TECHNOLOGY WHITEPAPER
DSWISS LTD INIT INSTITUTE OF APPLIED INFORMATION TECHNOLOGY JUNE 2010 V1.0
Motivation
With the increasing desire of private individuals to access their confidential data from their mobile devices as well, the need for strong security controls for such applications arises, just as it did years ago for web applications. This paper covers one of the most important parts thereof: the login process that allows an application on a mobile device to access data from a server using two-factor authentication.
Introduction
An increasing number of internet-based end-customer applications require two-factor authentication. Text message (SMS) based one-time code distribution (as second factor) is rapidly becoming the most popular choice when strong authentication is needed, for example in e-banking. Low acquisition, distribution and help-desk cost are the main drivers for these so-called mTAN¹ based authentication methods. All of these properties are particularly important for applications that serve a large number of users, possibly on a global scale. With multi-factor authentication, each token available for authenticating the user falls into one of the following three categories:
• Something the user knows (e.g. a password)
• Something the user has (e.g. a hardware token)
• Something the user is (e.g. a fingerprint)
mTAN-based strong authentication makes use of the two categories “something the user knows” (password) and “something the user has” (mobile device). During authentication, the user has to provide the password as well as a one-time secret received by SMS on his mobile phone. Proof of possession of the mobile phone (demonstrated by entering the received SMS code) serves as the second login factor. With the increased capabilities of mobile devices, there has been a trend towards accessing web services² over the mobile channel³ as well. Much
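The server side of the mTAN flow just described, as an added illustration (this is not code from the paper or from DSwiss): the password is checked first, and only then is a short-lived, single-use code generated, stored as a salted hash and handed to an SMS gateway. The second step verifies the code with a constant-time comparison and consumes it on success, on expiry, or after a small number of wrong attempts. The `send_sms` callable, the five-minute lifetime, the three-attempt limit and the phone number are assumptions chosen for the example.

```python
import hashlib
import hmac
import secrets
import time

OTP_TTL_SECONDS = 300   # assumed policy: a code is valid for five minutes
OTP_MAX_ATTEMPTS = 3    # assumed policy: pending login is discarded after three wrong codes


def _hash_secret(secret: str, salt: bytes) -> bytes:
    """Salted PBKDF2 so neither passwords nor pending codes sit in cleartext."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)


class MtanAuthenticator:
    def __init__(self, send_sms, clock=time.time):
        self.send_sms = send_sms   # callable(phone, text): SMS gateway, stubbed in tests
        self.clock = clock         # injectable clock so expiry can be exercised offline
        self.users = {}            # username -> {"salt", "pw_hash", "phone"}
        self.pending = {}          # username -> state of an in-progress second factor

    def register(self, username: str, password: str, phone: str) -> None:
        salt = secrets.token_bytes(16)
        self.users[username] = {
            "salt": salt,
            "pw_hash": _hash_secret(password, salt),
            "phone": phone,
        }

    def start_login(self, username: str, password: str) -> bool:
        """First factor ("something the user knows"). Issues an SMS code on success."""
        user = self.users.get(username)
        if user is None:
            _hash_secret(password, b"\x00" * 16)  # same cost for unknown users (no enumeration via timing)
            return False
        if not hmac.compare_digest(_hash_secret(password, user["salt"]), user["pw_hash"]):
            return False
        code = f"{secrets.randbelow(10**6):06d}"  # CSPRNG, six digits, leading zeros kept
        salt = secrets.token_bytes(16)
        self.pending[username] = {
            "salt": salt,
            "code_hash": _hash_secret(code, salt),
            "expires": self.clock() + OTP_TTL_SECONDS,
            "attempts": 0,
        }
        self.send_sms(user["phone"], f"Your login code is {code}")
        return True

    def finish_login(self, username: str, code: str) -> bool:
        """Second factor ("something the user has"): time-bound, attempt-limited, single use."""
        state = self.pending.get(username)
        if state is None:
            return False
        if self.clock() > state["expires"]:
            del self.pending[username]
            return False
        state["attempts"] += 1
        ok = hmac.compare_digest(_hash_secret(code, state["salt"]), state["code_hash"])
        if ok or state["attempts"] >= OTP_MAX_ATTEMPTS:
            del self.pending[username]  # consume the code: it never verifies twice
        return ok


if __name__ == "__main__":
    # Constructed demo: the "gateway" just records what it would have sent.
    outbox = []
    auth = MtanAuthenticator(send_sms=lambda phone, text: outbox.append((phone, text)))
    auth.register("alice", "correct horse battery", "+41 00 000 00 00")  # constructed number
    print("password ok:", auth.start_login("alice", "correct horse battery"))
    code = outbox[-1][1].split()[-1]
    print("code ok:", auth.finish_login("alice", code))
    print("replay ok:", auth.finish_login("alice", code))
```

The pending state is keyed by user so a second `start_login` simply replaces the outstanding code; the hash-and-compare pattern means a leaked database or log line never contains a usable code.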