Cell-OTP™ Service Administrators Guide Version 1.1 - Digi-Sign


Title:

Cell-OTP™ Service

Administrators Guide

Version 1.1

Document Type: Cell-OTP™ Administrators Guide

Reviewed: Technical Department

FileTracker: S:\External\Cell-OTP\Cell-OTP Service Administrators Manual v1.1.doc

Copyright: Copyright © 2002-2011, Digi-Sign, The Certificate Corporation

Contributors:

Name Code Date Revision

Author/Design

P. Michalski PM001 26 Jan’ 2009 n/a

Technical

M. Ravel MR001 17 Mar’ 2010 n/a

Approved

P. Reynolds PR001 17 Dec’ 2010 n/a


Table of Contents

1 Introduction ___________________________________________________4

1.1 Executive Summary __________________________________________4

2 Cell-OTP™ Overview _____________________________________________5

2.1 What is Cell-OTP™ ___________________________________________5

2.2 Why You Should Use Cell-OTP™ _________________________________5

2.3 How Cell-OTP™ Works ________________________________________5

2.4 How Cell-OTP™ is Issued & Managed _____________________________6

2.5 Cell-OTP™ Versions __________________________________________6

2.5.1 Cell-OTP™ Service ____________________________________________ 6

2.5.2 Cell-OTP™ Server ____________________________________________ 6

2.6 Using Cell-OTP™ _____________________________________________6

2.6.1 Secure Server Access _________________________________________ 7

2.6.1.1 Administrator Invited __________________________________ 7

2.6.1.2 Subscriber Requested__________________________________ 7

2.6.2 Cell-OTP™ Storage ___________________________________________ 7

2.6.3 Multiple Site Accounts _________________________________________ 7

2.6.4 Cell-OTP™ Simple Deployment __________________________________ 7

2.7 Server Requirements _________________________________________8

3 Using Cell-OTP™ ________________________________________________9

3.1 Site Identification [SID] Number ________________________________9

3.2 Administrator Account ________________________________________9

3.3 Cell-OTP™ AS Management System ______________________________9

3.3.1 Create Site Details___________________________________________ 10

3.3.2 Manage Users ______________________________________________ 12

3.3.3 Manage Site Templates _______________________________________ 13

3.3.3.1 Authentication Services _______________________________ 14

3.3.3.2 AddIdentity_________________________________________ 14

3.3.3.3 AuthenticateIdentity__________________________________ 15

3.3.3.4 getServerTime ______________________________________ 16

3.3.3.5 Templates for Calling Services __________________________ 16

3.3.3.6 SMS / Email Options__________________________________ 18

3.4 Support___________________________________________________19


1 Introduction

This guide is intended to assist Administrators in selecting, configuring and

administering the Cell-OTP™ one-time-password, two factor

authentication system. It is assumed that the audience and readers of

this guide have a basic understanding of the concepts of information

technology and the administration and management of web servers.

1.1 Executive Summary

Feature Benefit

As more applications use

the internet, security is

an issue

As more and more applications are hosted and accessed

on the internet, how these systems are protected to

prevent unauthorised access is of paramount importance

Usernames & passwords

do not provide the

security you need

Usernames and passwords provide limited protection and

should not be considered as sufficient security for your

systems access

To improve security, a

second layer of protection

is needed

Adding a 'second layer' of protection, called 'two factor

authentication', is the preferred security option that

strengthens the existing username and password access

‘Something you know’ &

‘something you possess’

When you combine usernames and passwords (something

the user knows with something the user possess) you

achieve the desired two factor authentication security

There are many two

factor authentication

solutions

One-Time-Password [OTP] hardware tokens, software

agents, mobile phone SMS technology and authentication

servers, all offer good two factor authentication

But they are cumbersome

& expensive to implement

Purchasing and installing the central hardware and then

distributing hardware to end users can be very costly

Whilst Digi-Access™ is

simple & inexpensive to

deploy

Digi-Access™ uses military grade digital certificate

security that can be activated and deployed at a fraction

of the costlier alternatives

Digi-Access™ lacks

complete mobility

There are situations where Digi-Access™ cannot meet the

demands of your environment and the best alternative is

Cell-OTP™ fills this gap &

is completely mobile

The OTP hardware token can now be replaced by using

your cell phone to generate the One-Time-Password

Highly scalable Cell-OTP™ can issue and manage millions of users

No maintenance costs The per user, per annum cost means there are no hidden

costs or no additional annual maintenance charges

Overall best value for

money, mobile two factor

authentication

Faster to configure and enable. No hardware or software.

