Mobile Two-factor Two-channel Authentication with Contract
Nowadays there are no universal strong authentication services available in the Internet, i.e. all authentication methods are either service related or shared between multiple services and they use password authentication. Users are frustrated with various usernames and passwords and they know how unsecure passwords are.
Mobile Signature Service is the only technology which can implement a universal strong authentication service. Actually there are no competing open standard technologies available.
Because user authentication is critical infrastructure for banks and institutions, they doubt the Mobile Signature Service which is under mobile operator control. Therefore we believe that mobile operators should play with fair game rules – Mobile Signature Service is not only an enabling service for a mobile operator but also critical infrastructure for application providers.
Mobile Signature Service has four major assets:
- Two-factor authentication: “Something you have and something you know” is a fundamental requirement for the strong two-factor authentication.
- Separate authentication channel: The user accesses the service for example over the internet and the authentication happens using the mobile network. No user plain credentials (like passwords or PIN entries) are transferred over either channel.
- Built-in revocation support: If the user loses his/her mobile phone, the mobile operator can disconnect the device immediately from the network. This makes mobile phone SIM cards more secure PKI devices than any other phone plugged PKI token.
- Ubiquitous multipurpose device: Users take their mobile phones everywhere and they take care of them. No one wants to take care of separate tokens.
Mobile Signature Service as defined in SAML2 authentication context consists of following properties from a mobile user point-of-view:
- Mobile – you can carry it with you
- Two-factor – you can trust on security, what you have (SIM card) and what you know (SPIN)
- Two-channel – you can use a service channel you prefer and a separate wireless communication channel for authentication, always the same authentication experience
- Contract – you make a mobile subsribtion contract with your mobile service operator
From the Application Provider’s point-of-view authentication context can be defined as following:
- Mobile – Service with authentication can be used everywhere
- Two-factor – user identity has a high level of assurance
- Two-channel – Service authentication sequence flow is simple
- Contract – no need to maintain users’ tokens, passwords or any other credentials or provide authentication service helpdesk