Will the ubiquitous handset become the ID of the future?
07 June, 2011
category: Biometrics, Corporate, Digital ID, Financial, Government, Library, NFC
From the bag phone, to the brick phone to the flip phone, the mobile phone has evolved quite a bit in the last 25 years. The overarching trend had been toward smaller and smaller devices, but this preoccupation with size seems to have reached a plateau. The focus now is squarely on adding capabilities.
For many using the mobile device as a phone has become secondary to e-mail and Internet-enabled applications. Individuals will walk out of their homes without keys or a wallet, but seldom will they leave without their phone.
“The mobile phone is closely bound to you,” says Steve Dispenza, CTO and co-founder at PhoneFactor. “At the end of the day the phone is a good solution to a difficult problem … because of the variety of attacks, you can’t trust the Internet.”
New smart phones have the processing capabilities of computers, and they are going to play a significant role as an identification token as identity applications evolve, experts say.
Airlines already enable travelers to download boarding passes to smart phones. Hotels enable guests to download room keys and bypass the front desk. Corporate users generate one-time passcodes on handsets to gain access to computer networks and authorize transactions. But this is just the beginning.
While it’s not likely that we’ll see passports and driver license credentials on mobile phones anytime soon, many believe it’s not an if but a when. There are complex issues to resolve–such as issuance, interoperability and trust–but the technology is, or will be, capable.
Near field communication, which only seemed like a dream in North America months ago, is on the verge with virtually every mobile carrier, handset manufacturer and payment processor announcing plans for 2011. Handsets equipped with NFC chips could readily be used for physical or logical access tokens with the addition of some software.
But could existing smart phones without NFC be used in place of smart cards to secure access to Web sites and computer networks? There are only a handful of computers shipping with embedded contactless smart card readers, but Bluetooth is another option to tether PCs and devices, and there is the ubiquitous USB port that could be used to connect the mobile phone to a computer.
The U.S. Department of Defense is looking at the potential use of mobile phones in place of its Common Access Card, Defense Department officials told Re:ID in the Fall 2010 issue. Sources also say that the federal government’s Interagency Advisory Board is evaluating how mobile devices could be used in place of government employees’ PIV credentials.
As efforts to secure online identities increase the government and private sector will be looking at a variety of solutions for consumers. With mobile phones at the saturation point, many think the form factor will be tapped for online identity.
Despite all the positive progress, mobile devices aren’t without issues. There are numerous platforms and operating systems to support, and the possibility for new categories of viruses and malware looms large.
Two-factor authentication already happening
For many using the mobile phone for an extra level of authentication may seem futuristic, but it’s already here for some. The use of one-time passcodes with mobile devices is commonplace. Smart phone owners can download an app to generate the codes while other providers send codes via text messages.
RSA, Gemalto, Anakam and PhoneFactor are among the companies already offering these solutions. “There’s quite a lot of uptake because most or all phones support text messages,” says Alan Goode, director at the UK-based consultancy Goode Intelligence.
The one-time passcodes provide an extra authentication factor for login to Web sites or to verify transactions, Goode says. In the past the passcodes had been generated by fobs that individuals would keep on their key rings. Migrating this function to mobile devices gives users one less thing to carry and removes the organization’s role in hardware token management.
PhoneFactor offers two and three factor authentication via the mobile, says Dispenza. The majority of interest for the product has come from the financial services sector in order to secure and verify identities and transactions.
PhoneFactor doesn’t require a user to install any software or even have a smart phone, Dispenza says. The system can work in a couple of different ways. For verification, after a user enters a user name and password to login to a site the system will call that individual’s phone and require a PIN before access is granted.
The system can also be used to verify transactions. If transferring money between accounts the system will call and request a PIN before the funds are moved. “Even if someone steals your user name and password they won’t have your phone,” Dispenza says.
Anakam offers a similar solution that takes advantage of the text capabilities of mobile phones, says Dr. Bill Braithwaite, chief medical officer at Anakam. The company’s basic service sends a text message with a passcode to the user’s mobile phone after they enter a user name and password on a site.