No specialist engineering personnel. Makes Cell-OTP™ the

most efficient, mobile two factor authentication solution


2 Cell-OTP™ Overview

As more organisations choose to host business critical applications on the internet, ensuring

that only authorised users can access these applications is of paramount importance.

Usernames and passwords (something that you know - single factor authentication) cannot

be considered a secure method of protecting this data. And responsible organisations have

been using two factor authentication (something that you know combined with something

you possess) to protect these assets.

Probably the simplest two factor authentication system to implement is Digi-Access™,

however, when the issue of high mobility arises, then an alternative to Digi-Access™ is

required. Cell-OTP™ ‘fills the gap’ between Digi-Access™ and complete mobility by using

your cell phone to generate one-time-passwords [OTP]. As implied in the name, these

passwords can only be used once and because they are generated on the cell phone device,

are impossible to copy, steal, reuse, etc.

2.1 What is Cell-OTP™

2.1.1 Strong security

on your cell

phone

Cell-OTP™ is the affordable and easy to deploy identity

management and strong two factor authentication solution that

uses your cell phone to generate one time passwords [OTP]

2.1.2 Unique one

time password

generator

Cell-OTP™ is a small application that is installed on your cell

phone, like a ring tone or game, that generates the one time

password [OTP] that can be used only once, to login to a server

2.1.3 Synchronised

with the server

The server login uses scripting languages and RADIUS

technology to synchronise the OTP with the server login

2.2 Why You Should Use Cell-OTP™

2.2.1 More secure

access to

digital assets

Online system owners that wish to secure access to their online

systems use Cell-OTP™ to provide strong two factor

authentication to the users of these systems

2.2.2 Unique identity

cannot be

copied or

shared

Every request for the OTP is unique and can use both letters and

numbers to create an exponentially long and unique password

that is simply too complicated to be ‘bluffed’ or ‘bruted’. And

every password can only be used once

2.3 How Cell-OTP™ Works

2.3.1 Passwords

offer single/one

factor

authentication

When you login to a secure online site or system with a

username and password, this username and password is

'something you know'. This is single or one factor

authentication

2.3.2 Cell-OTP™

adds a second

security layer

If the site requires Cell-OTP™, then in addition to knowing your

username to login you must also have the unique OTP.

Cell-OTP™ is 'something you have' and this adds a second layer


of security known as two factor authentication

2.3.3 Organisations

that care about

security use it

It is this additional layer of two factor authentication security

that protects you and the information you are sending and

viewing. Organisations that use Cell-OTP™ are typically

renowned for respecting the privacy, security and integrity of

their end users and customers

2.4 How Cell-OTP™ is Issued & Managed

2.4.1 The Cell-OTP™

system issues

the certificates

Cell-OTP™ is issued by the Cell-OTP™ Authentication System

[COAS] system. Cell-OTP™ can be downloaded manually to

your phone or the application can be sent by SMS

2.4.2 Cell-OTP™ AS

controls users

The COAS system is used to enable/disable users and to add

additional site access details to the cell phone

2.5 Cell-OTP™ Versions

The Cell-OTP™ application on the phone is synchronised with the Cell-OTP™ Authentication

System that can be delivered as installable software or offered as a service:

2.5.1 Cell-OTP™ Service

2.5.2 Cell-OTP™ Server

2.5.1 Cell-OTP™ Service

The Cell-OTP™ Service is a Software-as-a Service [SaaS] that is suitable for server and web

sites requiring two factor authentication OTP and identity management but where your

organisation does not require ownership of the actual installed software.

If your web site is hosted and/or you don’t want to maintain a costly identity management

system on your server, but you still want your customers to feel secured with this advanced

and innovative technology, then Cell-OTP™ Service is recommended.

