What OATH Certification Covers

OATH certification focuses on verifying correct implementation of OATH standards and associated profiles. Certification typically covers:

  • Conformance to specific OATH profiles (e.g., HOTP-based token, TOTP authenticator).
  • Interoperability between authenticators and validation servers.
  • Correct handling of security-critical edge cases defined in the standards.

Certification is not a guarantee of overall product security; rather, it is a statement of conformance to OATH-defined behavior.

Example Profiles

Profiles specify concrete combinations of algorithms, parameters, and behaviors. Examples include:

  • HOTP Token Profile
    Counter-based OTP using RFC 4226 with well-defined counter handling, OTP length, and resynchronization behavior.
  • TOTP Authenticator Profile
    Time-based OTP using RFC 6238 with specific time step, hashing algorithm, and drift handling.
  • OCRA Transaction Signing Profile
    OCRA-based challenge/response for transaction signing, including canonicalization of transaction data.

Profiles allow vendors and deployers to use a common language when specifying requirements and evaluating products.
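
As an added illustration (not code from this page or from any OATH test suite), the following Python sketches the behaviors the HOTP and TOTP profiles above pin down: OTP length, hash algorithm, time step, a counter look-ahead window for resynchronization, and a clock-drift window. The shared secret is the RFC 4226 / RFC 6238 test-vector key; the look-ahead and drift window sizes are assumed values that a real profile would fix.

```python
import hashlib
import hmac
import struct

# Constructed input: the shared secret from the RFC 4226 / RFC 6238 test vectors.
RFC_TEST_SECRET = b"12345678901234567890"


def hotp(secret, counter, digits=6, algorithm=hashlib.sha1):
    """RFC 4226: HMAC over the 8-byte big-endian counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algorithm).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify_hotp(secret, candidate, server_counter, look_ahead=10, digits=6):
    """Counter resynchronization as a profile would specify it: accept the first match in
    [server_counter, server_counter + look_ahead] and return the new stored counter, or None.
    Counters below the stored value are never tried, so an already-used OTP is rejected.
    The look-ahead of 10 is an assumed window size."""
    for c in range(server_counter, server_counter + look_ahead + 1):
        if hmac.compare_digest(hotp(secret, c, digits), candidate):
            return c + 1
    return None


def totp(secret, unix_time, time_step=30, digits=6, algorithm=hashlib.sha1):
    """RFC 6238: HOTP over the number of whole time steps since the Unix epoch (T0 = 0)."""
    return hotp(secret, unix_time // time_step, digits, algorithm)


def verify_totp(secret, candidate, unix_time, time_step=30, digits=6,
                drift_steps=1, algorithm=hashlib.sha1):
    """Drift handling: accept the current step and up to drift_steps steps on either side.
    Returns the matched step offset (-1, 0, +1, ...) so the server can record per-token skew.
    drift_steps=1 is an assumed window size."""
    current = unix_time // time_step
    for offset in range(-drift_steps, drift_steps + 1):
        if hmac.compare_digest(hotp(secret, current + offset, digits, algorithm), candidate):
            return offset
    return None


if __name__ == "__main__":
    print(hotp(RFC_TEST_SECRET, 0))                     # 755224 (RFC 4226 vector)
    print(totp(RFC_TEST_SECRET, 59, digits=8))          # 94287082 (RFC 6238 vector)
    print(verify_hotp(RFC_TEST_SECRET, "969429", 0))    # 4: matched counter 3, advance to 4
```

Interoperability testing between an authenticator and a validation server reduces to agreeing on exactly these parameters, which is why the RFC test vectors are the natural starting point.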

For Vendors

If you provide authenticators, tokens, or server software that implements OATH standards:

  • Identify which profiles your products implement.
  • Use OATH reference test suites and documentation where available.
  • Document your products’ OATH conformance clearly for customers.

For Deployers

If you procure or deploy authentication solutions:

  • Specify required OATH profiles in RFPs and design documents.
  • Prefer solutions that clearly declare and, where applicable, certify OATH conformance.
  • Use OATH profiles as a basis for interoperability testing.

Certification Documentation

For detailed information on specific certification programs, criteria, and test procedures, refer to the documentation provided in the Resources section or through official OATH channels.