Standards & RFCs
This page collects the core OATH-related standards and technical resources maintained through the IETF and other bodies. These documents are open and royalty-free, and form the basis of many widely used authentication systems.
Authentication Algorithms
| Standard | Reference | Status | Typical Use |
|---|---|---|---|
| HOTP – HMAC-based One-Time Password | RFC 4226 | Standard | Counter-based OTP for hardware tokens and software authenticators. |
| TOTP – Time-based One-Time Password | RFC 6238 | Standard | Time-synchronized OTP used by many authenticator apps and services. |
| OCRA – OATH Challenge-Response Algorithm | RFC 6287 | Standard | Challenge/response authentication and transaction signing. |
Key Provisioning & Management
| Standard | Reference | Status | Typical Use |
|---|---|---|---|
| Portable Symmetric Key Container (PSKC) | RFC 6030 | Standard | Secure container for provisioning symmetric keys to devices and servers. |
| Dynamic Symmetric Key Provisioning Protocol (DSKPP) | RFC 6063 | Standard | Protocol for secure remote provisioning of symmetric keys. |
Reference Architectures & Related Documents
- OATH Reference Architecture 2.0 / 1.0
  High-level architecture for strong authentication across clients, tokens, and validation servers.
- OATH Token Identifier Specification & OMP Registry
  Conventions for identifying and registering OATH-compliant tokens and manufacturers.
- Fraud and risk-related specifications
  Additional documents relating to fraud information sharing and risk-based authentication.
For the full list of documents, including historical drafts and supporting material, see the Resources section.