2.5.2 Cell-OTP™ Server

The Cell-OTP™ Server AS can is easily installed in-house. It is a powerful two factor

authentication OTP and identity management package that can be linked to any Radius

protocol supporting device or software and/or integrated with any application using its API

and web services. The Cell-OTP™ Server AS can be queried by remote servers to provide

the authentication service to these other servers.

2.6 Using Cell-OTP™

With usernames and passwords, when users want to access a secure site the server checks

the user details against the details held in a database and proceeds according to the results.


Cell-OTP™ does not change the process. The only change is that when the user details are

checked your web site will use the Cell-OTP™ AS to query the validity of the details.

2.6.1 Secure Server Access

There are two principal type of user that require two factor authenticated access, namely:

2.6.1.1 Administrator Invited

2.6.1.2 Subscriber Requested

2.6.1.1 Administrator Invited

Users are centrally managed and added by the Administrator. The administrator has access

to the Cell-OTP™ AS management system and can manage the web site details, servers,

users and logs.

2.6.1.2 Subscriber Requested

When a users register at a website, for example, they enter their details and submit a

request to be registered at the web site. The program adds the user to the database and

may request to verify the user by sending an email for final verification. The Cell-OTP™ AS

does not change the process it only replaces (or adds to) the register function. The web

page will use Cell-OTP™ AS and API to register the user at the Cell-OTP™ AS and next time

this user tries to login the Cell-OTP™ unique, one-time-password will be checked.

2.6.2 Cell-OTP™ Storage

The Cell-OTP™ token is stored on almost any cell phone for ease of use and for portability

and mobility. However, the same application can also be stored on your computer.

2.6.3 Multiple Site Accounts

Cell-OTP™ is more than a single-use token. It is a multiple site accounts tokens manager.

You can add multiple accounts and manage them using the Cell-OTP™ on your phone and

each account has a different OTP.

The Cell-OTP™ AS creates an individual user account and each user account has a shared

secret that uses a long string called the ‘Secret Data’. When adding a new account in the

Cell-OTP™ AS, the Secret Data value is entered once. And this Secret Data can then be

assigned to multiple login accounts at multiple locations.

2.6.4 Cell-OTP™ Simple Deployment

To make the deployment process simple for the customer, there are multiple ways for

delivering the Cell-OTP™ software to the customer cellular and adding the creating the user

account.


Using the Cell-OTP™ API, you can customise multiple ways to deploy the Cell-OTP™

software. The basic option is to invite the user to download and install the Cell-OTP™, just

as you would install any other cell phone application or game.

Once Cell-OTP™ is installed on the cell phone the user will use the menu item ‘Add Site

Account Manually’ to add a new account. In this case the user must know the Secret Data.

Usually the Secret Data is sent to the user by SMS, email, surface mail, or is personally

delivered.

Alternatively, the user can be sent an SMS with the download URL and then can add the

account manually. Or, using the Cell-OTP™ AS, the SMS can contain both the URL and the

account Secret Data as a single, one-click, install.

2.7 Server Requirements

The server, web site or service that wants to use Cell-OTP™, must have a fixed IP address.


3 Using Cell-OTP™ Service

To successfully implement the use of Cell-OTP™, there are X simple steps that must be

followed:

3.1 Site Identification [SID] Number

3.2 Administrator Account

3.3 Cell-OTP™ AS Management

3.3.1 Manage Site Details

3.3.2 Manage User Accounts

3.3.3 Manage Site Templates

3.1 Site Identification [SID] Number

The Site IDentification [SID] is a unique number code that is assigned to your account and

is used on the server to communicate with the Cell-OTP™ AS. During the Cell-OTP™

ordering process, you will have been asked to provide:

- Site/server URL or fixed IP Address

- Administrator’s contact details

The SID is unique for each server and should be kept in a safe place.

3.2 Administrator Account

Using the Administrator details provided when ordering Cell-OTP™ the Administrator’s

account is created and the Secret Data sent to the Administrator to login to the Cell-OTP™

AS.

