
VeriSign's keyring-sized tokens, which generate one-time passwords (OTPs).
Ed Elliff, director of Identity and Authentication Services at VeriSign Australia, told iTnews that VeriSign was chosen by DocLocker for its strong authentication access methods.
VeriSign’s VIP Services network allows users to identify themselves using one-time passwords (OTP) generated on tokens and credit card form factors, or sent to a mobile phone via SMS.
Using these OTPs, users can securely identify themselves across a number of websites – from eBay and PayPal to the NSW Teacher’s Credit Union.
“It’s like the global banking networks,” said Elliff, speaking to iTnews from Singapore. “Take Cirrus. If your bank is part of the Cirrus network, then you can access money at any Cirrus-affiliated bank ATM anywhere around the world.”
Soon, users might be able to use VeriSign identification tokens to access Australian Government services.
One of these involves the proposed AGOSP, a single access point for government services.
VeriSign already has a special distribution partner relationship with Australia Post.
“They do work with passport applications and work with banks – so it’s in line with their business portfolio.
“They have launched the VIP Service here to their customers – banking, customers, governments, and so on. They act as our channel to the Australian market.”
Creating a secure access framework
VeriSign was part of the collaboration that developed the Open Authentication Organisation (OATH) specifications for end-user customer authentication technologies. VIP Services is OATH-compliant.
“Previously, the industry was focused on a solution called Federated Identities. It’s hard to get a framework working between different companies – a bank, an airline, a hotel – so that data can be safely transmitted without compromising privacy issues,” he said.
“[That’s why] we invested in a shared-authentication network. It essentially moves the authentication of an individual into the cloud.”
Elliff said that moving authentication into the cloud didn’t affect users’ privacy in this case.
“All of the customer’s information is stored in the relevant organisations,” said Elliff.
“All we know is the serial number of the device, and the one-time password to be verified. These get passed through our systems, and all we check is whether the serial number and that one-time key are right or wrong.
“That’s why VIP and OATH are more secure than a federated identity scheme – with those, you’ve got to come up with rigid standards and liabilities about who gets to see what information as it’s passed around the internet.
“By comparison, VeriSign is a very simple solution that doesn’t interfere with privacy.”
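The split described above, where the shared service sees only a token serial number and an OTP while each organisation keeps its own customer records, can be sketched as follows. This is an added example, not VeriSign's code: it assumes the tokens use HOTP (RFC 4226), one of the OATH algorithms, which the article does not state, and the class names, serial number and usernames are hypothetical.

```python
import hashlib
import hmac
import struct

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

class SharedValidator:
    """Hypothetical shared service: keyed by token serial, holds no user data."""
    def __init__(self, look_ahead: int = 3, max_failures: int = 5):
        self._tokens = {}  # serial -> [secret, next_counter, failed_attempts]
        self.look_ahead = look_ahead
        self.max_failures = max_failures

    def provision(self, serial: str, secret: bytes, counter: int = 0) -> None:
        self._tokens[serial] = [secret, counter, 0]

    def verify(self, serial: str, otp: str) -> bool:
        entry = self._tokens.get(serial)
        if entry is None or entry[2] >= self.max_failures:
            return False  # unknown token, or locked after repeated failures
        secret, counter, _ = entry
        # Look ahead a few counters: the button may have been pressed unused.
        for c in range(counter, counter + self.look_ahead + 1):
            if hmac.compare_digest(hotp(secret, c).encode(), otp.encode()):
                entry[1], entry[2] = c + 1, 0  # move past c so a replay fails
                return True
        entry[2] += 1
        return False

class RelyingParty:
    """Hypothetical bank or site: owns the user record and user-to-serial binding."""
    def __init__(self, validator: SharedValidator):
        self.validator = validator
        self.bindings = {}  # username -> token serial, stored only at this site

    def login(self, username: str, otp: str) -> bool:
        serial = self.bindings.get(username)
        # Only the serial and the OTP leave the organisation.
        return serial is not None and self.validator.verify(serial, otp)
```

The look-ahead window and failure counter are the two settings a defender tunes here: a wider window tolerates more unused button presses but enlarges the set of OTPs accepted at any moment.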