Draft:X.1280
{{AFC submission|d|v|u=Baker232|ns=118|decliner=ToadetteEdit|declinets=20250521073843|ts=20250516060341}}
{{AFC submission|d|adv|u=Baker232|ns=118|decliner=Caleb Stanford|declinets=20250510200235|small=yes|ts=20250422004206}}
{{AFC comment|1=This is an advertisement for a particular product standard, not an encyclopedic article that covers information about the project as covered in reliable, independent sources. Caleb Stanford (talk) 20:02, 10 May 2025 (UTC)}}
----
{{Short description|Standard defining the framework for out-of-band server authentication (ITU-T X.1280)}}
{{Draft topics|software|computing|technology}}
{{AfC topic|stem}}
{{Draft article}}
{{Infobox technology standard
| title = X.1280
| long_name = Framework for out-of-band server authentication using mobile devices
| image =
| caption =
| status = In force (Recommendation)
| year_started = 2022
| version = 1.0
| version_date = {{Start date and age|2024|03|01}}
| preview =
| preview_date =
| organization = ITU-T
| committee = ITU-T Study Group 17
| base_standards =
| related_standards = X.509, X.1254
| abbreviation =
| domain = Cybersecurity, identity management, authentication, biometric authentication
| license =
| website = {{URL|https://handle.itu.int/11.1002/1000/15661}}
|series = X
|alt=
|first_published=
}}
X.1280 is a Recommendation of the International Telecommunication Union Telecommunication Standardization Sector (ITU-T) that defines a framework in which a user verifies a service provider's server, using a mobile device as an out-of-band authenticator, before entering any credentials.{{Cite web |title=Free access for all to ITU-T standards |website=MIT Libraries |url=https://libraries.mit.edu/news/access-itu-t-standards/725/ |access-date=2025-05-16}}
Its full title is ''Framework for out-of-band server authentication using mobile devices''. The framework combines out-of-band authentication with mutual authentication. Out-of-band authentication carries the authentication exchange over a second channel (the mobile device) that is separate from the channel on which the user is logging in, so an attacker who wants to intercept the login has to control both channels at the same time.{{Cite web |title=Out-of-Band Authentication |website=Double Octopus |url=https://doubleoctopus.com/security-wiki/authentication/out-of-band-authentication/ |access-date=2025-05-16}} Mutual authentication raises the security level compared with one-way authentication.
One-way authentication verifies only the user's identity; mutual authentication verifies both the user and the service provider. This helps to stop several classes of attack:{{Cite web |title=What is mutual authentication? |website=Cloudflare |url=https://www.cloudflare.com/learning/access-management/what-is-mutual-authentication/ |access-date=2025-05-16}}
- On-path (man-in-the-middle) attacks
- Spoofing and impersonation of the service provider
- Credential theft
X.1280 uses an out-of-band mobile authenticator, typically a smartphone, which can also perform biometric verification so that the login becomes multi-factor authentication (MFA).
No hardware beyond the smartphone, such as a dedicated security token, is required, and the same authenticator can be used to log in from many different devices.
Before a mobile authenticator can be used with a service provider that supports X.1280, it must be registered with that provider's authentication server; only then can it take part in authentication.
== Purpose ==
The X.1280 standard is designed to:
- Strengthen security by enabling mutual authentication between users and service providers, protecting users against verifier impersonation.
- Remove the dependency on a particular login device by using an out-of-band mobile authenticator, so that one authenticator serves for logins from many devices.
== Applications ==
X.1280 enables the following authentication methods:
- User-centric authentication: the user verifies the service provider before providing any credentials, which both simplifies the login and improves its security.
- Mutual authentication: the user and the service provider verify each other, moving from one-way to two-way authentication.
- Unified authentication: a single mobile authenticator supports authentication across diverse devices, such as computers, smartphones, automated teller machines (ATMs) and artificial intelligence (AI) speakers, removing the need for device-specific authenticators.{{Cite web |title=ITU-T X.1280: Framework for out-of-band server authentication using mobile devices |website=ITU-T Recommendation Database |url=https://www.itu.int/ITU-T/recommendations/rec.aspx?rec=15661&lang=en |publisher=International Telecommunication Union |access-date=2025-05-16}}
== Advantages ==
X.1280 provides out-of-band authentication, in which the authentication exchange travels over a communication channel separate from the login channel, and on the user's side it requires only a smartphone. Its mutual authentication, in which both parties verify each other's identity, helps reduce the risk of fake-site attacks; the same property is relied on by other out-of-band designs such as EAP-NOOB{{Cite journal |last1=Aura |first1=Tuomas |last2=Sethi |first2=Mohit |last3=Peltonen |first3=Aleksi |title=Nimble Out-of-Band Authentication for EAP (EAP-NOOB) |journal=RFC |volume=9140 |year=2021 |url=https://www.rfc-editor.org/rfc/rfc9140 |access-date=2025-05-16}} and the UAV device-to-device protocols described by Ejiyeh.{{Cite arXiv |last=Ejiyeh |first=Atefeh Mohseni |title=Secure, Robust, and Energy-Efficient Authenticated Data Sharing in UAV-Assisted 6G Networks |class=cs.CR |year=2024 |eprint=2402.11382 }}
IoT security standards increasingly incorporate out-of-band authentication for the same reason.{{Cite journal |title=Standardization Trends for IoT Security |journal=TTA Journal |volume=197 |issue=4 |year=2021 |pages=16–23 |publisher=Telecommunications Technology Association |url=https://tta.or.kr/data/androReport/ttaJnal/197-4-1.pdf |access-date=2025-05-16}}
== Limitations ==
X.1280 requires a smartphone, so users without one cannot use it. A service provider must develop and maintain a mobile application, which raises implementation cost. Because the authentication server has to reach both the client and the mobile authenticator, network configuration in firewalled environments can be more complex than for in-band authentication, as with other out-of-band authentication systems. The extra step of confirming the login on the mobile device lengthens each authentication and may inconvenience users. Similar trade-offs are noted for IoT authentication standards.
== History ==
- June 29, 2022: Registered as TTAK.KO-12.0383 by the Telecommunications Technology Association (TTA) in South Korea.{{Cite web |title=Mutual authentication technology based on out-of-band(OOB) for IoT devices |website=Telecommunications Technology Association (TTA) |url=https://www.tta.or.kr/tta/ttaSearchView.do?key=77&rep=1&searchStandardNo=TTAK.KO-12.0383&searchCate=TTAS |publisher=Telecommunications Technology Association |access-date=2025-05-16}}
- 2022: Taken up by ITU-T Study Group 17 under the provisional designation X.oob-sa.
- March 1, 2024: Published by ITU-T as Recommendation X.1280.
== Process of authentication ==
X.1280 authentication consists of two procedures: registering a mobile authenticator with the service provider's authentication server, and performing mutual authentication between the user and the service provider at each login.
=== Authenticator registration ===
File:Wiki X.1280 - Fig 1. Authenticator registration.png
1. The user installs the mobile application that will communicate with the authentication server.
2. The user requests registration from a client, such as a PC.
3. The client sends a registration request to the authentication server.
4. The authentication server generates secure data (a fresh, unpredictable value). The verification request that the mobile application later sends in step 8 must contain this secure data.
5. The authentication server sends the client registration information that contains the secure data.
6. The client passes the registration information to the user by a permitted method, such as e-mail, SMS or a QR code.
7. The user enters the received data into the pre-installed mobile application.
8. The application sends a verification request to the authentication server.
9. If the request contains the expected secure data, the authentication server registers the mobile application.
10. The authentication server sends a verification key to the mobile application, which stores it.
=== Authentication process ===
File:Wiki X.1280 - Fig 2. Process of authentication.png
1. A user who has registered an out-of-band authenticator requests login on a client.
2. The authentication server receives the verification request from the client.
3. The authentication server generates secure data with which to verify the authenticator.
4. The authentication server sends authentication information to the client.
5. The client presents the authentication information as text or sound, depending on the type of client.
6. The authentication server sends the authenticator a dataset from which it can generate the authentication information.
7. The authenticator generates the authentication information. If the user is attempting to log in on a fake client (for example, a fraudulent web page), the information shown by that client will not match what the out-of-band authenticator generates for the genuine session.
8. The authenticator presents its authentication information as text or sound, depending on the setting of the mobile application.
9. The user compares the two and approves or rejects the login on the authenticator. When the user approves, additional multi-factor authentication steps (knowledge: a PIN; possession: the mobile device; inherence: biometrics) may be required, depending on the policy of the verifier or of the mobile application.
10. The authenticator generates user authentication information to send to the authentication server.
11. The authenticator sends the user authentication information to the authentication server.
12. The authentication server authenticates the user if the user authentication information matches what it expects for that session.
13. The authentication server sends the user authentication result to the client.
14. The client presents the post-login service if the result is positive.
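The two procedures above, modelled end to end in Python as an added example. This is not code from the Recommendation or from any implementer; X.1280 does not fix the message contents, so the following are assumptions made here: the secure data is a random hex nonce that is consumed on first use, the verification key is 32 random bytes, the authentication information is a six-digit code derived with HMAC-SHA256 from the session challenge, the user authentication information is a second HMAC over the same challenge, and a fake client is modelled as unable to obtain the server's information for the session and therefore showing fabricated information. A fake page that relays a live, genuine session in real time is not covered by this model; detecting that requires binding the authentication information to the client channel.

```python
"""Toy model of an X.1280-style registration and authentication flow.

Added example, not code from the Recommendation or any implementer. Message
contents, the HMAC-SHA256 derivations and the six-digit display format are
assumptions so that the flow can be run offline end to end."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional


def display_code(key: bytes, challenge: bytes) -> str:
    """Authentication information shown to the user (assumed six-digit format)."""
    mac = hmac.new(key, b"display" + challenge, hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 1_000_000:06d}"


def approval_response(key: bytes, challenge: bytes) -> str:
    """User authentication information returned once the user approves."""
    return hmac.new(key, b"approve" + challenge, hashlib.sha256).hexdigest()


@dataclass
class AuthServer:
    pending: dict = field(default_factory=dict)   # reg_id -> (user, secure_data)
    keys: dict = field(default_factory=dict)      # user -> verification key
    sessions: dict = field(default_factory=dict)  # sid -> (user, challenge)

    def begin_registration(self, user: str) -> dict:
        """Registration steps 3-6: fresh secure data, handed to the client for display."""
        reg_id, secure_data = secrets.token_hex(8), secrets.token_hex(16)
        self.pending[reg_id] = (user, secure_data)
        return {"reg_id": reg_id, "secure_data": secure_data}  # e.g. encoded in a QR code

    def complete_registration(self, reg_id: str, secure_data: str) -> Optional[bytes]:
        """Steps 8-10: register the app only if it presents the unused secure data."""
        entry = self.pending.pop(reg_id, None)  # pop: a second use is a replay
        if entry is None or not hmac.compare_digest(entry[1], secure_data):
            return None
        key = secrets.token_bytes(32)
        self.keys[entry[0]] = key
        return key

    def begin_authentication(self, user: str) -> tuple:
        """Steps 2-6: returns (sid, info for the client, dataset pushed to the app)."""
        sid, challenge = secrets.token_hex(8), secrets.token_bytes(16)
        self.sessions[sid] = (user, challenge)
        return sid, display_code(self.keys[user], challenge), {"sid": sid, "challenge": challenge}

    def finish_authentication(self, sid: str, response: str) -> bool:
        """Steps 11-12: one-shot, constant-time check of the app's response."""
        entry = self.sessions.pop(sid, None)
        if entry is None:
            return False
        user, challenge = entry
        return hmac.compare_digest(approval_response(self.keys[user], challenge), response)


@dataclass
class Authenticator:
    """The registered mobile application holding the verification key."""
    key: Optional[bytes] = None

    def register(self, server: AuthServer, info: dict) -> bool:
        self.key = server.complete_registration(info["reg_id"], info["secure_data"])
        return self.key is not None

    def show(self, dataset: dict) -> str:          # step 7-8
        return display_code(self.key, dataset["challenge"])

    def approve(self, dataset: dict) -> str:       # step 9-10
        return approval_response(self.key, dataset["challenge"])


def login(server: AuthServer, app: Authenticator, user: str, fake_client: bool) -> dict:
    """Steps 1-14. The fake client cannot obtain the server's information for the
    session, so it is modelled as showing fabricated information (assumption)."""
    sid, genuine_info, dataset = server.begin_authentication(user)
    shown_by_client = "??????" if fake_client else genuine_info
    shown_by_app = app.show(dataset)
    if shown_by_client != shown_by_app:  # step 9: the user compares and rejects
        server.sessions.pop(sid, None)
        return {"match": False, "logged_in": False}
    return {"match": True, "logged_in": server.finish_authentication(sid, app.approve(dataset))}


def demo() -> dict:
    server, app = AuthServer(), Authenticator()
    info = server.begin_registration("alice")          # delivered by QR code, SMS or e-mail
    registered = app.register(server, info)
    replayed = Authenticator().register(server, info)  # same secure data presented again
    return {"registered": registered, "replay_rejected": not replayed,
            "genuine": login(server, app, "alice", fake_client=False),
            "fake": login(server, app, "alice", fake_client=True)}
```

Running `demo()` registers one authenticator, rejects a replay of the same registration data, completes a genuine login, and shows the user rejecting a login from a fake client whose displayed information does not match the authenticator's. The server deletes each session and each pending registration on first use, so neither the secure data nor the approval response can be replayed.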
== References ==
{{Reflist}}