3.3 Cell-OTP™ AS Management System

The Cell-OTP™ AS is located at: www.megaas.com/wisecat and the Administrator uses their

SUD, username and Cell-OTP™ one-time-password, to login to the Cell-OTP™ AS.

The Cell-OTP™ AS allows the Administrator to manage:

- Site details

- Users and import users


- Site Logs

- Site template messages

- Send SMSs

3.3.1 Site Details

Short Title: abcinc.com

Company: ABC, Inc.

Contact Name: Bob Smith

Email: bob.smith@abcin

Phone: 1122333

Country: United Kingdom

SD Length: 8

Otp Length: 6

Minus Grace: 3

Plus Grace: 3

Site IP: Enabled: True

Enable Register: False

Disable After: 3

Login attempts.

Enable After: 0

hours.

SMS Credits 3,000

Deploy Time 24

Default Jad DIGI1V2

Site notices can be sent to the Contact Email/Cell Phone (SMS requires credits):

New Registration: by Email

Downloaded: by Email

Id Disabled: by Email

Site Updated: by Email

Short Title – A sort name for the site. We suggest no more then 15 characters.

When Cell-OTP™ tokens are deployed by SMS to new users this

value is used as the Site name at the Cell-OTP™ token

Company – full legal company name

Contact name – the admin name

Email – the contact Email. The Email address will be used for automatic

messages and notices generated by the system

Phone – the contact Cellular phone number. This phone number will be used

for automatic messages and notices generated by the system.

Please do not enter + or blanks or leading zeros. The number

should be: country code + phone number


Country – choose the admin country of residence

SD Length – the length of the Secret Data to be generated for each user

OTP Length – the length of the OTP to be generated for this site

Minus/Plus grace – clock miss match allowance. If the difference of the user Cellular

clock minutes and server clock minutes is between the grace gap

the OTP will be accepted

Site IP – your web site fixed IP

Enabled – the status of your web site. Disabled site can not be logged to

Enable Registration – allow the usage of the remote registration service. It means that

the web site will allow users to Register to the web site and will use

the register API

Disable after – the number of consecutive login failures before disabling the user.

Select 0 if you do not want to use this option

Enable After – the number of hours after a user was automatically disabled to

revive the user. Select 0 if you do not want to use this option

SMS credits – the current number of SMS credits available to the site. SMS

credits are purchased from Digi-Sign

Deploy time – when a Cell-OTP™ was deployed to a user by SMS it is available for

a limited number of hours from the time it was sent

Default Jad – the name of the Cell-OTP™ token to be deployed to users by SMS

New Registration – a short message will be sent to the administrator via the chosen

vehicle notify him of any new user that registered to the site.

Downloaded notice – a short message will be sent to the administrator via the chosen

vehicle notify him of any deployed Cell-OTP™ that was received by

the new registered user.

ID Disabled notice – a short message will be sent to the administrator via the chosen

vehicle notify him of any new user was automatically disabled by

the system.

Site Updated notice – a short message will be sent to the administrator via the chosen

vehicle notify him when a change was made to the site, for

example when SMS credits were added.


3.3.2 Manage Users

The Cell-OTP™ users management allows you to Check the users list, Add new users,

Update users and Remove users.

Adding and or updating a user

SID: 11111

User ID:

Full

Name: Email:

Phone: Company: Mega AS

Country: United Kingdom

Expiry Date:

< June 2020 >

Su Mo Tu We Th Fr Sa

31 1 2 3 4 5 6

7 8 9 10 11 12 13

14 15 16 17 18 19 20

21 22 23 24 25 26 27

28 29 30 1 2 3 4

5 6 7 8 9 10 11

User Type: User

Authentication Type: Otp

Enabled: True

Send

Create

Message:

Do not send Select Message Default Email

Encrypt

SD with:

SID – unique SID provided for information only

User ID – a unique User ID, single string of letters and numbers

Full name – the user’s full name

Email – the user Email. This value will be used to send messages to the

user

Phone – the user’s Cell phone number, used for SMS deployment and

messages

Company – the user’s Company. By default it is the site Company


Country – the user’s country of residence

Expiration date – the user’s expiration date. After the expiration date he will not be

able to Login to the web site

User type – the admin can define another admin. The default is a regular user

Authentication type – the type of password used for authentication.

