IBM unveils two-factor authentication for NFC payments
25 October, 2013
category: Contactless, NFC
Tech goliath IBM has developed a two-factor mobile authentication technology that, with the help of NFC, could help make payments from smartphones more secure.
IBM’s new software app provides an added layer of security when using an NFC-enabled device in conjunction with a contactless smart card for mobile transactions – a common formula in online banking.
Scientists at IBM are applying the same principles of two-factor authentication that have been used before, leveraging a personal identification number (PIN) and a contactless smart card to, among other things, conduct payments. The contactless smart card can be a bank-issued ATM card or an employer-issued identity badge.
To use the new two-factor system, users simply hold their contactless smart card to the NFC reader housed within their mobile device and enter their PIN; the card then generates a one-time code, which the mobile device sends to the server.
IBM’s technology is based on end-to-end encryption between the smart card and the server, and aligns with the National Institute of Standards & Technology’s (NIST) AES (Advanced Encryption Standard) scheme. Similar solutions currently on the market require users to carry an additional device, for example a random password generator, which, in addition to being less convenient, can in some instances be less secure as well.
IBM’s two-factor technology is available now for any NFC-enabled Android 4.0 device, and is based on IBM Worklight – a mobile app platform that is part of the IBM MobileFirst portfolio. IBM expects to update the system over time to include additional NFC-enabled devices as they come to market.
The app is opened when users access remote services, an e-banking portal for example. The app will then prompt the user to log in, enter their card PIN and then touch the card to the phone for authentication. The PIN is then sent, in encrypted form, to the card where a “challenge response round” is performed.
The card-generated response is then sent to the server to validate the user and verify they are in fact in possession of their bank card. Once submitted, the user is asked again to touch the card to the phone to authenticate the transaction, and upon approval the user is given confirmation of the transaction.
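The login and transaction-approval flow described above, as an added example in Go that is not IBM's code: the article does not state how the card derives its one-time code, so this assumes an AES-128 key shared only by card and server, a random 12-byte challenge issued by the server, and GMAC (an AES-based MAC) as the code, and it leaves out the encryption of the PIN on its way from phone to card.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/subtle"
)

// Card: the contactless smart card; its AES-128 key is shared only with the bank server, and neither key nor PIN ever leaves the card.
type Card struct{ key, pin []byte }

// NewChallenge (server): fresh random 96-bit challenge for every login and
// every transaction, so a captured response cannot be replayed.
func NewChallenge() ([]byte, error) {
	c := make([]byte, 12)
	_, err := rand.Read(c)
	return c, err
}

// oneTimeCode: GMAC (AES-GCM over empty plaintext, NIST SP 800-38D) under
// the card key, challenge as nonce, transaction context as auth. data.
func oneTimeCode(key, challenge, context []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Seal(nil, challenge, nil, context), nil
}

// Respond (card, on tap): answer only if the PIN is right. context is empty
// at login and holds amount/payee on the second tap that approves payment.
func (c *Card) Respond(pin, challenge, context []byte) ([]byte, bool) {
	if subtle.ConstantTimeCompare(pin, c.pin) != 1 {
		return nil, false
	}
	code, err := oneTimeCode(c.key, challenge, context)
	return code, err == nil
}

// Verify (server): recompute with the card's key and compare in constant
// time, so approval is bound to this challenge and this transaction.
func Verify(key, challenge, context, response []byte) bool {
	expected, err := oneTimeCode(key, challenge, context)
	return err == nil && subtle.ConstantTimeCompare(expected, response) == 1
}
```

Because the approval code covers the transaction context, a changed amount or a response replayed against a different challenge fails verification on the server.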