On August 17th I was a guest at the Dutch BNR news radio station, as part of the weekly BNR Digital broadcast. I was there as expert on biometric authentication. I responded to the questions on the opportunities for biometric authentication in mostly positive manner. I argued that biometric authentication can be a user-friendly second authentication factor. But I also voiced some concerns: not all implementations as done well, liveness detection (presentation attack detection) is and will remain a (if not the) challenge and privacy can be a serious issue.
DigiD is the Dutch national digital identity solution for citizens to use e-government services (and online health and pension-related services). It is quite popular actually, in 2015 there where 12 million citizens that had a DigiD, on a population of a bit of 17 millions. Also the amount of logins had increased significant over the year, with over 200 millions logins in 2015. InnoValor did a project in 2015 to make a proof-of-concept app for DigiD that can 1) serve as replacement of SMS as second-factor, 2) can be used with government mobile app and 3) is more secure than current DigiD because it can use the contactless chips in e-passports etc as second factor. We did this project for and with DUO (government organisation responsible for student enrolment, student finance etc), in collaboration with RDW (government organisation responsible for driving licenses, vehicle registration etc) and Logius (government organisation responsible for DigiD).
The below blogpost is written jointly with Jan Kouijzer from DUO and gives details. It is in Dutch and includes links to videos with a demo. It appeared earlier (7 December 2015) on https://innovalor.nl/digi2-een-proof-of-concept-app-voor-digid/.
FIDO stands for Fast Identity Online. FIDO is a new authentication specification that makes it easier to integrate with and re-use non-password authentication means: what-you-have and what-you-are. The specification was published in a v1.0 version last December by the FIDO Alliance, which unites an impressive list of large companies (e.g., Microsoft, Google, Samsung) and smaller authentication companies (e.g., Authasas, Yubico, Nok Nok Labs) to “define an open, scalable, interoperable set of mechanisms that supplant reliance on passwords to securely authenticate users of online services”.
Last Friday (23 January 2015) PIMN organized a seminar on FIDO, which was fully booked with a waiting list even. In this blogpost I’ll summarize what I learned and what I presented on “FIDO and its place in the identity ecosystem”.
Blogpost by Maarten Wegdam and Martijn Oostdijk
We believe that there is a bright future for the combination of smartphone and digital identity, which we refer to as mobile-centric identity. The question is, of course, how and when, and probably also who (which organisations) will benefit from this. To contribute to making mobile-centric identity happen, we are experimenting with how we can use a smartphone to get access to our ‘offline identity’, i.e., our passport / ID card. More specifically, we developed an Android app, called NFC Passport reader, that uses NFC to read the chip embedded in a passport / ID Card (aka ePassport). This app is now available from Google Play.
What did we do?
We recently did an assessment of a so-called SIM augmented authentication token, or VASCO’s new DigiPass Nano product to be more specific. We did this for SURFnet, for which we previously also did an assessment of Mobile PKI. We liked Mobile PKI, but it has a big disadvantage: you depend on your mobile network operator to be able to use it (and in the Netherlands they are not deploying this any time soon). This disadvantage is the main motivation to look at SIM augmented tokens. These are, as the term suggests, added to in stead on being ‘inside’ the SIM card.
So what is a SIM augmented authentication token? Physically it is a sticker with an embedded chip that you stick on your SIM card and sits between the SIM card and the mobile phone. The chip stores a secret used for authentication, which is more secure than storing the secret in a ‘normal’ mobile app. This secret is used by an authentication application that is also runs from this chip. This application, from the perspective of the mobile phone, appears to be a normal SIM application, and can work on basically any phone (smart of dumb). The only SIM augmented authentication token that I’m aware of is the above mentioned DigiPass Nano from VASCO (let me know if you know of others?). The DigiPass Nano implements an event-based one-time-password functionality, i.e., it generated a new code every time the user asks for it.
We did an assessment of the usability, security and business model aspects. Below I copied the conclusions, but the bottom-line is that we believe from a security perspective this is a good alternative to other one-time-password solutions, and it more secure than solutions implemented as a mobile app. The main benefit is that it works on basically any phone (also non-smartphones), and you you can deploy it without needing help (and investments) from your mobile operator. The main disadvantage is the user experience. We did some limited testing with putting the sticker on, which was ok, but the user experience of getting a one-time-password can be troublesome. It requires the user to find SIM applications on their mobile phone, which are often hidden somewhere deep in the menu’s. My estimate is that this usability limitation will need to be addressed for this technology to get acceptance beyond specific enterprise use-cases. Or to put it differently, I’d do very carefull usability optimizations/testing before deploying this to millions of consumers.
This assessment was joint work with my colleague Martijn Oostdijk, see his blog for more details on especially the security aspect. The full report of our assessment is available via the SURFnet website. If you’re looking for a wider perspective on the combination of mobile and digital identity, see this previous blog post on our mobile-centric identity vision.
The Digipass Nano uses a form factor that is relatively unique in the authentication token market. It is a SIM augmented token, a thin patch/sticker including an embedded chip that sits between the SIM and the user’s mobile phone. The key advantages of this form factor are:
- secure storage of credentials under a “security domain” that is distinct from the other stake holders (e.g. mobile operators, handset vendors),
- while at the same time the ability to use the user-interface of the user’s existing GSM handset,
- and, potentially, the use of the mobile phone’s GSM or 3G network.
