What is MobileKey?
MobileKey (Mobile Authentication Server) is an authentication solution that protects access to Web-based resources by adding a second, independent user authentication step ("double-criterion" authentication) carried out through the user's existing mobile phone. It addresses a weakness of password-only access over the Internet and Intranet: the user confirms the transaction on a personal device that is separate from the PC on which the password is typed. A user has to be registered through a secure, out-of-band method (e.g. in person via a bank teller) before the system will send codes to that phone.
Designed to protect Web-based Internet and Intranet applications, MobileKey requires users to identify themselves with two criteria: something they know (a PIN or password), and something they receive only during authentication (a one-time access code delivered to their registered mobile phone, which in practice proves possession of that phone), before they are granted access to a protected Web resource. With MobileKey, companies can positively identify users and deliver valuable services conveniently and securely, without additional security hardware. End users get a simple process that eliminates the need to remember multiple passwords or deal with cumbersome grid cards.
Rationale for Mobile Authentication
As the Internet becomes a more important channel for financial transactions, the likelihood that an organization's transaction system will be attacked increases. Today most transactions are secured with passwords. Institutions spend millions of dollars on SSL solutions to ensure passwords are not captured in transit. But, as the real-world cases below show, breaches usually occur outside the reach of PKI and SSL: at the endpoints, before the password ever enters the encrypted channel.
How the traditional password system can be compromised
1. Passwords can be captured while they are being typed into the browser, for instance by 'trojan-horse' applications that your customers may have installed unknowingly along with shareware, by opening a malicious email, or simply by visiting a dubious website. Some trojan-horse applications, like the infamous 'Back Orifice', can even take control of the PC and let an attacker watch the screen much as a legitimate remote-control tool such as pcAnywhere would. SSL does nothing against this, because the password is stolen before it is encrypted.
2. Your customers may store their passwords carelessly on their PCs, where anyone with access to the machine can read them: a PC repairman, or, on a cybercafe machine, anyone who uses the terminal after them.
3. Your own employees, the people your customers have to trust, can compromise your security from the inside.
Alternative Authentication Methods
We are not saying 'do away with passwords and use hardware authentication such as smart cards or key tokens'. Such devices are hard to roll out and even harder to teach consumer customers to use, quite apart from their cost and the risk of technology obsolescence. What we are advocating is adding an extra authentication method that uses ubiquitous non-PC personal appliances, such as mobile phones and PDAs.
Today the mobile phone and SMS are more widely used than even the PC, so it is logical to build the extra authentication step on the mobile phone.
You may ask: is it not too tedious to use a mobile phone every time a user logs on? Phone authentication should be reserved for high-risk transactions, such as authorizing a fund transfer, and not applied to low-risk activities such as checking a cash balance. Ordinary logon therefore need not require it; the phone step is triggered only when the user attempts a risky action, which keeps the extra step rare while still protecting what matters.
1. Double-criterion to Identify the User
The MobileKey technology provides a cost-effective way to protect web resources with double-criterion authentication. The flow is as follows. Through a browser, a user requests a Web resource for which the Web Application requires additional authentication, and the Web Application asks MobileKey to authenticate the user. MobileKey generates a unique, one-time access code and sends it to the user's registered mobile phone, either as an SMS text message or as an e-mail. The user enters the access code into the browser to complete the authentication process. MobileKey checks the submitted code against the one it issued and returns the final go-ahead (or refusal) to the Web Application; because the code is one-time, a code that is captured after use cannot be replayed. By keeping the Web Application and the authentication server separate, companies can also segregate responsibility between teams and reduce the likelihood of internal fraud.
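The exchange described above, as an added example written for this page and not MobileKey's own implementation: the class names AuthServer and WebApp, the 6-digit code format, the 120-second validity window and the 3-attempt limit are all assumptions. The authentication server is the only party that ever handles the code, and it keeps only a hash of it; the Web Application holds nothing but an opaque challenge identifier.

```python
import hashlib
import hmac
import secrets
import time

CODE_LENGTH = 6          # assumed code format
CODE_TTL_SECONDS = 120   # assumed validity window
MAX_ATTEMPTS = 3         # assumed guess limit per challenge


def _digest(challenge_id, code):
    # The server stores only this; the plaintext code lives in the SMS/e-mail.
    return hashlib.sha256(f"{challenge_id}:{code}".encode()).hexdigest()


class AuthServer:
    """Issues and verifies one-time codes; holds contact details, not passwords."""

    def __init__(self, send_message, clock=time.time):
        self._send = send_message   # callable(address, text): SMS or e-mail gateway
        self._clock = clock
        self._contacts = {}         # user_id -> mobile number or e-mail address
        self._pending = {}          # challenge_id -> state of an outstanding code
        self.log = []               # audit trail of authentication events

    def register(self, user_id, address):
        # Registration is assumed to happen over a trusted channel (e.g. a teller).
        self._contacts[user_id] = address

    def challenge(self, user_id):
        """Generate a random code, send it to the phone, return a challenge id."""
        code = "".join(secrets.choice("0123456789") for _ in range(CODE_LENGTH))
        challenge_id = secrets.token_urlsafe(16)
        self._pending[challenge_id] = {
            "user": user_id,
            "digest": _digest(challenge_id, code),
            "expires": self._clock() + CODE_TTL_SECONDS,
            "attempts": 0,
        }
        self._send(self._contacts[user_id], f"Your access code is {code}")
        self.log.append(("challenge", user_id, challenge_id))
        return challenge_id

    def verify(self, challenge_id, submitted_code):
        """True exactly once for the right code inside the window; else False."""
        entry = self._pending.get(challenge_id)
        if entry is None:
            return False                      # unknown, already used or locked out
        if self._clock() > entry["expires"]:
            del self._pending[challenge_id]
            self.log.append(("expired", entry["user"], challenge_id))
            return False
        entry["attempts"] += 1
        ok = hmac.compare_digest(entry["digest"], _digest(challenge_id, submitted_code))
        if ok or entry["attempts"] >= MAX_ATTEMPTS:
            del self._pending[challenge_id]   # single use; discard after too many tries
        self.log.append(("verify", entry["user"], challenge_id, ok))
        return ok


class WebApp:
    """The protected application: it never sees the code, only the challenge id."""

    def __init__(self, auth_server):
        self._auth = auth_server
        self._sessions = {}   # user_id -> challenge_id awaiting confirmation

    def request_transfer(self, user_id):
        # A risky action (fund transfer) triggers the phone step; plain logon does not.
        self._sessions[user_id] = self._auth.challenge(user_id)
        return "enter the code sent to your phone"

    def confirm_transfer(self, user_id, code):
        challenge_id = self._sessions.get(user_id)
        if challenge_id is None:
            return False
        ok = self._auth.verify(challenge_id, code)
        if ok:
            del self._sessions[user_id]
        return ok


def demo():
    """Run the exchange against a constructed in-memory gateway and fake clock."""
    outbox, now = [], [1_000.0]
    server = AuthServer(lambda addr, text: outbox.append((addr, text)), lambda: now[0])
    server.register("alice", "+6591234567")   # constructed sample user
    app = WebApp(server)

    app.request_transfer("alice")
    code = outbox[-1][1].split()[-1]          # what the user reads off the phone
    first = app.confirm_transfer("alice", code)
    replay = app.confirm_transfer("alice", code)   # same code again: refused

    app.request_transfer("alice")
    code = outbox[-1][1].split()[-1]
    wrong = "000000" if code != "000000" else "111111"
    guesses = [app.confirm_transfer("alice", wrong) for _ in range(MAX_ATTEMPTS)]
    locked = app.confirm_transfer("alice", code)   # right code, but challenge discarded

    app.request_transfer("alice")
    code = outbox[-1][1].split()[-1]
    now[0] += CODE_TTL_SECONDS + 1
    expired = app.confirm_transfer("alice", code)  # right code, delivered too late

    return {"first": first, "replay": replay, "guesses": guesses,
            "locked": locked, "expired": expired, "messages": len(outbox)}
```

Running `demo()` exercises the four outcomes a deployment has to get right: the correct code is accepted once, a replay of the same code is refused, repeated wrong guesses discard the challenge so the real code no longer works, and a code entered after the window is refused. The comparison is constant-time and the code is drawn from the operating system's random source, not from a predictable counter.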
2. Protecting existing authentication system
MobileKey does not replace an existing authentication system; it adds a layer of security in front of it and complements it, whether that system is software or hardware based. For example, it can work alongside an existing J2EE infrastructure, so that a password captured from that system is not by itself enough to complete a protected transaction.
3. Protecting against Internal fraud
MobileKey keeps users' contact information (e-mail address, mobile number) in its own encrypted database, separate from the existing corporate user database. The records are encrypted with the Blowfish algorithm using a 128-bit key, which prevents anyone who merely obtains the database file from reading or altering them. A password-secured administrator logon is not enough on its own: the administrator must also supply a separate key before user information can be accessed.
The entire MobileKey core authentication and messaging engine ships in compiled binary form, which raises the effort needed to decompile or reverse engineer it compared with bytecode-based Java or interpreted Perl solutions. This is a deterrent rather than a guarantee: compiled code can still be disassembled, so the scheme does not rely on keeping its algorithm secret; its strength rests on the randomness and single use of the codes and on the separate, encrypted contact database. What must be controlled is modification: anyone who can alter the deployed engine can weaken it or insert a backdoor, so write access to the installed binaries should be restricted and logged just like administrator access to the database.
4. Flexible Administration and Auditing
MobileKey provides both a browser and a console management interface; sites that do not want browser-based administration can disable that option. Two types of administrators may be defined: a full access administrator and a help desk administrator. The full access administrator can manage users, resources and authentication policies. The help desk administrator performs a limited range of functions, such as amending a user's name or re-entering user contact information (email address or phone number). As an added safeguard, help desk administrators cannot view contact information; they can change a contact record only after supplying the current value exactly, and the server checks it before applying the change.
The MobileKey technology also provides a logging feature that captures and records system activity, including user authentication and administrative actions. The data may be used for auditing and accounting purposes.
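The two administrator roles, the "change only after presenting the current record" rule and the audit trail, as one added example written for this page (not MobileKey's own code; the UserDirectory class, the role names "full" and "helpdesk", the permission sets and the sample user are assumptions made for illustration):

```python
import hmac


class Forbidden(Exception):
    """Raised when an administrator calls a function outside its role."""


class UserDirectory:
    """Authentication-server user records with two administrator roles and an audit log."""

    # Role -> permitted operations (assumed split). Only the full administrator may
    # read contact details; the help desk may only change them.
    PERMISSIONS = {
        "full": {"manage", "view", "update"},
        "helpdesk": {"update"},
    }

    def __init__(self):
        self._users = {}   # user_id -> {"name": ..., "mobile": ...}
        self.audit = []    # (event, admin_id, user_id) tuples; every call is recorded

    def _require(self, admin, operation, user_id):
        if operation not in self.PERMISSIONS.get(admin["role"], set()):
            self.audit.append(("denied:" + operation, admin["id"], user_id))
            raise Forbidden(f"role {admin['role']!r} may not {operation}")

    def add_user(self, admin, user_id, name, mobile):
        self._require(admin, "manage", user_id)
        self._users[user_id] = {"name": name, "mobile": mobile}
        self.audit.append(("add_user", admin["id"], user_id))

    def view_mobile(self, admin, user_id):
        """Full administrators only: the help desk never gets the number back."""
        self._require(admin, "view", user_id)
        self.audit.append(("view_mobile", admin["id"], user_id))
        return self._users[user_id]["mobile"]

    def change_mobile(self, admin, user_id, current_mobile, new_mobile):
        """Help desk path: the caller must present the current number exactly.

        The comparison is constant-time and the stored value is never returned,
        so a rejected attempt reveals nothing about the real record."""
        self._require(admin, "update", user_id)
        stored = self._users[user_id]["mobile"]
        if not hmac.compare_digest(stored.encode(), current_mobile.encode()):
            self.audit.append(("change_mobile:rejected", admin["id"], user_id))
            return False
        self._users[user_id]["mobile"] = new_mobile
        self.audit.append(("change_mobile", admin["id"], user_id))
        return True


def demo():
    """Walk through both roles with constructed sample data; returns the outcomes."""
    directory = UserDirectory()
    full = {"id": "admin1", "role": "full"}
    helpdesk = {"id": "hd7", "role": "helpdesk"}
    directory.add_user(full, "alice", "Alice Tan", "+6591234567")  # constructed user

    try:
        directory.view_mobile(helpdesk, "alice")
        helpdesk_view = "allowed"
    except Forbidden:
        helpdesk_view = "denied"

    # Caller gives a wrong current number: the change is refused and logged.
    wrong = directory.change_mobile(helpdesk, "alice", "+6590000000", "+6597654321")
    # Caller supplies the number the customer confirmed: the change goes through.
    right = directory.change_mobile(helpdesk, "alice", "+6591234567", "+6597654321")
    after = directory.view_mobile(full, "alice")

    return {"helpdesk_view": helpdesk_view, "wrong": wrong, "right": right,
            "after": after, "events": [e[0] for e in directory.audit]}
```

The audit list records denied calls and rejected changes as well as successful ones, which is what makes it useful for investigating a suspected insider: a help desk account that repeatedly fails the current-record check, or that probes the view function, shows up in the log even though it never obtained any contact data.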