Work Completed By: Andy McGarry
Depending on the level/strength of authentication required we may determine that multiple factors of authentication are required.
If a physical factor is required in the case of citizen access our current practice of issuing electronic tokens as a physical factor will not be viable.
This project is concerned with investigating how we could make use of citizen’s own mobile devices as authentication factors, how widespread this practice is and the sort of information it is being used to safeguard.
DETAILS/LOCATION OF PRACTICAL DEMONSTRABLE OUTPUT
Details of where code, web pages etc can be found.
This report can also be found at
H:\ISS\Strategy\StrategyArchitecture&Planning\R&D\Investigate Using Citizen Devices as an Authentication Factor.docx
DESCRIPTION OF THE WORK CARRIED OUT
Describe how you approached this piece of work, any technologies, tools or techniques that you found useful or tried and discarded. Include any examples that you used for inspiration and any contacts you have made in carrying out the work.
I researched a mix of recent Research Papers, White Papers, Case Studies, Think Tank Papers (Gartner), News Reports, Open Source Projects and available purchasable devices and authentication solutions.
What are citizen devices?
This of course brings up a long list; however, it rapidly narrows down to just a few device types:
• Traditional (GSM, GPRS) mobile phones with voice and SMS.
• Smart phones (3G, Wi-Fi) with voice, SMS and email, and the ability to easily run applications (Java etc). Examples: Blackberry, iPhone, Windows Mobile 6. Often now with touch screens.
• Smart Internet devices (Wi-Fi) with the ability to easily run applications (Java etc). Examples: iPod Touch and other MP3 players, Archos media tablets, netbooks. Often now with touch screens.
• Near Field Communication technology (RFID): Barclaycard credit cards, the new Nokia-Barclaycard mobile phones, O2 wallets, Oyster Card, the new biometric British passport, UK identity card etc.
All of these offer great potential for use in authentication in some way.
What mechanisms could be used?
A regular phone call, an SMS message, email, a client-server application, a web based application, a certificate stored on the device, or identifying the SIM card?
The important thing is a simple, secure and reliable method of registering the device: picking an attribute which is unique but not easy to imitate or copy (e.g. can the Windows Mobile unique ID be duplicated?).
One solution is to run a client application which mimics a two-factor token (e.g. RSA keyfob). The token would be registered (serialised); however, a cost implication per device is inevitable.
Another option is simply to use any application-capable device for access (not using it for authentication in its own right) but to offer access convenience to the citizen, who just uses an application (local or web based) to authenticate.
Ericsson has proposed using the actual SIM card in phones as part of the authentication mechanism. “The Internet ID concept demonstrates how the security of mobile phones (GSM authentication based on the Subscriber Identity Module (SIM)) can be re-used to improve the security of authentication. Ericsson's approach is to use the Liberty Alliance protocols, as they allow IDPs to choose between different authentication methods. The flexibility of this approach enables users to utilize SIM security not only for mobile Internet services but also for services accessed via a PC. The authentication credentials can be exchanged over the cellular network or over the fixed Internet and Bluetooth.”
Signed certificates can be distributed and stored on mobile devices (e.g. smart phone). This is complicated and expensive to deploy and manage.
Using SMS to request and send out OTPs (one time passwords) is now a mature technology and many products exist. In addition, because SMS is so well understood and SMS gateways are cheap to use, many free / open source solutions also exist.
Self-built System using an SMS Internet Gateway (e.g. Gnokii)
The simple explanation for the average user goes a little like this. You use your normal password followed by a 6 digit number. To get access to a system you need to send an SMS from your pre-registered mobile phone number with a PIN. The systems admin folk will assign you a 4 digit PIN and give you the mobile number to send your login request to. So, when you want to login, just send a text (SMS) to the phone number provided, with your 4 digit PIN. Shortly after you will receive a 6 digit number in a text (SMS) to your phone. Then login as normal using your normal password followed by the 6 digit number. You can use this same 6 digit number as many times as you like within a time period set by the systems admin folk. Simple right? Ok then, perhaps not much more complex than a token?
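One way to implement the server side of the flow just described, as an added example that is not the report's own code nor any vendor's: the SMS gateway is replaced by a hypothetical send_sms callable and the clock is injectable, so the example runs offline; the OTP lifetime is a constructed value standing in for the admin-set time period.

```python
"""Server side of a self-built SMS OTP scheme (added example, not the report's code).

Flow: registered number texts its PIN -> server texts back a 6-digit code ->
user logs in with password + code, reusable until the admin-set window expires.
"""
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Optional

OTP_DIGITS = 6
OTP_LIFETIME_SECONDS = 300  # constructed stand-in for the admin-chosen reuse window


@dataclass
class User:
    username: str
    password: str             # plain here for brevity; a real system stores a password hash
    mobile: str               # pre-registered sender number
    pin: str                  # 4-digit PIN assigned by the systems admin
    otp: Optional[str] = None
    otp_expires: float = 0.0


class SmsOtpServer:
    def __init__(self, users, send_sms: Callable[[str, str], None], clock=time.time):
        self.by_mobile = {u.mobile: u for u in users}
        self.by_name = {u.username: u for u in users}
        self.send_sms = send_sms  # hypothetical gateway hook: send_sms(to_number, text)
        self.clock = clock        # injectable so expiry can be tested offline

    def handle_inbound_sms(self, sender: str, body: str) -> bool:
        """Inbound request: sender must be a registered number and the body its PIN."""
        user = self.by_mobile.get(sender)
        # Send nothing back for unknown numbers or wrong PINs; the gateway reveals nothing.
        if user is None or not hmac.compare_digest(user.pin, body.strip()):
            return False
        # Zero-padded 6-digit code from a CSPRNG, valid for the admin-set window.
        user.otp = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
        user.otp_expires = self.clock() + OTP_LIFETIME_SECONDS
        self.send_sms(user.mobile, f"Your login code is {user.otp}")
        return True

    def login(self, username: str, submitted: str) -> bool:
        """The submitted credential is the normal password followed by the 6-digit code."""
        user = self.by_name.get(username)
        if user is None or user.otp is None or self.clock() > user.otp_expires:
            return False
        # Constant-time comparison of the whole concatenated credential.
        return hmac.compare_digest(user.password + user.otp, submitted)
```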
Mobile-OTP is a free "strong authentication" solution for Java capable mobile devices like phones or PDAs. The solution is based on time synchronous one time passwords. It consists of a client component (a J2ME MIDlet) and a server component (a Unix shell script). The server component can easily be plugged into free RADIUS servers like XTRadius to authenticate users at routers, firewalls, web servers, access points, Unix machines, etc. The shell script should run without modification on any BSD Unix or Linux. The Java MIDlet should be compatible with any Java enabled mobile phone (Nokia, Siemens, Motorola, Sony, BlackBerry, etc.). The MIDlet, server script and RADIUS server are freely available under the terms of the GPL.
Proprietary SMS Solutions
Many examples of products you can purchase are listed in Appendix A. However WCC already has the capability to deploy SMS OTP authentication as part of the Sonicwall Aventail SSL appliance used for remote access. Other examples have trial software ready to download and use or can be demonstrated by request. All of these require licences.
How widespread is this practice?
This has been the single most difficult question to answer as no real data / statistics exist.
However one major message about using mobile phones as authentication devices is to save money over traditional and expensive hardware tokens.
One vendor (Secure Envoy) lists the following public authorities as customers (21 customers with case studies):
Hertfordshire County Council, Royal Borough of Kensington and Chelsea, Milton Keynes Hospital, Royal Devon & Exeter NHS, Devon County Council, Southampton University Hospital NHS Trust, Harwich Haven Authority. They also list the charity Save the Children.
An example of a very big customer using devices for public access is ASB. A link to “ASB Two-Factor Authentication with Cell Phones” can be found in Appendix A. ASB and Bank Direct's Internet banking customers will have to use their mobile phone when they access their account on-line and need to transfer more than $2500 into another account. ASB technology and operations group general manager Clayton Wakefield announced the banks would be the first in New Zealand to implement a "two factor authentication" system to shut out online fraudsters.
What is being protected?
Most applications exist to prevent fraud and so banks have been using this technology the longest (e.g. ASB New Zealand) for personal and financial information. This facilitates on-line banking.
The secondary consideration is to protect the confidentiality and privacy of customers (personal information). As more information is collected and stored the active role of citizens in its management and access will increase. They will want to store information themselves and be able to amend it.
Points of consideration
Authentication is one thing, but security of the credentials at rest or in transit is extremely important. SMS messages and emails alike are sent using store and forward computer systems where they lie unencrypted. This is low risk for an OTP but would be entirely appropriate for citizen access.
If the connection is made by an application across the Internet, is it secured with a VPN? Despite the fact that these devices are now powerful enough to support encryption, it is rarely implemented (e.g. hand held credit card terminals in restaurants).
SMS has the advantage of out of band (OOB) use, and of allowing use when out of coverage by stacking up multiple one time passwords ready for use.
SMS OTP will cost about 3.8p per message.
Other advantages of using SMS include widespread availability of SMS phones, use from the Internet or the device, and rapid scalability (down or up).
Device Platforms (Operating Systems)
To quickly cover the major device platforms, including possible future contenders, the following list shows the availability of OTP client token software for each.
Android (Various sites and vendors)
• ConnectBot SSH Client 1.0 app: (www.androidgear.com)
• Article on OAuth on Android: http://donpark.org/blog/2009/01/24/android-client-side-oauth
Blackberry (Blackberry World via handset)
• WiKID Software Token: http://www.wikidsystems.com/downloads/token-clients
• RSA Token: http://www.rsa.com/node.aspx?id=1165
iPhone (AppStore requires iTunes)
• RSA SecurID Software Token app: http://www.iphonebuzz.com/rsa-launches-security-toke-app-for-iphone-247948.php
• Verisign: http://www.tgdaily.com/content/view/41919/108/
• Emue Software Token app: www.emue.com
Windows Mobile 6 (Various sites and vendors)
• WiKID Software Token: http://www.wikidsystems.com/downloads/token-clients
• RSA SecurID Software Token: http://www.rsa.com/node.aspx?id=2571
• Active Identity: http://www.actividentity.com/products/tokens_soft__home.php
Describe the degree to which the work was successful in addressing the project description. Include reasons why or why not.
Mostly very successful because of the amount and quality of information available from companies, news sites, universities, open source communities etc. However, one area that was not successful at all was "current usage". It is fair to say that corporate usage of, say, SMS OTP is widespread, but the use of citizen devices in the public space is very hard to determine. Banks are by far the leaders in using citizen devices at this present time.
Based on the research paper "The Mobile Phone as Authentication Token" by Jorstad and Thanh (link in Appendix A), there are four main aspects: security, cost, infrastructure (complexity) and user-friendliness. It maps these against 8 different authentication methods to give a useful comparison. SIM strong authentication with SMS comes out very favourably, scoring very high for security.
However specifically for mass citizen access SMS OTP without utilising the SIM card would be adequate.
SHORT TERM BENEFITS
What immediate impact could the output of this R&D work have on the organisation – could it provide benefits without compromising our strategic approach?
The maturity of SMS OTP solutions is very clear in both sophistication and availability of solutions, support in devices and widespread availability of cheap SMS gateways. This gives WCC the opportunity to:
- Start replacing expensive (and short life) two factor hardware tokens (RSA SecurID) with an SMS OTP solution.
- Scale up the availability of remote access.
- Offer more prompt service to new remote access users.
- Offer the public a sustainable but secure access to web facing data.
- Can be used alongside the existing two factor solution to retain current investment.
Next Steps / Recommendations
Try out SMS OTP access on the Aventail lab / test box or the 30 day trial copy of Secure Envoy or WiKID. Another area to explore would be to implement a home brew demo using free downloaded PHP software and a cheap SMS gateway. A demo website could be constructed to show the full experience. WiKID even offer pre-built VMware images, RPMs, ISOs etc to speed up the test phase.
How the work carried out fits with our strategic direction or how it should contribute to our strategic thinking.
- SMS OTP strengthens remote access capability by offering greater flexibility, cost savings and scalability. This extends the remote access solution to allow practical responses to disasters and emergencies (e.g. Swine Flu).
- SMS OTP solutions are available on all major device platforms including Microsoft.
- Enables the public secure access to WCC web facing systems.
- Allows much more sensitive information to be stored and accessed enabling new functionality previously not sensible.
- Requires WCC websites to natively support the authentication method (extensive software changes).
- SMS OTP is a green solution compared with hardware tokens.
What is the future here? Voice recognition using the phone? Face recognition using its camera? Logging the location of the user at time of access with information provided by the device's built-in GPS? The devices will get more powerful, sophisticated and feature rich, and more opportunities will emerge which could be used to identify the user and to offer appropriate services.
OTHER NOTES ETC
The most interesting idea about considering citizen devices is that, starting with the mobile phone, a continuous line of ever more sophisticated and capable devices is emerging. The latest powerful devices such as Apple's iPhone have extra built-in hardware like Wi-Fi, GPS and potentiometers, allowing application developers to develop software that directly interacts with the user's environment. The on-board processing power and functionality will continue to expand, allowing other simple but highly effective authentication mechanisms to arise and replace SMS OTP. These mechanisms could include fingerprint, face and voice recognition, location based level of access, handwriting recognition and inclusion of dedicated security chips.
Appendix A: References (Articles & Research)
Case Study: ASB Two-Factor Authentication with Cell Phones http://www.schneier.com/blog/archives/2004/11/twofactor_authe.html
Apple Devices & SDK
Signify Passcode OnDemand delivers tokenless two-factor authentication by turning any mobile phone or Blackberry into an authentication device. http://www.signify.net/services/services_pod.asp
Build your own SMS two factor authentication system
Open Source Mobile One Time Password Solution
OAuth is an open protocol, initiated by Blaine Cook and Chris Messina, to allow secure API authorization in a standard method for desktop, mobile and web applications.
OAuth, open protocol: http://en.wikipedia.org/wiki/OAuth
Internet Identity Workshop (Where OAuth, OpenID, XRD, Discovery etc are launched and brainstormed). Two events a year usually in March and December.
Information Card (Including Claims)
Barclaycard “Contactless Payment Technology” (Built-in RFID PayPass or Oyster Card):
O2 Wallet trial reveals 78% want to use contactless services on their mobile phone
Home Office Identity and Passport Service (UK Identity cards and Biometric Passports):
SMS Gateway Providers
SMS OTP Software Providers
Fireid (SMS One Time Passwords using Mobile Phone based client)
Swivelsecure (Just SMS, no client to deploy though one can be used)
Aventail (Built in the SSL appliances)
Solutions Depot Blog
Research Paper: The Mobile Phone as Authentication Token
Research Paper: Using mobile phones as generators of OTP
Appendix B: Gartner
Hype Cycle Phone-Based Authentication Methods (By: Ant Allan)
This useful article covers various methods of phone based authentication. The full article is available direct from Gartner. In summary:
It covers the most popular authentication methods using OOB OTP and other alternatives. The OTP can be either sent to the phone, with the user then entering it on the PC (inbound ticket), or sent to the PC, with the user submitting it via a server-initiated call (outbound ticket). Alternatives include the response-only method, where a voice call to the user's registered number is responded to by pressing a pre-agreed button on the phone.
Less popular methods use a smart phone running an application which generates the OTP. A variant of this uses the phone's own SIM card for extra integrity.
Recently many banks have implemented OOB OTP by SMS or voice telephony such as National Australia Bank; ASB in New Zealand; Citibank in Singapore and Hong Kong; Deutsche Postbank in Germany; Postbank in the Netherlands; and Bank of America. Use is higher in Europe, the Middle East and Africa and the Asia/Pacific region than in North America. One notable example of adoption is the OCBC Bank in Singapore, which offers its customers a choice of OTP methods — and reports that the dedicated hardware token is a distant second choice, far behind OOB OTP by SMS.
Recommended Reading: "A Taxonomy of Authentication Methods: Quick-Reference Outline"
"Predicts 2008: Mobility and Outsourcing Are Changing Secure Business Enablement"
Appendix C: Glossary
3G: International Mobile Telecommunications-2000 (IMT-2000) http://en.wikipedia.org/wiki/3g
GPL: GNU General Public License http://en.wikipedia.org/wiki/Gpl
GSM: Global System for Mobile Communications http://en.wikipedia.org/wiki/GSM
GPRS: General Packet Radio Service http://en.wikipedia.org/wiki/General_Packet_Radio_Service
MAC: Media Access Control Address http://en.wikipedia.org/wiki/MAC_address
OOB: Out of Band http://en.wikipedia.org/wiki/Out_of_band
OTP: One time password http://en.wikipedia.org/wiki/One-time_password
RFID: Radio-frequency Identification http://en.wikipedia.org/wiki/Rfid
SIM Card: Subscriber Identity Module Card http://en.wikipedia.org/wiki/Sim_card
SMS: Short Message Service http://en.wikipedia.org/wiki/SMS