order to be immediately log in. Wito doesn’t need other apps in order to work, the only device needed is a smartphone.

WITO PROS

Wito is based on a software-as-a-service model (SAAS) so that the company doesn’t need to buy other software, but it can use the service through a subscription, thus lowering significantly the costs.

This is the reason why WITO is so cost-effective compared to other competitors.

The final user has no costs nor service’s connection costs. We are talking about a real-time call, and the user is immediately logged in (and he/she doesn’t have to bear any cost), while sms-based systems don’t provide the same service.

WITO can be compatible with all the different existing smartphones.

IambOOTP

IambOO’s strong authentication system uses OTP token public algorithm. Just as every OTP-based authentication system, it allows the user to control the logical accesses by using a double-factor: a known information (a personal identification code) and one information which is not known (and always different), a password which is automatically generated. A normal smartphone is the only thing you’d need in order to use IambOOTP (not even a software).

How does IambOOTP work?

IambOO is OATH Adopting Member (Initiative for Open Authentication); OATH is the initiative that wants to promote authentication’s open universal standards. The main industrial and IT leaders are involved in this mission in order to give a standard reference organization to strong authentication of every user, in every network, through every device.

With this in mind, IambOOTP is included in a validation server (authentication form, licensing form and administrative backend), it includes the automatic authentication option through QR-Code, the integration through SDK (Java, PHP and C#) and a mobile APP Iphone and Android’s compatible. An integration with Radius server is also possible, and so are the back-up codes preservation in case of device’s loss (optional) and OTP generation based on time (optional).

A lot of OTP technologies are patented, thus making this sector’s standardization harder, because every company believes that its technology is the best. There are some standards we decided to follow anyway while programming, thus making the compatibility with the main digital systems the easiest possible: IambOO’s algorithm is based on RFC 4226 – HOTP.

IambOOTP PROS

This solution, thanks to open standards’ being used for the programming process, allows the possibility of lowering the costs significantly, because while the other hardware tokens do need storage management, software don’t.

IambOOTP is highly configurable and it integrates itself nicely with pre-existing instruments, offering highly optimized services’ performances with 2000/per sec (and more) authentications throughput.

Practically speaking, there’s no need to “get to know” another device, since IambOOTP needs the use of a smartphone and it’s always available (no need of a physical token) and the mobile app doesn’t need a wifi nor a phone Internet connection. A backend interface allows a technical worker to easily manage tokens while activating/deactivating them, and creating and verifying a token status. It’s possible to manage admin users by giving them different authorization levels.

Nowadays, strong authentication systems have a critical role in PA and companies’ digital lives, that need to verify the identity of those logging in in specific apps or to take care of critical data. A strong authentication solution is necessary in order to verify the identity of those logging in some kind of apps and doing some procedures. Keeping that in mind, IambOO’s solutions are developed to be highly user-adjustable.