
The secret life of the SIM card


Franck Borghino explains why he believes One-Time Passwords are the future of secure authentication in the mobile marketplace, and how the process could open up markets to third parties and beyond.

Digital security remains a major concern for consumers, businesses and governments today. According to recent European Commission estimates, online scams are now the fastest-growing category of fraud in Europe.1

Every day we read new reports of online threats such as phishing and spam. Every other day we see all types of organisations discussing their efforts to counter these threats. Whether it's an online auction site or a software vendor, different companies will promote different visions of digital security.

The key point to draw from all this rhetoric is that security is being used as a business differentiator. Better security leads to increased confidence. If you can increase the confidence of your customers, the chances are they would rather buy from you than from anyone else.

So how can mobile operators get in on this action? At Gemalto, our view is that the secret lies in the SIM.

“On the Internet, nobody knows you’re a dog.”
This strap-line appeared in a cartoon in the New Yorker, in July 1993 when the Internet, as we commonly know it, was in its infancy. Thirteen years later the problem still exists and there is a genuine need for stronger authentication because, for many online services, the traditional password is just not good enough.

On average, one person can have more than a dozen passwords. Passwords have proliferated to the point where users are overwhelmed with trying to manage them and often compromise security policies by creating weak passwords, sharing them, or even writing them down in places that other people can easily get to. 

Whether it's credit card details, email addresses or social security numbers, we now store an incredible amount of personal information online. This precious information can be stolen from any place and at any time by attackers using tools that harvest or crack user passwords in seconds. This offers little confidence to 'Joe Consumer'.

Indeed, in a recent Gartner survey, over 80 percent of respondents said they would buy more from an online vendor who offered them more than just a user name and password to protect their accounts. And it's not just consumers who need stronger authentication. Corporations that want to provide services such as Virtual Private Networking (VPN) to roaming employees also need confidence that sensitive information will not be compromised.

Typically, for authentication to be considered strong, it must combine two of three independent factors, hence the term "two-factor authentication": something you know (such as a PIN code), something you physically have (a smart card) or something you are (e.g. your fingerprint). The two factors must come from different categories; two passwords are still one factor. So the rationale is that when a PIN code (something you know) is backed by a smart card (something you have), an attacker has to obtain both, and the threat of credential theft is significantly reduced.

The shared secret
There are of course different flavours of two-factor authentication. For our mobile operator customers, we're seeing uptake with EAP-SIM (the Extensible Authentication Protocol method built on the GSM SIM) and with One-Time Passwords (OTP). Herein lies the secret.

For the purpose of this article, I'm going to focus on OTP, which is essentially a solution that makes it more difficult to gain unauthorised access to restricted resources such as a computer account. A static password can be recovered by an intruder who is given enough attempts and enough time, and once recovered it works indefinitely. By changing the password on every use, as an OTP does, this risk is greatly reduced.

There are basically two common types of OTP. The first is event-based: client and server each keep a counter, and every new password is derived from the shared key and the counter value that follows the previous one. The second is time-based: the password is derived from the current time, so the client and the authentication server must stay synchronised. Either way, the principle of OTP lies in what we call a 'shared secret' (technically, a cryptographic key) held by both the client and the authentication server; without that key, seeing one password tells an attacker nothing about the next.

At Gemalto, our OTP solution is based on open standards, which adhere to OATH, the industry-wide Initiative for Open Authentication launched in February 2004. As a standard, OATH ensures that secure credentials can be provisioned and verified by software and hardware from different vendors. Using this standard, our OTP solution employs a 160-bit 'shared secret' and an event counter fed into the HMAC-SHA-1 cryptographic standard (the OATH HOTP algorithm), computed identically on the client and on the server side.

The heart of the Gemalto solution is a SIM Toolkit application, loaded onto the user's SIM card, which transforms the subscriber's handset into an authentication token. When initiating a transaction that must be secured, making a payment over the Internet, for example, or requesting confidential information, all the user needs to do is connect his handset to his PC (USB cable, Bluetooth, WiFi) and let the PC request credentials directly from the SIM card (for security reasons, the SIM will require a PIN code to be entered before responding to the PC). The user then submits the one-time password together with his or her user name. When the validation server receives the password, it computes its own password from its copy of the shared secret and compares the two. If they match, the server knows the password came from the SIM holding that secret and accepts the transaction. The diagram above illustrates the OTP process.
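The exchange described in the last three paragraphs, as an added example that is not Gemalto's code or part of the original article: a counter-based HMAC-SHA-1 OTP (HOTP, RFC 4226) generated on a PIN-gated token and recomputed by a validation server. The 160-bit key is the RFC 4226 test-vector secret, constructed here rather than provisioned; the class names, the PIN value and the look-ahead window of five are assumptions for the example. The server also rejects any counter it has already accepted, which is the property behind the "never used again" claim made later in the article.

```python
"""Counter-based OTP (HOTP, RFC 4226) with a SIM-side generator and a
server-side validator.  Added example; not Gemalto's implementation."""
import hashlib
import hmac
import struct

# Constructed 160-bit (20-byte) shared secret.  This is the RFC 4226
# test-vector key, used so the outputs can be checked against the RFC;
# a real deployment provisions a random key into the SIM and the server.
SHARED_SECRET = b"12345678901234567890"
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """HOTP(K, C) = Truncate(HMAC-SHA-1(K, C)) mod 10^digits, zero-padded."""
    msg = struct.pack(">Q", counter)                 # 8-byte big-endian counter
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                          # dynamic truncation offset
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class SimToken:
    """Client side (hypothetical name): the SIM Toolkit applet holds the key
    and a counter it advances on every request.  The PIN check gates access
    to the key, supplying the 'something you know' factor."""

    def __init__(self, secret: bytes, pin: str):
        self._secret = secret
        self._pin = pin
        self.counter = 0

    def generate(self, pin: str) -> str:
        if not hmac.compare_digest(pin.encode(), self._pin.encode()):
            raise PermissionError("wrong PIN: SIM refuses to compute an OTP")
        otp = hotp(self._secret, self.counter)
        self.counter += 1                            # a counter value is never reused
        return otp


class ValidationServer:
    """Server side (hypothetical name): recomputes the OTP from its own copy
    of the secret.  A small look-ahead window tolerates OTPs the client
    generated but never submitted; anything at or below the last accepted
    counter is refused, so a captured OTP cannot be replayed."""

    def __init__(self, secret: bytes, look_ahead: int = 5):
        self._secret = secret
        self.last_counter = -1
        self.look_ahead = look_ahead

    def validate(self, otp: str) -> bool:
        start = self.last_counter + 1
        for c in range(start, start + self.look_ahead):
            if hmac.compare_digest(hotp(self._secret, c), otp):
                self.last_counter = c                # resynchronise and consume
                return True
        return False


def demo() -> dict:
    """Run one client/server exchange and return the observable results."""
    token = SimToken(SHARED_SECRET, pin="1234")      # assumed PIN for the example
    server = ValidationServer(SHARED_SECRET)

    first = token.generate("1234")                   # counter 0
    ok_first = server.validate(first)                # accepted, counter 0 consumed
    replay = server.validate(first)                  # same OTP again: refused

    token.generate("1234")                           # counter 1: generated, never sent
    skipped = server.validate(token.generate("1234"))  # counter 2: found via look-ahead

    try:
        token.generate("0000")                       # wrong PIN: SIM will not answer
        pin_rejected = False
    except PermissionError:
        pin_rejected = True

    return {"first": first, "ok_first": ok_first, "replay": replay,
            "skipped": skipped, "server_counter": server.last_counter,
            "pin_rejected": pin_rejected}


if __name__ == "__main__":
    print(demo())
```

The server's look-ahead is the trade-off to watch: it is what lets a handset that produced a few unused passwords resynchronise, but each extra counter widens the set of values an attacker could guess, so it should stay small and resynchronisation beyond it should require a separate procedure.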

Never mind content, the SIM is king
As the diagram demonstrates, SIM-based authentication is not necessarily just about services between the mobile handset and server but a method for extending value across other network devices such as the PC. 

In this model, the SIM not only provides secure and easy access to the GSM/CDMA and UMTS network but is now a powerful tool for digital security. Going back to my earlier point about security being the differentiator, the opportunity for mobile operators to challenge other, more established companies providing Internet services becomes all the more apparent.

With SIM-based OTP, there are three immediate advantages for the mobile operator:
• Opens up new revenue opportunities – positions the operator as a gateway for value-added services that demand high levels of security.
• Paves the way for new partnerships – makes the operator an ideal partner for banks and other institutions needing strong end-user authentication.
• Adds value in the corporate sector – provides the strong end-user authentication companies need to grant access to sensitive corporate resources.

For the consumer, the application on the SIM transforms his/her handset into a secure authentication token with a number of benefits:
• Simple to use – there’s no need for subscribers to remember specific procedures or carry a specific authentication device like a dongle.
• Replay resistance – even if an OTP is intercepted, it is useless to the criminal once the legitimate user has submitted it, because the server will never accept that password again.
• Inspires confidence – users can take full advantage of anywhere, anytime services with the certainty that all transactions are fully secured.

We are very much at the beginning of what we are calling the authentication ecosystem but, as described, the possibilities are vast. In the short term, OTP can help customers establish confidence when using operators’ internal WAP and Web services such as music downloads.  The next step is to move quickly and extend this trust to a number of partners by offering secure access to third party services like banking or even VPN. Eventually, through the ‘shared secret’, the world is truly their oyster – consumers, businesses and governments are more security conscious and using two-factor authentication such as OTP to improve their online experiences. Gemalto’s approach is to think big, start small and move fast.

1 Source: VNU.com, 26 Jan 2006