As most users will always carry their mobile phone with them, this means that the token will be present during transactions in many different contexts.
The technology underlying SIM augmentation is based on standards that have existed for a long time, are present in billions of GSM handsets around the world, and have proven to be relatively secure given the threat landscape thus far. The DP Nano does not use all features offered by this technology (it only uses the user interface features, not, e.g., the network features present in GSM 11.14). However, a number of variations of the DP Nano exist (see , apparently targeting different markets) which do utilise the networking capabilities of the GSM SIM, and which appear to more strongly bind the token to either handset (“IMEI lock”) or SIM (“IMSI lock”).
On paper, from a technological and security perspective, SIM augmented tokens compare well to other mobile and possession based tokens such as SMS OTP, OTP tokens, mobile soft tokens, and smart cards. As to the security, threats from malware on the handset are minimal as long as the SIM toolkit API interface is properly implemented on the handset.
The user experience may cause some problems for certain groups of users, depending on the issuance and installation process (e.g. whether users are required to install the token themselves). The DP Nano requires the user to navigate through unfamiliar text based menus in order to start up the application when asked by the SP to provide an OTP. This is the most prominent drawback when compared to e.g. the Mobile PKI experience (as described in ) where the authentication application on the handset it triggered over the air.
From a business model perspective SIM augmented tokens are interesting as they separate the role of SIM based authentication provider from the role of MNO. Obviously, being the first of its kind and relying on a server side licensing model and proprietary implementation, whether a choice for the DP Nano provides a positive business case when compared to MNO provided SIM based authentication remains to be seen.
Interesting features to add could be:
- Lock the token to IMSI or IMEI (possible, according to )
- Use the network to initiate authentication transactions (drawback: implies sending service SMS messages to the token, which may mean cooperation of a MNO or at least per-transaction costs)
- Use the network as an OOB channel during an authentication session (e.g. to display transaction details, similar drawback as above)
- Use the network to “blacklist” a token when a token is reported stolen
- Combine SIM augmented solution with a handset resident application to provide a better user experience (may be dependent on operating system and handset to provide installed apps with an API for communication with SIM)
The latter option is particularly attractive as a way to enhance the security of SURFnet’s tiqr solution (see ) and other mobile app solutions.
Since a one-size-fits-all solution to authentication does not exist, in the end SIM augmented solutions will likely find a market alongside authentication tokens with different form factors.
Below a contribution I wrote for the IDentity.Next newsletter (I’m on the expert panel) on mobile-centric identity, see also http://www.identitynext.nl/news.php?id=22.
Mobile phone – the remote control of our (digital) identity?
For most people the mobile (smart) phone is the most personal device they have. You carry it with you almost always, you rarely let others use it and you notice it is gone very quickly. Combine this with the smart phone becoming a mature and popular channel to online services, and you realize the importance of your mobile phone for your digital identity. The term user centric identity was (or still is) quite popular the last few years, going further I’m a strong believer in mobile centric identity: the mobile phone as the central component to control your digital identity.
I distinguish three ways in which this is happening:
1. The mobile phone as authentication device– this is already happening and is progressing, especially one-time-passwords over SMS are pretty common. But also apps for Android or iPhone with one-time-password generators, or Mobile PKI which exploits the SIM card for more security.
2. Authentication for the mobile channel– this is still a struggle, even more than identity on the ‘fixed’ internet. Typing passwords is a huge hassle on mobile phones, and providing these to random and barely trusted mobile apps is not a good idea (for example a third party mobile banking app). Common stronger authentication means like smartcards-with-readers or one-time-password tokens are not really an option since no one wants to carry additional devices with them. Also identity federation standards like SAML WebSSO and OpenID are not really suitable for mobile phones. We’ve been using oAuth for mobile Apps, which may not be the final solution but is a step into the right direction if ‘medium’ security is good enough.
3. Control your privacy on your mobile phone – I, and many with me, believe that sharing personal data can make our lives easier, but that the user should be in control of this. A single point of control for this is the way to go, for example determine in a central place who should get access to my new home address, and my location updates. This starts at basic consent functionality when using external identities (e.g., OpenID), but goes all the way to Personal Data Ecosystem, Vendor Relationship Management and User Managed Access ambitions. The mobile could be the trusted device to control this. This is far from reality nowadays.
A major risk for the success and speed in which mobile centric identity will come to be is if we are successful in keeping the mobile phone secure enough for this. This has not been a major issue yet, but for sure requires attention (for example, ENISA report or KuppingerCole Top Trends 2011). Solutions that are part of the operating system and/or exploit trusted hardware like the SIM card may prove most successful.
Related to identity is always payment, and although slower than expected the signs are good that NFC technology (for mobile payments) will get a significant penetration to mobile phones the coming years. Also, at least in the Netherlands, banks and mobile operators have joint forces to make mobile payment possible. Your mobile phone may very well replace both the coins and the bank/smartcards that are now in your wallet. It will be interesting to see how, how fast and who will profit from this!
Maarten Wegdam (principal researcher at Novay – member of IDentity.Next expert panel)