\

In the realm of operational technology (OT), environments can be quite diverse, each with its unique characteristics. As a result, it’s essential for solution providers to offer adaptability—to seamlessly integrate into various settings. Enter the OTAC solution: highly configurable and designed to flexibly fit different environments. This versatile solution can be deployed in multiple ways: directly onto a programmable logic controller (PLC) in standalone mode, on a central server within the OT network or in hybrid mode which bring the best of standalone and server mode deployments. 

OTAC auth MFA Deployment Model

Deployment Model

 Standalone

2024-08-12_14h23_49In standalone mode the solution is deployed directly onto a PLC. This offers the most robust solution as everything is running on the PLC and does not require any network connection. Since the OTAC auth MFA is running locally on the PLC, all authentication requests are handled locally. 

Server

In server mode the solution is deployed centrally on a server in the OT network. This offers the best solution for large scale deployment where you want to protect multiple PLCs with MFA. Each PLC redirects the authentication request to OTAC auth MFA server to verify the login details. 

2024-08-12_14h24_07

Hybrid

In hybrid mode the solution is deployed both on the individual PLC’s as well as centrally on a server in the OT network. This offers the best solution for large scale deployment where you want to protect multiple PLCs with MFA as well as have complete resilience for fail overs. Each PLC redirects the authentication request to OTAC auth MFA server to verify the login details, however in the event of a network failure or if the central server is down, the PLC is able to authenticate the user locally.  

2024-08-12_14h24_16

Software Components

OTAC auth MFA can be installed as a complete software with an Admin Portal for user management and onboarding as well as the accompanying mobile app (where OTAC is generated) available on Android and iOS.

2024-08-12_14h24_29

 

REST API

The REST API is hosted on a web server and offers important core functions to Verify OTAC, Register a new user and De-Register an existing user.

 

Admin Portal

The solution also comes with an intuitive administration web portal for managing users, roles, policies as well as license details.

 

User Database

The user database is used to hold user information. The user database can be integrated into the customer’s existing database server such as MS SQL, Oracle DB, Maria DB…etc. 

 

Mobile App

The solution comes with an out of the box mobile app on Android and iOS available on the Google Play store and the Apple app store respectively. The mobile app is responsible for generating OTAC and enforcing an additional factor of authentication such as a PIN or device biometrics such as fingerprint and FaceID.

SDK

For customers who like more flexibility and integration, the OTAC auth MFA also provides SDK.

2024-08-12_14h24_39

 

Application SDK

We provide an Application SDK in C++ that will allow customers to integrate user management and onboarding into their existing application.

 

Mobile SDK

We also provide a mobile SDK for Android and iOS to integrate the OTAC generation into their native mobile app.

Customer Deployment Examples

Customer A

2024-08-12_14h25_09

One of the top-tier PLC manufacturers made a strategic decision to safeguard their PLCs using OTAC authentication with MFA. Now, every newly manufactured PLC comes equipped with OTAC auth MFA right out of the box—a smart move to enhance security for their customers. To seamlessly blend with their existing services, they opted for the Standalone deployment approach, integrating OTAC auth MFA as an embedded SDK.

2024-08-12_14h25_29

Understanding Customer A’s Deployment and Installation Model:

1. User Interaction:

● When a user needs to log in to the engineering application, they are prompted for an entry code—the OTAC

2. OTAC Generation:

● Within their mobile app, we’ve embedded our mobile SDK.

● The user generates an OTAC using our mobile SDK. This OTAC serves as a secure token.

3. Connecting to the Engineering Application:

● Armed with the OTAC, the user then provides it to the engineering application.

● The engineering application establishes a connection via Modbus—a communication protocol—directly to the Security Service residing inside the PLC.

4. Security Service Handling:

● Inside the PLC, the Security Service extracts the OTAC.

● To ensure the user’s authenticity, the Security Service employs our Application SDK.

5. Validation and Authentication:

● Finally, the Application SDK validates and authenticates the user, granting access to the engineering application.

Customer B

2024-08-12_14h25_12

Customer B wanted to fortify the security of existing PLCs for their valued customers. They opted for OTAC auth MFA in server deployment mode. Here’s the breakdown:

  • Centralized Management: Customer B appreciated the centralized approach of OTAC auth MFA. It’s like having a vigilant guardian overseeing multiple PLCs simultaneously.
  • Deployment Strategy: For this setup, they chose the server deployment route and to complete the picture, they went all-in with a full Software install. 

2024-08-12_14h25_40

Customer B’s PLCs come with their very own Web Management Portal (WMP)—a web portal to control and oversee the PLC. Here’s how it all unfolds:

1. User Interaction: When a user wants to access the WMP they are prompted for an entry code—the OTAC.

2. OTAC Generation: Our trusty standard mobile app (available on both Android and iOS) generates the OTAC.

3. Forwarding the Request: The user hands over the OTAC to the WMP. The WMP forwards the request to the Verification API running on the central server via a secure HTTPS channel.

4. The Verification: Once the OTAC has been verified it returns the result back to the PLC and to the WMP.

Customer C

2024-08-12_14h25_14

Customer C, another leading PLC manufacturer, wanted to give their customers flexibility and a choice on whether to have OTAC auth MFA deployed in standalone mode running on each individual PLC or on a central server.

2024-08-12_14h25_50
  • Standalone Mode:
    ○ For customers with a small number of PLCs, they offered standalone mode.
    ○ Everything—OTAC auth MFA and all—runs directly on each individual PLC.
  • Server Deployment:
    ○ Customers with larger deployments could choose server deployment.
    ○ In this setup, everything runs on a central server, and each PLC forwards authentication requests there.

 

International CC Certification for OTAC
Our OTAC technology has obtained the global CC standard for its strong security, stability and reliability. 

Contact us today

Why swIDch

OTAC, developed by swIDch, is the original technology
that provides all of the following features, tested and substantiated
by the University of Surrey technical report
Why swIDch
DYNAMIC CODE that is
sufficient to IDENTIFY user
Single-step IDENTIFICATION
and AUTHENTICATION
Uni-directional authentication in
off-the-network environment

Single-step identification and authentication with the code alone. Include our biometric option and get single-step MFA. Vastly improved UX by removing steps.

OTAC is a dynamic code, which means the code is constantly changing. Eliminates all use of static information. Forget usernames and passwords forever. Vastly reduced workload for IT helpdesks. 

No network connection required for generating OTAC, enabling uninterrupted use no matter where you are. No more waiting for additional tokens/OTPs and no need for heavy public key infrastructure (PKI). 

 

Highly configurable code parameters and lightweight SDK/applet means wide range of deployment options on many devices across multiple sectors.