But users wanted options beyond the text message, Braithwaite says. Anakam responded with a product that calls the phone and reads a passcode to the user and another option that requires voice biometric authentication before the passcode is provided.
Some one-time passcode systems have been vulnerable to man-in-the-middle attacks, says Jim Zok, director of identity services at CSC. There is an array of these attacks but they all have the same basic premise–a hacker eavesdrops on an individual’s Web activity and changes information or forges a Web site to gain access.
PKI on the phone
Security experts say that these attacks can be thwarted using PKI. There’s some debate in the identity industry whether or not PKI is capable on existing mobile devices while others say it’s already being done.
Jean Louis Carrara, vice president of business development for the North American Telecommunications Business Unit at Gemalto, says that PKI is already being done on the mobile device in Turkey. “We have seen PKI in some countries for signing transactions,” he says. “The transactions are signed by the SIM.”
SIM cards are smart card chips that are used by mobile carriers to secure handsets and authenticate to mobile networks. To keep costs low, SIM chips often do not include the high-end cryptographic capabilities that would be necessary to perform PKI functions.
But Gemalto is seeing interest in use of the SIM card to digitally sign transactions, Carrara says. The application in Turkey is used by the government’s customs office to allow Turkish citizens to sign their customs declaration with their phone.
The PKI application is on the SIM card and is similar to a one-time passcode, Carrara says. Turkish banks are also considering the app as another authentication level for transactions.
“The beauty of the cell phone is you can have applications in the SIM that are designed to be used for the authentication of the user,” Carrara says.
Mobile carriers want to start monetizing the SIM card, he adds. Companies and organizations could pay to place an application on the SIM or it is possible even a user would pay for a compelling function.
Gemalto is working on a project where a PKI application is stored on the SIM to secure access to online resources via a smart phone, Carrara explains, “(to) use the smart phone’s resources to authenticate to the laptop.”
Carrara admits that while the technology exists for PKI-based identification with the mobile phone, it isn’t widely deployed. “The future is now, it exists, it’s just not well distributed,” he says.
CSC’s Zok says he’s spoken with device manufacturers and expects to see smart phones with all the capabilities of smart cards in the first half of 2011.
Others say the technology for PKI authentication via the mobile devices isn’t ready yet. “The majority of SIM cards don’t have the capability,” says Goode. “You need to have cryptographic capability on the smart card.”
PKI may not be the answer for identification with the mobile device, Goode says. “The issue with PKI in general is it’s costly and difficult to manage,” he adds.
SIM cards also have limited memory and processing capabilities and it will be tough for the carriers to give up that space, Goode says. He believes the better alternative for mobile-based authentication is to use a microSD card because the carrier isn’t involved in its issuance. However, using a microSD leads to the same problem as issuing tokens or smart cards as they require issuance and management functions.
NFC an option?
2011 is shaping up to be a big year for NFC, and it’s possible that the technology could be used in identity applications, says Goode. Though largely touted as a tool to replace payment that use contactless systems, there’s no reason NFC handsets couldn’t be used where a converged credential infrastructure is in place.
The credential could be provisioned over the air and enrollment would have to be done just once, Goode says. The chicken-and-egg challenge is that few laptops and PCs are equipped with contactless readers today. Proliferation of NFC handsets, however, could change that situation.
Until enabled computers are readily available, the NFC device could be used for physical access to facilities while the phone could be used for logical access via another connection, possibly WiFi or Bluetooth, says Gemalto’s Carrara.
But, Carrara says, payments will be the first NFC application and identity will come later. “Payments is something we do everyday,” he adds. “Showing a driver license is something we do less so it will take longer to integrate.” He predicts that within two to four years use of the handset for payments and identity will be common.
