
shibboleth-dev - RE: [Shib-Dev] IdP One Time Password SMS Authentication

Subject: Shibboleth Developers

  • From: Peter Williams <>
  • To: "" <>
  • Subject: RE: [Shib-Dev] IdP One Time Password SMS Authentication
  • Date: Mon, 29 Nov 2010 12:34:30 -0800

April cites: Cell Phone - your ID to get a Onetime Password U.S. Patent
no. 6,993,658

Assuming this is the patent one has licensed, the disclosed method basically
requires that the OTP request be communicated over cell (and not the
internet) - it's an old, manual 2 way pager concept, that is.

There are no general claims about any and all OTP tokens delivered over the
internet. The claim construction is very specific to the art of the method,
as you'd expect the PO to insist upon. Use a different method, the patent
power is not relevant (as is always true).

The method is linked to particular system claims, which have particular
control protocols. One can easily deviate from their peculiarity, since it's
tied to particular account lockout behaviors at an SP. Perhaps SPs... don't
have "user account", being stateless.

In the openid world, IDPs often integrate with "phonefactor." The request to
generate the key/otp (duly relayed to a pager feature over SMS) is
communicated WITHOUT using the user's personal device as a bearer for the
request, and without using a cell network to communicate the request.


-----Original Message-----
From: [mailto:] On Behalf Of Paul Hethmon
Sent: Monday, November 29, 2010 9:29 AM
To: Shibboleth Dev
Subject: Re: [Shib-Dev] IdP One Time Password SMS Authentication

On 11/29/10 12:20 AM, "RL 'Bob' Morgan" <> wrote:

>> As far as the OTP feature is concerned, I can be very specific about
>> the desired timeline: We would like to demo a new login interface
>> (based on OTP) to our tools at Fall 2011 I2MM.
>
> Any number of extensions to the current IdP have been developed,
> including login handlers of various kinds. A featureful OTP login
> handler written for IdPv2 would have to be modified to work with
> IdPv3, but presumably most of it would still apply. So if you really
> want OTP functionality in a Shib IdP real soon, you'll need to see
> that it gets developed as an extension by someone outside the current
> funded project team.

On a more technical note, what level of OTP are you considering? Meaning I
know of 3 approaches:

1. email to sms
2. sms via a sms "modem"
3. sms via an integrator (direct IP connect)

I'm figuring approach #1 or #2 based on cost. #3 has a very high cost to
simply set it up and have it available.

Also, just for the record, there is a patent in the US for the delivery of
OTP via SMS. Held by April Systems out of Sweden (www.april.se). My company
has licensed that from them at one time but I have no other connection to
them or the patent.

thanks,

Paul




