Infortified Pte. Ltd.

Feitian OTP Authentication System
FOAS - One Time Password Authentication and Token Management System

The value of an institution depends significantly on the way how critical communications, transactions, and sensitive data is managed. Stable regulation of access to information networks is the cornerstone of the trust relationship necessary to conduct successful operations in the climate of contemporary commerce, exchange and management.

The fixed username and password schemes that proliferate across the vast majority of servers, websites, and networks are largely ornamental and provide little to no defense against the highly advanced and specialized tools wielded by modern cyber criminals; fixed credentials are also susceptible to being misplaced, misused, lost, guessed, or stolen. Dynamic one-time password (OTP) technology is a proactive measure that institutions can adopt to quell the danger posed by this inherent weakness. OTP functions on the basis of a constantly regenerated numeric password sequence produced by a hardware token distributed to end users; a unique password is created and entered to gain secure access at each log-in.

FOAS is engineered to comply fastidiously with the stipulations set forth by the Initiative for Open Authentication (OATH) consortium, a group which unites the foremost industry experts and specialists in the field of strong authentication and determines standards ensuring easy integration and mutual interoperability of the product offerings of participating members. As such, FOAS can be used seamlessly with any product certified according to the OATH criteria, making it a highly adaptable back-end server solution.

When used in conjunction with components of the Feitian family of OTP products, FOAS delivers a complete end-to-end solution which streamlines all authentication procedures from deployment to provisioning and maintenance, significantly reducing IT overhead expenses. FOAS is a multi-channel identity verification system which can simultaneously validate the user to a server and vice versa. Moreover, FOAS can establish a highly secure communication environment by providing digital signatures for web-based transactions.

FOAS has a centralized management interface that allows for the convenient management of different organizational systems. One of the added benefits of an inclusive compliance architecture by Feitian is the ability of FOAS to support a wide range of operating platforms, authentication protocols, programming languages, and web scripts. FOAS seamlessly integrates with existing third-party authentication components as well as systems based on the RADIUS protocol. Within the FOAS system, administrators can easily regulate the functionality of all users, hardware tokens, agents and log requests. Basic functions such as adding, auditing, editing, and deletion are supported through organized and intuitive profile grouping. Primary operators can assign and differentiate the level of access rights and privileges for separate accounts as well as delegate responsibility by specifying distinctive management roles for various accounts.
Within the FOAS system the process of token integration is simple and intuitive. Typically there are three integration methods:
  1. Using the existing RADIUS protocol on the application server to install authentication agents
  2. Integrating directly with authentication agents
  3. SDK interface integration

Essentially FOAS is comprised of three main components:
  1. Authentication server
  2. Management tool
  3. Authentication agent
Supplementary parts are the OTP server database management system, the SDK interface for customization and the end user OTP hardware tokens.

The authentication agent functions as a bridge between the authentication server and an application server. When an end-user logs in to the application server, an authentication request is sent to the authentication server through the agent, and the result returned through the agent decides whether the request is valid. The authentication agent is not necessary in every deployment scenario; applications integrated through RADIUS have no need for an agent.

The management tool has an easy-to-use web interface that provides remote management and maintenance of end-users, OTP tokens, authentication servers, authentication agents and log information from the database. The database management system is the foundation of the OTP Server Authentication System and contains most of the system data. The database management system can be chosen according to the specific demands of the client.

Benefits

Supports a Wide Range Of Platforms
FOAS can integrate smoothly into all major operating systems and supports multiple databases through ODBC or other database-specific interfaces. The FOAS system also provides a full set of development interfaces in various programming languages.

Centralised System Management
The web-based management tool provides secure remote management. A host of flexible settings is administered through central authentication for networks or computer operating systems. It supports multiple authentication services with different authentication settings on one computer.

Proven Track Record For Large Scale Deployments
FOAS handles load balancing for multiple authentication services with a concurrent service rate of thousands of authentications per second and support for more than ten million end-users. The system was engineered for interoperability with various authentication agents.

FOAS Enhances The Security Of Application Servers
Dynamic passwords are randomly generated unique numeric sequences used as log-in credentials. Use of dynamic passwords can prevent threats such as replay, peeping (shoulder surfing) or monitoring. A fixed password can be used together with dynamic passwords to form two-factor authentication.

FOAS Supports The Entire Suite of Feitian OTP Hardware Tokens
With FOAS as a stable back-end foundation, users can adopt the Feitian hardware solution that best fulfills their specific demands. The OTP c300 token adds PIN-protected access; both the challenge code and the time-factor component are necessary to generate a challenge-response dynamic password or transaction signature. End-users can choose to cross-validate the application server and vice versa, preventing leakage of sensitive personal data.

Features

Automatic Synchronization
The authentication server can automatically resynchronize a token during authentication if the token is found to be out of sync.

Multiple Token Support
As for hardware tokens, FOAS supports event-based OTP c100, time-based OTP c200, challenge-response OTP c300 and event-based-and-PKI-combined OTP c400 tokens as well as mobile OTP tokens based on event, time or challenge-response.

Multiple Authentication Methods
  • Single dynamic password authentication - suitable for applications that do not require high security
  • Static and dynamic password authentication can be employed together to log into the application server. This method is commonly used to bring the secure authentication of a current application server to the next level
  • Challenge-response authentication for application servers with high security requirements. This method is slightly more tedious and the authentication process involves more steps. However, it provides higher security and more interaction
  • Mutual authentication against fake application servers. End-users can verify the real application server before providing their personal information.
  • Transaction signature authentication for application servers that authenticate high-value critical transactions. This ensures these transactions are indeed made by the end-user who claims to have made them.

RADIUS Server Support
According to pre-configured settings, the authentication server can send an authentication request to a designated RADIUS server and collect the authentication result to send back to the application server.

High Performance
The authentication server supports more than ten million concurrent end-users, and a single server can reach a concurrent processing rate of 3000 authentications per second.

Multiple Algorithms
  • HOTP algorithm from OATH
  • TOTP algorithm from OATH
  • OCRA algorithm from OATH
  • SM3 algorithm from the national security standard

Prevention of Dictionary Attack
When the authentication server detects that a particular end-user has exceeded a configurable number of failed authentication attempts (the retry counter), it locks out that end-user. During this locked period, the authentication server refuses any authentication request submitted by this end-user until the account is unlocked and reset to its operational state. This is an effective prevention for dictionary attacks.

Prevention of Denial-of-Service Attack
The authentication server will delay sending a failed authentication result, which effectively prevents denial-of-service attacks.

Copyright © 2016 Infortified Pte Ltd. All Rights Reserved.