Enabled – the user status. Disabled user can not login to the web site. A user

may become disabled by the system if he failed a number of

consecutive times to provide the correct password.

Send create message – send a predefined message to the new user by a chosen vehicle

with details for the Cell-OTP™ token installation. When using SMS,

the user gets a URL link for downloading his personal Cell-OTP™

token. Notice – currently deployment by SMS works for cellular

types that support JAD type files download.

Select message – select the predefined template message to send to the user. There

are 2 default messages. The admin can add/modify the templates.

Notice – templates used for SMS should not exceed 150 characters.

Encrypt SD with – a password to encrypt the SD of the SMS deployed personal Cell-

OTP™ token for additional security.

3.3.3 Manage Site Templates

SID: 111111

Message Name:

Message Subject:

Message Body:

You can use the following

replaceable parameters.

Those will be populated

when the message is sent:

For identity Full Name:

@@fullname

For identity User ID:

@@userid

For identity Secret Data:

@@SD


Message name – this value is used for selecting the message. It should be a short

text

Message Subject – this value is used as Subject when the message is sent by Email

Message body – the message content. Notice – the are a number of replaceable

parameters that can be in the Message Body:

• For identity Full Name: @@fullname

• For identity User ID: @@userid

• For identity Secret Data: @@SD

These variables are replaced by the values prior to being sent.

For example, a template message such as:

Hi @@fullname, your Cell-OTP™ can be downloaded from: www.cell-otp.com/app

After installation start the Cell-OTP™ app’ and use the Menu to Add Site Manually.

Your Secret Data is: @@SD and your User ID is: @@userid.

Regards, Support Team

Will be sent as to new user bsmith:

Hi Bob Smith, your Cell-OTP™ can be downloaded from: www.cell-otp.com/app

After installation start the Cell-OTP™ app’ and use the Menu to Add Site Manually.

Your Secret Data is: 1q2w3e4a and your User ID is: bsmith.

Regards, Support Team

3.3.3.1 Authentication Services

The following are .Net Web Services to be used in Web Pages:

� AddIdentity - this is the Registry service. Add a new Identity.

� AuthenticateIdentity – perform the Authentication query.

� GetCATToken – prepare values for the Cell-OTP™ token, Is not for public use.

• getServerTime – get the current Server Time. Used to let the users compare with

their Cellular clock. Make sure the deviation is not over the grace allowed.

3.3.3.2 AddIdentity

http://www.megaas.com/wisecatservice/Service.asmx?op=AddIdentity

The values are similar the Management System - the Add new identity option


Parameter Value

txtSid: Your site unique sid

txtUserid: The new user id

txtFullName:

The new user’s full

name. Private Family

txtEmail: The new user’s Email

txtCompany:

txtPhone:

pdEnabled:

pdAuthenticationType: Otp, FixedPassword

txtCountry:

pdSendMessage: None, byEmail, bySMS

pdMessageTitle:

A template message

name

txtEncPassword:

Service returns XML. On success:

<?xml version="1.0" encoding="utf-8" ?>

<string xmlns="http://wisecat.services.com/">Success</string>

On failure:


<string xmlns="http://wisecat.services.com/">Failed. User ID already exists.</string>

3.3.3.3 AuthenticateIdentity

http://www.megaas.com/wisecatservice/Service.asmx?op=AuthenticateIdentity

Parameter Value

sid: Your site unique sid

userid: The authenticated User ID

otpassword:

The Cell-OTP™ generated

OTP

Service returns XML:


On success:


<boolean xmlns="http://wisecat.services.com/">true</boolean>

On Failure:


<boolean xmlns="http://wisecat.services.com/">false</boolean>

3.3.3.4 getServerTime

http://www.megaas.com/wisecatservice/Service.asmx?op=getServerTime

Service returns:


<string xmlns="http://wisecat.services.com/">6/15/2010

13:55:21.1621250</string>

3.3.3.5 Templates for Calling Services

The Services were developed using ASP.NET.

