Two factor authentication goes mobile on phones, PDAs, laptops, and more
08 May, 2006
category: Library
By Marisa Torrieri, Contributing Editor, AVISIAN Publications
At least this year, many U.S. consumers aren’t ready for one-time-password (OTP) generators or smart cards. So like the medicine maker that tricks kids into getting better by concocting fruit-flavored, cartoon character remedies, a number of digital security vendors are tucking authentication into the devices Americans know and love – Blackberries and mobile phones.
At February’s RSA Conference in San Jose, Calif., soft tokens for mobile commerce and secure authentication were key topics. The conference came within months of the FFIEC guidance that prompted banks to examine the strength of their security systems. The new technology – partnerships between digital security OEMs, soft-token makers, service providers and device manufacturers – will amount to new applications that help consumers bank over their mobile phones in a more secure and convenient environment.
Why are U.S. consumers ready for this stuff now, when mobile data is just taking off?
“One reason is compliance – [some] banks cannot afford to distribute hardware tokens to each one of their customers, so FFIEC guidance has made them look for creative ways to [amplify] security,” says Kerry Loftus, director of consumer authentication services for VeriSign, a digital security OEM interested in building a network of shared authentication applications that use a single, open standard. VeriSign is a member of OATH (Initiative for Open Authentication), a multi-company organization focused on developing an open standard for strong authentication, also represented at the RSA Security Conference.
The second reason, says Ms. Loftus, is that security risks have become very public, and consumers are truly more concerned about secure transactions.
The Mountain View, Calif.-based company announced new partnerships at the RSA Security Conference that will make everyday mobile data transactions more secure, as part of its new ‘VeriSign Identity Protection’ (VIP) initiative. VeriSign will pair with handset manufacturer Motorola and USB-drive maker SanDisk to turn mobile devices or flash drives already in the hands of consumers into authentication devices. For example, Motorola will embed the OATH-compliant OTP into its Java-enabled handsets. This will, in effect, turn the phone into an OTP mechanism. The upside is that enterprises (e.g., banks, online merchants) don’t have to pay to deploy a token – that token is now taking the form of a mobile phone.
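The “OATH-compliant OTP” described above is HOTP (RFC 4226), the event-based algorithm OATH published: the token and the server share a secret and a counter, and each password is a six-digit truncation of HMAC-SHA-1 over that counter. The Python below is an added example, not code from VeriSign, Motorola or OATH. It shows the token-side generator and the server-side check that makes a phone usable as a token in practice: the server looks ahead a bounded number of counter values so a phone that generated a few unused codes still verifies, and it advances its stored counter on success so a replayed code is rejected. The `HotpVerifier` class and its ten-step window are this example’s own choices; the shared secret is the RFC 4226 test key, used here as a constructed value.

```python
import hashlib
import hmac
import struct

# RFC 4226 test secret, used here as a constructed shared secret, not a real credential.
SHARED_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """Token side: HOTP(K, C) = Truncate(HMAC-SHA-1(K, C)) per RFC 4226."""
    msg = struct.pack(">Q", counter)                       # 8-byte big-endian counter
    mac = hmac.new(secret, msg, hashlib.sha1).digest()     # 20-byte HMAC
    offset = mac[-1] & 0x0F                                # low nibble of last byte picks the window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class HotpVerifier:
    """Server side: per-token state for one provisioned soft token (example design)."""

    def __init__(self, secret: bytes, window: int = 10, digits: int = 6) -> None:
        self.secret = secret
        self.counter = 0          # next counter value the server expects
        self.window = window      # how far ahead to look for a phone that skipped codes
        self.digits = digits

    def verify(self, submitted: str) -> bool:
        """Accept a code at or ahead of the expected counter; reject anything behind it."""
        for c in range(self.counter, self.counter + self.window + 1):
            expected = hotp(self.secret, c, self.digits)
            if hmac.compare_digest(expected, submitted):   # constant-time comparison
                self.counter = c + 1                       # resync; this and earlier codes are now burned
                return True
        return False


def demo() -> dict:
    """Walk through a login, a replay, a skipped-ahead code and a stale code."""
    v = HotpVerifier(SHARED_SECRET)
    results = {
        "first_login": v.verify(hotp(SHARED_SECRET, 0)),   # counter 0, expected
        "replay": v.verify(hotp(SHARED_SECRET, 0)),        # same code again: rejected
        "skipped_ahead": v.verify(hotp(SHARED_SECRET, 4)), # phone generated 1-3 unused: still accepted
        "stale": v.verify(hotp(SHARED_SECRET, 1)),         # behind the server counter: rejected
        "server_counter": v.counter,
    }
    return results


if __name__ == "__main__":
    for c in range(3):
        print(c, hotp(SHARED_SECRET, c))
    print(demo())
```

The look-ahead window is the usual trade-off: it keeps the user experience tolerant of a phone that has been clicked a few times without logging in, at the cost of widening the set of codes an attacker could guess, so it should be small and paired with rate limiting on failed attempts.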
“Consumers who are used to carrying those devices can get that security credential,” Ms. Loftus says.
SanDisk will support VIP by manufacturing and distributing OATH-compliant USB mass-storage and trusted flash devices, VeriSign says.
Pay for your eBay auctions with your mobile phone …
E-commerce giants PayPal, Yahoo! and eBay are also partners in VeriSign’s VIP initiative. Their partnership will help create secure, trusted connections between consumers and those sites using any number of the devices in the VeriSign Unified Authentication and VIP families, says a VeriSign spokesman. VIP will enable a single credential to be shared across these sites and any members that subsequently join the VIP network, including banks, he adds.
“Any device manufacturers who adhere to the [OATH] standard can use it to add strong-authentication security to their digital commerce transactions,” Ms. Loftus says.
Other companies envision security through consumer electronics as well
Meanwhile, Diversinet, another OATH member and VeriSign partner, which makes security applications and physical soft tokens for mobile devices, announced similar plans to bank on U.S. consumers’ affinity for mobile devices.
On Feb. 7, Toronto-based Diversinet officially released its “Next-Generation MobiSecure Soft Token” and accompanying MobiSecure Authentication Service Center. The MobiSecure token is a soft token that can be embedded into mobile phones, PDAs or laptops. It acts like a one-time-password generator (OTP), except that it is embedded on devices users know, love and carry constantly. The Service Center allows for automatic, over-the-air registration, token upgrade and token removal, making the process of change less cumbersome for consumers.
On the tail end of the conference, Diversinet also announced an OEM partnership with RSA Security, which will use Diversinet’s over-the-air provisioning technology with its own SecurID product. Diversinet will also extend RSA Security’s SecurID soft token products to additional mobile device platforms, including Java, Symbian and Brew.
The technology works like a network enabling encrypted data to travel back and forth between devices and online entities, and is essential for secure mobile commerce, says Stu Vaeth, chief security officer at Diversinet. Over-the-air provisioning automatically detects and registers new device types, as each operating system has its own properties and system requirements.
“Internationally, people are more accustomed and more accepting to take the extra steps to use smart cards, hard tokens, things like that,” Mr. Vaeth says. “In the U.S., convenience is so fundamental, banks are so concerned with losing customers if they make them take extra steps.”
And as phones get more sophisticated, so it seems, the applications will follow, such as SMS financial messages and voice-enabled one-time-password generators.
“We’re doing tons of interesting things around the phone,” concludes Ms. Loftus, “because that’s a key device.”