Draft:X.1280
X.1280 is an International Telecommunication Union (ITU) standard for verifying a service provider before the user provides any information to it.
Unlike traditional authentication methods such as passwords, PINs, and one-time passwords (OTPs), which only verify the user's identity, this standard enables mutual authentication: both the user and the service provider are verified. X.1280 uses an out-of-band mobile authenticator, typically a smartphone, and may incorporate biometric authentication for enhanced security. A key feature is that no additional hardware, such as a dedicated security token, is required beyond the smartphone, so a single authenticator can be used across various devices. Authentication via X.1280 requires prior registration: when a service provider supports X.1280-based authentication, the mobile authenticator must first be registered with it and can then be used for authentication.
Purpose
The X.1280 standard is designed to:
- Enhance security by enabling mutual authentication between users and service providers, ensuring protection against verifier impersonation.
- Eliminate device dependency by using an out-of-band mobile authenticator, allowing seamless authentication across multiple devices.
Applications
X.1280 enables advanced authentication methods, including:
- User-centric authentication: Users verify the service provider before providing credentials, simplifying the authentication process and enhancing security.
- Mutual authentication: Both the user and the service provider verify each other, shifting from one-way to two-way authentication.
- Unified authentication: A single mobile authenticator supports authentication across diverse devices, such as computers, smartphones, automated teller machines (ATMs), and artificial intelligence (AI) speakers, eliminating the need for device-specific authenticators. [1]
History
- June 29, 2022: Registered as TTAK.KO-12.0383 by the Telecommunication Technology Association (TTA) in South Korea. [2]
- 2022: Adopted by ITU-T as X.oob-sa. [3]
- March 1, 2024: Redesignated as X.1280 by ITU-T. [4]
Process of Authentication
X.1280 authentication involves a two-step process: registering a mobile authenticator and performing mutual authentication between the user and the service provider.
- Authenticator registration
  - The user installs a mobile application that communicates with the authentication server.
  - The user then requests registration from a client, for example a PC.
  - The client sends a registration request to the authentication server.
  - The authentication server generates secure data. When the mobile application later requests verification (the step below), its request must contain this secure data.
  - The authentication server sends the client information that contains the secure data for verification.
  - The client provides the registration information to the user by an allowed method, such as email, SMS, or QR code.
  - The user inputs the data received from the client into the pre-installed mobile application.
  - The application requests verification from the authentication server.
  - If the request contains the secure data, the authentication server registers the mobile application's information.
  - The authentication server sends a verification key to the mobile application, which stores the key.

- Authentication process
  - A user who has registered an out-of-band authenticator requests a login on a client.
  - The authentication server receives the verification request from the client.
  - The authentication server generates secure data to verify the authenticator.
  - The authentication server sends authentication information to the client.
  - The client shows the authentication information by text or sound, depending on the type of client.
  - The authentication server sends a dataset to the authenticator so that it can generate authentication information.
  - The authenticator generates the authentication information. If the user attempts to log in on a fake client (e.g., a fraudulent web page), the authentication information displayed by that client will differ from the information generated by the out-of-band authenticator.
  - The authenticator presents the authentication information by text or sound, depending on the setting of the mobile application.
  - The user compares the two and approves or rejects on the authenticator. When the user approves, additional multi-factor authentication steps (knowledge: a PIN; possession: the mobile device; inherence: biometrics) may be required, depending on the verifier's or the mobile application's policy.
  - The authenticator generates user authentication information to send to the authentication server.
  - The authenticator sends the user authentication information.
  - The authentication server authenticates the user if the user authentication information matches.
  - The authentication server sends the user authentication result to the client.
  - The client presents the post-login service if the result is positive.
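
The two lists above describe registration and mutual authentication as message flows; the following Python simulation plays both through with the server, client and authenticator modelled as objects. It is an added example, not code from the standard or from any implementation of it. The derivation of the authentication information (HMAC-SHA256 over the server's secure data under the stored verification key, truncated to six digits) and the user-approval message are assumptions chosen for illustration; the standard's own derivation is not given on this page. The fraudulent client is modelled as a page that has no access to the genuine session's authentication information and therefore shows a fabricated value.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple


def derive_code(key: bytes, label: bytes, secure_data: bytes) -> str:
    """Six-digit authentication information (assumed HMAC-based derivation)."""
    mac = hmac.new(key, label + secure_data, hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 1_000_000:06d}"


class AuthServer:
    """Service provider's authentication server (hypothetical model)."""

    def __init__(self) -> None:
        self.pending_registrations: Dict[str, str] = {}   # secure data -> user id
        self.verification_keys: Dict[str, bytes] = {}     # user id -> key held by the app
        self.sessions: Dict[str, Tuple[str, bytes]] = {}  # session id -> (user id, secure data)

    # Registration: the server generates secure data, and the later
    # verification request from the mobile application must carry it.
    def start_registration(self, user_id: str) -> str:
        secure_data = secrets.token_hex(8)
        self.pending_registrations[secure_data] = user_id
        return secure_data  # the client relays this to the user (email, SMS, QR code)

    def verify_registration(self, secure_data: str) -> Optional[bytes]:
        user_id = self.pending_registrations.pop(secure_data, None)
        if user_id is None:
            return None  # no valid secure data: nothing is registered
        key = secrets.token_bytes(32)  # verification key issued to the application
        self.verification_keys[user_id] = key
        return key

    # Authentication: fresh secure data per login; the client receives the
    # authentication information, the authenticator receives the dataset.
    def start_authentication(self, user_id: str) -> Tuple[str, str, bytes]:
        secure_data = secrets.token_bytes(16)
        session_id = secrets.token_hex(8)
        self.sessions[session_id] = (user_id, secure_data)
        client_info = derive_code(self.verification_keys[user_id], b"verify|", secure_data)
        return session_id, client_info, secure_data

    def verify_user(self, session_id: str, response: bytes) -> bool:
        session = self.sessions.pop(session_id, None)  # one response per session
        if session is None:
            return False
        user_id, secure_data = session
        expected = hmac.new(self.verification_keys[user_id], b"user|" + secure_data,
                            hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


class MobileAuthenticator:
    """Out-of-band authenticator (the mobile application)."""

    def __init__(self) -> None:
        self.key: Optional[bytes] = None

    def register(self, server: AuthServer, secure_data: str) -> bool:
        self.key = server.verify_registration(secure_data)  # the user typed secure_data in
        return self.key is not None

    def authentication_info(self, secure_data: bytes) -> str:
        return derive_code(self.key, b"verify|", secure_data)

    def approve(self, secure_data: bytes) -> bytes:
        """User approved (after any PIN/biometric step): user authentication information."""
        return hmac.new(self.key, b"user|" + secure_data, hashlib.sha256).digest()


def register(user_id: str = "alice") -> Tuple[AuthServer, MobileAuthenticator]:
    server, app = AuthServer(), MobileAuthenticator()
    secure_data = server.start_registration(user_id)
    if not app.register(server, secure_data):
        raise RuntimeError("registration failed")
    return server, app


def genuine_login(server: AuthServer, app: MobileAuthenticator, user_id: str = "alice") -> bool:
    session_id, client_info, secure_data = server.start_authentication(user_id)
    if client_info != app.authentication_info(secure_data):  # user compares both displays
        server.sessions.pop(session_id, None)                # user rejects on the authenticator
        return False
    return server.verify_user(session_id, app.approve(secure_data))


def fake_client_login(server: AuthServer, app: MobileAuthenticator, user_id: str = "alice") -> bool:
    """Login attempted on a fraudulent page that shows fabricated authentication information."""
    session_id, _genuine_info, secure_data = server.start_authentication(user_id)
    fake_info = "ABCDEF"  # constructed value shown by the fake client; genuine codes are digits
    if fake_info != app.authentication_info(secure_data):  # mismatch: user rejects
        server.sessions.pop(session_id, None)
        return False
    return server.verify_user(session_id, app.approve(secure_data))


if __name__ == "__main__":
    srv, auth_app = register()
    print("genuine client:", genuine_login(srv, auth_app))      # True
    print("fake client:   ", fake_client_login(srv, auth_app))  # False
```

The point the simulation makes is that the server never learns whether the user is on a fake page; the protection comes from the user comparing the information shown by the client with the information generated independently on the authenticator, and from the server accepting only a response bound to that session's secure data under the registered key.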
