Salt SMS OTP
SafeSign Authentication Server

Strong authentication of users and transactions is critical in the provision of any secure e-business solution. Password protection, even though widely accepted and used, is a weak method of authenticating users onto online services. Passwords can be stolen, are subject to interception and eavesdropping, and even encrypted passwords are not always safe from replay attacks. Users can be particularly poor at remembering passwords and, as a result, write them down, use the same passwords for many applications and don’t always change them as often as required. To reduce the security risk created by the use of passwords, stronger authentication methods have been developed to provide businesses with higher levels of security.

Since the emergence of the Internet, building a successful e-business service has become vital in managing profitable business operations. Proving the identities of the participants involved in a transaction, and ensuring data cannot be read or modified by entities without proper authorisation, is essential in safeguarding e-business transactions.

SafeSign Authentication Server in conjunction with Salt SMS OTP Mobile Tokens provides an advanced authentication solution able to address the security concerns of static password protection. SafeSign and Salt SMS OTP Mobile Tokens meet the security requirements needed across the enterprise, from Internet applications and authentication of remote users to protection of transactions in e-Commerce solutions.

SafeSign is an identity management, user authentication and transaction security solution that enables secure authentication of user identities and business transactions. Utilising the latest web technology and international standards for e-business and security, SafeSign removes the need for proprietary systems and enables the highest levels of security.
Created to offer multi-channel advanced authentication for secure applications, SafeSign can be used by many applications in different parts of the organisation, supporting a wide range of digital identities. SafeSign is unique in providing support for multiple authentication schemes, including Salt SMS OTPs, within a single platform – adding multiple layers of security to your existing authentication operations and transaction processing with minimum integration effort.

Salt SMS OTP Features

SMS ‘Virtual Token’ Management:
• Enrol users’ mobile phone numbers from multiple sources, such as databases or directory services
• Leverage your existing SafeSign security infrastructure
• Manage SMS ‘virtual tokens’ throughout their lifecycle: allocate, suspend and revoke

Configurable SMS OTP policy:
• Define the IT policy for SMS OTPs, such as the validity period of the OTP (e.g. valid for 10 mins), the length of the OTP (e.g. 8 digits) and the character set of the OTP (e.g. numeric 0-9)
• Vary the OTP expiry period, mapping multiple SMS OTP policies across the enterprise
• Include accompanying transactional text with the SMS OTP
• Personalise the SMS according to your business requirements

High Security:
• Event-based OTPs that are only valid for a pre-defined period of time
• Ensure personnel have been strongly authenticated to gain access to the system and to perform critical security functions
• Use a certified tamper-resistant hardware security module, enabling secure management of all your key processes and digital credentials
• Seamless integration of all the SafeSign components, ensuring maximum security of keys and data

© Copyright Salt Group Pty Ltd | www.saltgroup.com.au | info@saltgroup.com.au | +61 3 9866 4400

Salt SMS OTP Features (continued)
Scalable and Flexible Key Management:
• SMS OTPs are cryptographically generated based on 2 x 56-bit keys using Triple DES
• HSM-generated key material is used to calculate SMS OTPs
• Secure management and storage of cryptographic keys
• SMS ‘virtual token’ management is consistent with the other supported authentication tokens, supporting seamless migration to a choice of security tokens
• Highest level of security, ensuring SMS ‘virtual token’ keys are transferred according to best-practice key management

SafeSign accommodates changing business requirements by enabling rapid expansion of the security platform to increase service performance.

Audit Trails:
• Monitor and track SMS OTP history to ensure that OTP generation and delivery has occurred, who made that OTP request and whether the OTP has subsequently been validated
• Maintain an HSM-protected, tamper-evident audit report identifying each stage of the transaction process and the users involved in each task
• Receipting of SMS delivery notifications from the SMS Gateway (dependent on Gateway capabilities)

SafeSign Features

Advanced Authentication with SafeSign
• Authenticate users according to your specified security policy
• Support multiple authentication methods across your entire business
• Consolidate all authentication requirements for your applications on a single platform, maximising ROI and providing fit-for-purpose authentication for various application needs

Cost Savings
By keeping all authentication, issuance and management centralised, infrastructure costs will inevitably be reduced compared with operating multiple security solutions.

Improved ROI
Implementing a single security platform across multiple applications and for different parts of the enterprise reduces the overall development and support costs, increasing the Return on Investment.
Improvements in Workflow Efficiency
SafeSign’s user-friendly interfaces improve productivity by enabling users to spend more time on their specified tasks as opposed to operating security systems on a complex security infrastructure.

Risk Management
Dramatically reduce the risk of unauthorised access and fraud attempts by ensuring you are aware of who is accessing your system.

Expandable
The SafeSign architecture provides the assurance that systems can be expanded to accommodate additional authentication methods, without the need to integrate and invest in other authentication or management systems. This provides the flexibility to embrace new technologies as they emerge.

SMS ‘Virtual Token’ Activation
The activation sequence is Allocate, then Link, then Activate the Virtual Token:
• Allocate: allocateToken() allocates a ‘virtual token’ from the database, including cryptographic key material, timeout counters and policies.
• Link: startProvisionToken() associates the assigned ‘virtual token’ serial number with the user’s mobile phone number.
• Activate: getActivationCode() calculates and sends a Confirmation Code via SMS to the linked mobile phone number; verifyConfirmationCode() verifies the Confirmation Code and activates the ‘virtual token’.

LifeCycle Management of SMS ‘Virtual Tokens’
• generateChallenge(): calculate and send a One Time Password (OTP) via SMS to the linked mobile number.
• verifyResponse(): verify the response OTP within the timeout counters.
• suspendToken(): temporarily disable the SMS ‘virtual token’.
• unsuspendToken(): re-enable the SMS ‘virtual token’.
• revokeToken(): permanently disable the SMS ‘virtual token’.

Supported Interfaces
• Java through RMI, JNDI or Java Bean interface
• Web Services through XML or SOAP with support for Web Services Security (WS-S)
• Microsoft .NET interface
• Other protocols like XML D-Sig or SAML for authentication

Supported Databases
The SMS ‘Virtual Token’ attributes are stored in a database.
These details include: timeout counters, OTP policy, token state and audit logs.

The following databases are supported:
• Microsoft SQL Server 2000-2005
• Oracle 10
• Apache Derby (JavaDB) 10.2+

Registration Process
(Diagram: the Relying System enrols the user, capturing the mobile number and evidence of identity, and calls allocateToken() on the SafeSign Authentication Server, which returns the SMS ‘Virtual Token’ serial number. The mobile number is then linked to that serial number, and the Confirmation Code is sent via SMS to the linked mobile number. Steps shown: Allocate, Link, Activate Virtual Token.)
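The following is an added example, not Salt Group's or SafeSign's own code, written to show how the pieces described in this brochure fit together: the configurable OTP policy (length, character set, validity period), the event-based OTP that is only valid for a pre-defined period, the Allocate / Link / Activate sequence and the lifecycle calls (generateChallenge, verifyResponse, suspend, unsuspend, revoke), and the registration process. The method names are copied from the brochure, but their real signatures, return values and storage are not documented here, so everything inside them is assumed. The product derives OTPs with two-key Triple DES under HSM-held keys and persists token state in a database; this example substitutes HMAC-SHA256 from the Python standard library, an in-memory dictionary and a constructed serial-number format, and returns the code that the real server would hand to the SMS gateway.

```python
# Added example, not Salt Group's or SafeSign's code; HMAC-SHA256 stands in for the product's two-key 3DES (assumption).
from __future__ import annotations
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field
from enum import Enum

class State(Enum):
    ALLOCATED = "allocated"   # after allocateToken()
    LINKED = "linked"         # after startProvisionToken()
    PENDING = "pending"       # confirmation code sent by getActivationCode()
    ACTIVE = "active"         # after verifyConfirmationCode() or unsuspendToken()
    SUSPENDED = "suspended"   # suspendToken(): temporary
    REVOKED = "revoked"       # revokeToken(): permanent

@dataclass(frozen=True)
class OtpPolicy:
    """Configurable SMS OTP policy: length, character set and validity period."""
    length: int = 8                # e.g. 8 digits
    alphabet: str = "0123456789"   # e.g. numeric 0-9
    validity_seconds: int = 600    # e.g. valid for 10 mins

@dataclass
class VirtualToken:
    serial: str
    key: bytes
    state: State = State.ALLOCATED
    mobile: str | None = None
    counter: int = 0                          # event counter, stepped once per code issued
    pending: tuple[str, float] | None = None  # (outstanding code, expiry timestamp)
    audit: list[str] = field(default_factory=list)   # per-token OTP history

def derive_code(key: bytes, counter: int, policy: OtpPolicy) -> str:
    """Event-based OTP: keyed MAC over the counter, mapped onto the policy alphabet."""
    mac = hmac.new(key, counter.to_bytes(8, "big"), hashlib.sha256).digest()
    n, out = int.from_bytes(mac, "big"), []
    for _ in range(policy.length):
        n, idx = divmod(n, len(policy.alphabet))
        out.append(policy.alphabet[idx])
    return "".join(out)

class TokenServer:
    """Minimal stand-in for the SafeSign lifecycle calls named in the brochure."""
    def __init__(self, policy: OtpPolicy = OtpPolicy(), clock=time.time):
        self.policy, self.clock = policy, clock   # clock is injectable so expiry can be exercised
        self.tokens: dict[str, VirtualToken] = {}
    def _get(self, serial: str, *allowed: State) -> VirtualToken:
        tok = self.tokens[serial]
        if tok.state not in allowed:
            raise ValueError(f"{serial} is {tok.state.value}; call not permitted")
        return tok
    def _issue(self, tok: VirtualToken, label: str) -> str:
        """Step the event counter, stamp the expiry and hand the code to the SMS channel."""
        tok.counter += 1
        code = derive_code(tok.key, tok.counter, self.policy)
        tok.pending = (code, self.clock() + self.policy.validity_seconds)
        tok.audit.append(f"{label} issued to {tok.mobile}, counter={tok.counter}")
        return code   # the product sends this via the SMS gateway; returned here so the example can check itself
    def _check(self, tok: VirtualToken, response: str, label: str) -> bool:
        """Accept the outstanding code once, within its validity period, then retire it."""
        if tok.pending is None or self.clock() > tok.pending[1]:
            tok.pending = None
            tok.audit.append(f"{label} rejected: none outstanding or expired")
            return False
        ok = hmac.compare_digest(tok.pending[0].encode(), response.encode())
        if ok:
            tok.pending = None   # one-time: a validated code cannot be replayed
        tok.audit.append(f"{label} {'validated' if ok else 'rejected'}")
        return ok

    # Activation: Allocate -> Link -> Activate
    def allocateToken(self) -> str:
        serial = f"VT{len(self.tokens) + 1:06d}"   # constructed serial format
        self.tokens[serial] = VirtualToken(serial, secrets.token_bytes(16))  # 16-byte key, two-key 3DES size
        return serial
    def startProvisionToken(self, serial: str, mobile: str) -> None:
        tok = self._get(serial, State.ALLOCATED)
        tok.mobile, tok.state = mobile, State.LINKED
    def getActivationCode(self, serial: str) -> str:
        tok = self._get(serial, State.LINKED, State.PENDING)   # PENDING permits a re-send
        tok.state = State.PENDING
        return self._issue(tok, "confirmation code")
    def verifyConfirmationCode(self, serial: str, code: str) -> bool:
        tok = self._get(serial, State.PENDING)
        if self._check(tok, code, "confirmation code"):
            tok.state = State.ACTIVE
        return tok.state is State.ACTIVE

    # Lifecycle management
    def generateChallenge(self, serial: str) -> str:
        return self._issue(self._get(serial, State.ACTIVE), "one time password")
    def verifyResponse(self, serial: str, otp: str) -> bool:
        return self._check(self._get(serial, State.ACTIVE), otp, "one time password")
    def suspendToken(self, serial: str) -> None:
        self._get(serial, State.ACTIVE).state = State.SUSPENDED
    def unsuspendToken(self, serial: str) -> None:
        self._get(serial, State.SUSPENDED).state = State.ACTIVE
    def revokeToken(self, serial: str) -> None:
        tok = self._get(serial, *[s for s in State if s is not State.REVOKED])
        tok.state, tok.pending = State.REVOKED, None
```

Two properties carry the security weight here. First, verifyResponse() is gated on token state, so a suspended or revoked token cannot obtain or validate an OTP even if the SMS channel is still reachable. Second, an OTP is retired the moment it validates, and is rejected once its validity period has elapsed, so a code captured from a handset or an SMS gateway log cannot be replayed; the brochure's "timeout counters" serve the same purpose. A production deployment would also cap the number of guesses per issued code and write the audit entries to the HSM-protected, tamper-evident store the brochure describes rather than an in-memory list.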