2011 will be a transition time for mobile phones and what consumers do with them, says Goode. “The mobile is here to stay,” Goode says. “For identity and authentication we’re in that transition period, replacing what we do with smart cards and tokens … there will be some major changes in how we do authentication in the future.”
New technologies improve security for mobile devices
Using the mobile device as an identity token may seem like a no brainer, but there are some concerns about how the device itself is secured.
PINs and pattern-based systems are common on many devices but they are typically optional. If the device is going to be used for more high-security applications additional access control measures need to be put in place.
When one-time passcode generators are deployed for use on smart phones, an additional PIN is often required to gain access to the application, says Alan Goode, director at the UK-based consultancy Goode Intelligence. But this depends on the particular deployment.
There are a number of options for securing the mobile device, Goode says, including biometrics. Virtually all mobile phones come equipped with a camera that could be used for facial or iris recognition.
Some handset manufacturers are also equipping mobile phones with fingerprint swipe sensors for access to the device and specific applications, Goode says. “It’s working for the military and law enforcement but whether it’ll work for the enterprise will depend on how fallible the technology is,” he says.
Other technologies could be used to secure the mobile, Goode says. Location-based technology using the GPS in smart phones could be used to detect fraudulent activity. If, for example, someone is trying to login to an individual’s account from a PC in New York while the individual’s smart phone is in Chicago, the system could flag the session for likely fraud and deny the transaction.
“We’ll see more technology change and adapt for the unique characteristics of the mobile phone,” Goode says.
Challenges with the mobile as an ID
While some see the mobile phone as the next generation credential, others have concerns about using the device for identification. With different standards for approving smart phone applications it is unclear whether some may be vulnerable to attacks. Critics say progress needs to be made to secure the apps and platforms before the devices are used to enable additional secure transactions.
Since companies don’t always supply mobile devices to employees, it’s hard to control them, unlike a company-issued laptop. “Smart phones are disruptive to IT environments,” says Sam Curry, CTO, global marketing at RSA. “How do you secure it? And how do you use it for security?”
Part of the problem is the rate of innovation. With new software and new technology constantly released, it’s hard for organizations to keep up, Curry says. RSA has one-time passcode generators for smart phones and has a text message program that supplies the codes as well, but otherwise the company isn’t focusing on use of the mobile as an identity credential.
RSA has certificate authorities but Curry says nobody has approached them about using digital certificates on the mobile device. “People have talked about putting the pieces together but I don’t know if there’s any commercially-viable offerings out there,” he says.
Digital certificates have a high level of trust and are difficult to hack. But, they are expensive, Curry says.
Instead of focusing on using the mobile as a credential RSA is looking at how to secure the end user environment, Curry says. “We’re working on the premise that the device itself is compromised,” he says. “How do you give a person a more secure environment? Also how do you monitor the user’s behavior so you can tell when someone is doing something unusual?”
Curry says the notion of an online credential is interesting but there’s a lot that needs to happen to make it a reality. “It’s the double critical mass problem,” he says. “Everyone would like to have a cheap, easy to use credential but what’s needed behind the scenes is a critical mass of people who have that credential and a critical mass of those to accept the credential.”
Smartphones half of handsets shipped by 2012
With a plethora of apps, their large screens, built-in cameras and plenty of processing power–more than 50% of U.S. handset shipments will be smartphones by 2012, according to research firm In-Stat. Globally, shipments are projected to reach 850 million units by 2015.
By December 2010, U.S. smartphone adoption had surged to 27% penetration, according to comScore. There was rapid adoption of Google Android devices, making Google the second largest operating system by the end of the year.
RIM still held its top spot with 31.6% market share, although this was a drop from the previous year. Nearly a photo finish, Google came in at 28.7%, followed by Apple’s flat 25%, and Microsoft with 8.4%.
When looking exclusively at the smartphone market, AT&T held a solid lead with 38.3% market share, compared to Verizon’s 26.7%. However, comScore added that AT&T saw its smartphone share decline 6% points since December 2009 while Verizon climbed 3.5% points during the period.