Security is one of the primary concerns for companies releasing mobile apps, whether for businesses or individuals. Convenience is often at odds with strong security, yet it is a key factor in user adoption.
Two-factor authentication is a well-known technique to increase the level of confidence that a company can get when a user authenticates toward a system.
With two-factor authentication the user must authenticate with something they know (such as a traditional username and password, or account ID and PIN code), as well as something they have (such as a token with a display, a smartcard, a soft token or an SMS one-time password).
Recently I've been working on a demonstration with researchers from IBM labs in Zurich (see the press release), showcasing how a mobile transaction could be secured using a near field communication (NFC) enabled smartcard as a second factor. Have a look at the video of the application to see it in action.
Basically, the high-level flow works like this:
- When needed, the user is prompted to present the NFC card. (In the demonstration this happens during login and to confirm a banking transaction.) Note that the first time the NFC card is involved, the PIN code of the card (what the user knows) must be given.
- A challenge previously generated by the server is then sent, in encrypted form, from the mobile device to the card. NFC provides the contactless link.
- The card, whose chip holds both a program and a key, signs the challenge and returns it to the mobile device.
- The mobile device sends the signed challenge back to the server, which verifies that the signature is correct and matches the user ID or account associated with the card.
The following sequence diagram is a more detailed version of the interactions between the mobile device, the NFC smartcard, the IBM Worklight Server and the enterprise backend:
Here are some details about the implementation:
- The mobile banking app for this demonstration was a hybrid app made using IBM Worklight Studio. The original version contained only HTML5 code and could run on both Android and iOS.
- Thanks to the Worklight optimization framework, the Android version was modified so that the login screen is replaced by the NFC prompt, and a Cordova plug-in containing a piece of Java code invokes the Android NFC APIs to establish the dialog with the smartcard.
- The dialog between the mobile device and the smartcard uses a proprietary encrypted protocol, so that nobody can eavesdrop on, for example, the PIN code of the card.
- The card itself uses an Advanced Encryption Standard (AES) based scheme to sign the challenge, together with a counter that prevents the same challenge from being signed twice in the same way. The counter is incremented both on the card and on the server upon each verification, so that the two remain synchronized.
- A so-called custom authentication module was implemented on the Worklight Server side to handle this type of authentication.
Although some reports say that the number of NFC-enabled devices could exceed 500 million this year, this kind of technology might not be suitable in a business-to-consumer (B2C) scenario since currently Apple does not implement NFC in its devices. But in a business-to-employee (B2E) scenario the IT department can manage what types of mobile devices employees use and could therefore use the smartcard as an employee ID card: in this case the solution provides a more secure and convenient way to authenticate users than the traditional approaches.
Have you encountered two-factor authentication for any of your apps? Or have you developed any apps using NFC technology with Worklight? Please share your thoughts or send me a tweet @EtienneNoiret.