3.3.3.5.1 ASP 2.0 Template

AuthenticateIdentity

Dim xmlhttp

Dim DataToSend

DataToSend="sid=" & sid & "&userid=" & userid & "&otpassword=" &

otpassword

Dim postUrl

postUrl =

"http://www.megaas.com/wisecatservice/service.asmx/AuthenticateIdentity"

Set xmlhttp = server.Createobject("MSXML2.XMLHTTP")

xmlhttp.Open "POST",postUrl,false

xmlhttp.setRequestHeader "Content-Type","application/x-www-form-

urlencoded"

xmlhttp.send DataToSend

Dim resp

resp = xmlhttp.responseText


'---------------------------------------

if (instr(resp,"System.Exception") > 0) then

resp = replace(resp,"System.Exception:","")

resp = mid(resp,1,instr(resp,"at") - 1)

end if

Session.Timeout = 30

'-----------------------------------------------

'Check the verification result and move to the next page.

If instr(resp,"true") > 0 then

Session("isvalid") = "Y"

Session("LoginName") = userid

Response.redirect(SuccessURL + "?msg=You have successfuly Logged

into Digi-Sign Server")

Else

Session("isvalid") = "N"

Response.redirect(FailURL & "?msg=" & resp)

End If

3.3.3.5.2 PHP template

http://blogs.msdn.com/b/bramveen/archive/2009/09/03/using-php-to-connect-to-an-asp-

net-2-0-webservice.aspx

AddIdentity

'----------------------------------------------------------------------

' Build the registration process

'----------------------------------------------------------------------

'Valid values:

'pdEnabled = true / false

'pdAuthenticationType = Otp / FixedPassword

'pdSendMessage = None / byEmail / bySMS (for SMS the site has to have

SMS credits)

'pdMessageTitle= None / Message title (if title is wrong the send will

fail)

Dim DataToSend

DataToSend="txtSid=" & sid & "&txtUserid=" & userid & _

"&txtFullName=" & username & _

"&txtEmail=" & email & _

"&txtCompany=" & company & _

"&txtPhone=" & countrycode & phone & _

"&pdEnabled=true" & _

"&pdAuthenticationType=Otp" & _

"&txtCountry=" & countrycode & _

"&pdSendMessage=" & sendby & _

"&pdMessageTitle=" & messagetitle & _


"&txtEncPassword=" & txtEncPassword

Dim postUrl

postUrl =

"http://www.megaas.com/wisecatservice/service.asmx/AddIdentity"

resp = GetService(postUrl, DataToSend )

Session.Timeout = 30

'----------------------------------------------------------------------

' Check the registration rc

'----------------------------------------------------------------------

If instr(resp,"Success") > 0 then

Session("isvalid") = "true"

Response.redirect(successurl + "?msg=Your registration details

were sent to you " & sendby)

Else

Session("isvalid") = "false"

Response.redirect(failurl & "?msg=" & resp)

End If

3.3.3.6 SMS / Email Options

The Cell-OTP™ AS provides SMS or Email messaging capabilities when certain events occur.

The admin can set up the Cell-OTP™ site account whether to receive the messages by Email

or SMS. To receive messages by SMS the account has to have SMS credits. SMS credits can

be purchased from Digi-Sign and information is available on the main website www.digi-

sign.com/cell-otp

The following events will generate a message to the admin user Email or Phone number.

- Your Cell-OTP™ AS account was changed

- Users list was updated or new users added

- User was added or removed

The following will generate a message to a user Email or Phone number (depends on the

decision of the admin)

- When the user is added, his Cell-OTP™ details can be sent by Email or a personal Cell-

OTP™ Download URL can be sent by SMS. Sending a Download URL will work for certain

cellular types, for example – Symbian. We are working to extend that capability to a wider

range of cellular types.


3.4 Support

You can contact our support by Email: [email protected] and we will respond soon as

possible.

Cell-OTP™ Service Administrators Guide Version 1.1 - Digi-Sign

Documents

Transcript of Cell-OTP™ Service Administrators Guide Version 1.1 - Digi-Sign