Using cell phones as a secure means of online banking is not a new idea. It has been discussed for years and still raises doubts. With the technical specifications of the FIDO Alliance, however, modern cell phones become a genuinely strong security tool, because they make authentication for banking transactions convenient and regulatorily compliant at the same time.
Banking via PC, tablet or cell phone is part of everyday life for the digital natives and digital immigrants of our time. Account inquiries, real-time transfers, bookings - all of this must be possible now and immediately and work on the sofa at home, at work or from the coffee shop during the lunch break. The young generation lives spontaneously, and they want to do their banking on the fly. This is not new.
How are usability and security combined?
The new Europe-wide data protection rules and the regulations of the credit and banking world itself demand that online banking must always take place under secure conditions. They oblige providers to create the conditions for low-risk banking transactions - including technical requirements such as two-factor authentication. Companies face the challenge of combining security and user-friendliness. Complicated passwords or the need to use additional hardware such as chip card readers and tokens spoil the desire for spontaneous transactions.
One way out of the gap between user-friendliness and security is the cell phone. Many models have long been equipped with the latest security technology: lock screens, fingerprint readers, tap or swipe pattern recognition, facial recognition, iris scanning and other hardware-supported authentication mechanisms. On current devices these checks do not replace a secret but unlock keys held in a secure element or trusted execution environment, and the biometric template itself never leaves the phone. The reliability of these systems far exceeds password-only protection. This is especially true if you follow the latest statistics on users' password preferences: codes like "12345" and "password" still top the list.
Authentication in mobile banking
The technology built into phones can be used directly for secure banking: newer-generation Android and iOS devices give apps the necessary direct access to the device's security functions. The same technology also makes the devices usable for corporate purposes, where high confidentiality requirements apply as well.
The aforementioned rules require two-factor or even three-factor authentication for important transactions. The customer must authenticate with at least two, and if necessary three, factors: something only they know (e.g., a password or PIN), something only they possess (here, the identifiable cell phone or an inserted smart card), or a biometric characteristic (e.g., fingerprint, iris or vein pattern, face). With fingerprint scanners or cameras, and the ability to exchange encrypted push messages with the bank, not only can this be realized; additional protection can be added for high-risk transactions.
Two further requirements are important. First, the authentication of a user should result in the generation of an "authentication code", which is a cryptographic signature of the transaction. In the case of an online payment, this code must be uniquely tied to the amount and the recipient as specified by the user ("dynamic linking"): if either is changed after the fact, the code must become invalid. Second, the user's cryptographic material must be protected against unauthorized access.
FIDO - an alliance for global authentication standards
The criteria described can be fully met with technical measures that follow the standards of the FIDO Alliance. FIDO stands for "Fast Identity Online." The non-commercial alliance was launched in 2013 to develop cross-company, open and royalty-free industry standards for authentication on the Internet.
The FIDO standards describe authentication in two steps. When the user starts a transaction, the provider's website or app appears first, as usual. As soon as a transaction has to be approved, the first step is local: the user verifies to their own device, using the biometric recognition built into it or, if necessary, an external authenticator such as a security key or card reader connected via Bluetooth. A PIN and a fingerprint scan can be combined, for example. The user thus largely decides which method to use to secure their financial transactions and does not have to deal with the technology in the background; the provider only ever sees the cryptographic result of that check. This increases the acceptance of security measures. For higher-risk transactions, the provider can require additional verification steps.
Authentication and public-key cryptography
If the local check succeeds, proven public-key cryptography takes over. The private key that was generated for this provider at registration signs a challenge issued by the provider; the provider verifies the signature with the public key it stored during registration, which authenticates the user to the remote peer. The same signature carries the release of the specific transaction that is mandatory for payments, and FIDO authentication can be combined with common authorization frameworks (OAuth 2.0 and OpenID Connect, for example). Because the authenticator creates a separate key pair for every service, a single device can serve multiple transaction partners without those partners being able to link the user across services, which also fits the opening of the market laid out in PSD2.
Since asymmetric cryptography (digital signatures, not encryption) forms the basis, both the user's biometric data and the private key used for transaction approval remain on the user's device and never have to be sent over public networks. The provider stores only public keys, which are of no use to an attacker on their own. This relieves providers of the burden of securely storing masses of shared secrets and sealing them off from large-scale breaches, and it protects all parties from attacks that aim to intercept or replay credentials in transit.
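The following program is an added illustration of the two ideas above, the authentication code that is dynamically linked to amount and payee, and the public-key flow in which the phone keeps its private keys and the provider stores only public keys. It is not code from the page, the FIDO Alliance or any vendor, and it deliberately collapses the real FIDO/WebAuthn message formats into a single hash so the principle stays visible; the relying-party name, user name, amount and payee strings are constructed placeholders.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Authenticator models the phone's secure hardware. It keeps one key pair per
// relying party (bank, shop, ...) and never hands out a private key: the only
// operations callable from outside are Register and Sign.
type Authenticator struct {
	keys map[string]*ecdsa.PrivateKey // relying-party ID -> private key
}

func NewAuthenticator() *Authenticator {
	return &Authenticator{keys: map[string]*ecdsa.PrivateKey{}}
}

// Register creates a fresh P-256 key pair for one relying party and returns
// only the public key, which is all the provider needs to store.
func (a *Authenticator) Register(rpID string) (*ecdsa.PublicKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	a.keys[rpID] = priv
	return &priv.PublicKey, nil
}

// Sign produces the authentication code: an ECDSA signature over the provider's
// one-time challenge bound to the transaction shown to the user. userVerified
// stands in for the local fingerprint/PIN check; without it the key is not used.
func (a *Authenticator) Sign(rpID string, userVerified bool, challenge []byte, amount, payee string) ([]byte, error) {
	if !userVerified {
		return nil, errors.New("local user verification failed")
	}
	priv, ok := a.keys[rpID]
	if !ok {
		return nil, errors.New("no credential registered for " + rpID)
	}
	return ecdsa.SignASN1(rand.Reader, priv, signedDigest(rpID, challenge, amount, payee))
}

// signedDigest is the message both sides agree on: relying-party identity, the
// random challenge (replay protection) and the transaction details (dynamic
// linking). Fields are length-prefixed so that shifting characters between
// amount and payee cannot produce the same digest.
func signedDigest(rpID string, challenge []byte, amount, payee string) []byte {
	h := sha256.New()
	for _, field := range [][]byte{[]byte(rpID), challenge, []byte(amount), []byte(payee)} {
		h.Write([]byte{byte(len(field) >> 8), byte(len(field))})
		h.Write(field)
	}
	return h.Sum(nil)
}

// RelyingParty is the provider's server. It holds public keys only, so a
// database breach yields nothing an attacker could sign with.
type RelyingParty struct {
	ID      string
	pubKeys map[string]*ecdsa.PublicKey // user -> public key
}

func NewRelyingParty(id string) *RelyingParty {
	return &RelyingParty{ID: id, pubKeys: map[string]*ecdsa.PublicKey{}}
}

func (rp *RelyingParty) Enroll(user string, pub *ecdsa.PublicKey) { rp.pubKeys[user] = pub }

// NewChallenge issues 32 random bytes that are valid for exactly one transaction.
func (rp *RelyingParty) NewChallenge() ([]byte, error) {
	c := make([]byte, 32)
	_, err := rand.Read(c)
	return c, err
}

// Verify accepts the code only if it was made with the user's registered key
// over this challenge and exactly this amount and payee.
func (rp *RelyingParty) Verify(user string, challenge []byte, amount, payee string, code []byte) bool {
	pub, ok := rp.pubKeys[user]
	if !ok {
		return false
	}
	return ecdsa.VerifyASN1(pub, signedDigest(rp.ID, challenge, amount, payee), code)
}

func main() {
	phone := NewAuthenticator()
	bank := NewRelyingParty("bank.example") // constructed relying-party ID
	pub, _ := phone.Register(bank.ID)
	bank.Enroll("alice", pub)

	challenge, _ := bank.NewChallenge()
	code, _ := phone.Sign(bank.ID, true, challenge, "250.00 EUR", "payee-account-A")
	fmt.Println("genuine transaction accepted:", bank.Verify("alice", challenge, "250.00 EUR", "payee-account-A", code))
	// A man-in-the-browser that swaps the payee after signing is rejected:
	fmt.Println("altered payee accepted:      ", bank.Verify("alice", challenge, "250.00 EUR", "payee-account-B", code))
}
```

The point to take from the example is in `signedDigest`: because the amount and payee are inside the signed message, the provider can only accept the exact transaction the user confirmed on the device, and because the challenge is random and single-use, a captured code cannot be replayed for a second payment. Registering with a second relying party yields a second, unrelated key pair, which is why one phone can serve several providers without those providers sharing any secret.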
Conclusion: front door key for mobile security
Currently, numerous companies and services such as Google, PayPal, Bank of America, NTT Docomo, BC Card (Korea), Microsoft, Dropbox, GitHub, AliPay, Ebay, Samsung and Facebook already rely on the procedure developed by the FIDO Alliance. Manufacturers such as NEVIS Security AG offer appropriately tested and certified security solutions. Thus, the most widespread "toy" of mankind may also become its most widespread security aid next to the front door key.