Smart phones and tablets are bringing great advances in computing, not just in the realm of form factors and mobility, but also in the areas of man-machine interaction and software architecture. But mobile devices have also created a challenge in the area of user authentication.
Passwords on mobile devices are difficult to enter, and they are less secure than on desktops or laptops because users are motivated to choose simpler passwords, and because characters are echoed as they are typed. One-time passwords are used more often on mobile devices to compensate for the diminished security of ordinary passwords, but they are even more cumbersome, and they provide only limited additional security.
We have invented a new authentication architecture for mobile devices that encapsulates cryptographic functionality in a Prover Black Box (PBB) located in the mobile device and a Verifer Black Box (VBB) located online, thus insulating developers of web-based as well as native mobile applications from the complexities of cryptography. It is described in the technical whitepaper
As the title indicates, our approach that we follow is really comprehensive. It encompasses public key certificates, U-Prove tokens, Idemix anonymous credentials, third-party login including social login, and returning user authentication with an uncertified key pair.
We have also invented, and integrated into the architecture, a technique for multifactor returning-user authentication where an uncertified key pair is regenerated from a protocredential and secrets supplied by the user such as a PIN and/or a biometric sample. The technique, described in the same paper, protects the private key against an adversary who captures the user’s mobile device without requiring tamper resistance.
The earlier paper
discusses how our authentication approach could be used for cryptographic and biometric authentication of Federal employees and contractors using mobile applications. See also the blog post
We made a presentation on the early stages of our mobile authentication work at the 2012 Cryptographic Key Management Workshop, followed by a more detailed presentation at the Internet Identity Workshop (IIW 15).
An important benefit of our multifactor authentication technique is that it provides an effective means of protecting data stored in a mobile device that has been lost or stolen. The data is encrypted under a (symmetric) data encryption key that is stored online and retrieved when the user turns on the device and authenticates with two- or three-factor authentication. The key can be entrusted to an online server provided by the mobile network operator, or by the mobile device manufacturer, or by the provider of the mobile operating system, or by an independent data protection service provider trusted by the user. It can also be split using Shamir’s secret sharing technique into n “portions” entrusted to n different servers, so that k portions are needed to reconstruct the key. For example, with n = 5 and k = 3, portions of the key can be distributed to 5 different servers, and any 3 of those portions can be used to reconstruct the key. Details can be found in the above-mentioned Comprehensive Approach paper as well as in the earlier paper