Proxama Blog
High Risk Authentication
High risk authentication (banking, VPN), has always demanded separate hardware dedicated to authenticating users. There’s good reason for having this additional security layer. Called two-factor authentication, the logic is simple - if one device is compromised, overall security isn’t breached. Two common examples are:
- Card + reader. Your bank issues you with a card reader, which you use in conjunction with your bank card
- Multi-purpose token generators
Unsurprisingly, with mobile phone subscriptions now outstripping the number of TV, personal PC and credit card owners, there’s strong interest in using them for authentication.
It’s not just their popularity that makes mobile phones interesting here. SIM cards can run secure applications, capable of generating the same data as the card-reader and token generators. As is often the case, the challenges are of the business kind - not technical. The card is locked down and operators are on the whole un-willing to open the SIM card to third-parties. The most obvious alternatives are either not secure (Java applications can be decompiled easily), unreliable (SMS gets lost and can take a long time) or cumbersome (typing lots of data on a handset is prone to error).
Fortunately though, there are some more recent and less obvious developments which could put the mobile phone back in the authentication picture again:
- Applications on the iPhone cannot be decompiled easily; any algorithm to generate tokens is much harder to reproduce.
- What’s emerging as the preferred model for NFC sees the SIM card opening up for third party applications. With banks already in partnership with NWOs to load payment applications, they could simply add authentication tools.
- Companies like ARM have recognised this need with TrustZone. It goes further than existing secure elements (like SIMs) in that a mobile-handset can be certified as a PIN-entry device. It can set up a secure channel to the phones handset and screen, temporarily transforming it into a secure PIN-entry device. Implementations are set to be delivered in handsets late 2009.
As you’d expect, market leaders like Verisign have already launched an iPhone app with some success. And we’re being asked about mobile authentication a lot more. The security challenge isn’t over though, if mobile authentication follows the same pattern as most security attacks, with breaches consistently outside of threat models. Authentication presents some interesting challenges because every part of the system needs to be risk assessed.
Tagged with EMV Identity solutions Mobile Mobile payments Wallets
0 Comments. Posted by James 06 July 2009
Share this post
Subscribe via RSS
What's this blog about?
We're genuinely excited about smart cards, near field communication (NFC), mobile phones and IPTV. We'd have to be - we work with them every day. This blog is part of our quest to share our insights and spread the word about the benefits these technologies can bring to payments and ticketing, loyalty and service discovery. We hope you'll like what you read and join the debate.
If you want to talk to us directly - say hello.
Latest Entries
- NFC helping mobile phone crime
- NFC - a Future Mobile Hero?
- Mobile Authentication
- The Role of Standards in NFC
- Chrome OS
- High Risk Authentication
- Paving the Way for Safe Mobile Payments - the Mobile Phone Security Challenge
- Demo Night at MoMo London June 2009
- N is for NFC. The N Mark.
- Groundhog Day at NFC World Forum Europe
- Nokia’s NEW NFC 6216 Classic
- MoMo London - good news for mobile payments
- Contactless applications for 2012 Olympics
- The real dawning of the IPTV and interactive TV age
- Mobile Application Pain – An Antedote