User Authentication and Data Protection on Mobile Devices

Smart phones and tablets are bringing great advances in computing, not just in the realm of form factors and mobility, but also in the areas of man-machine interaction and software architecture. But mobile devices have also created a challenge in the area of user authentication.

Passwords on mobile devices are difficult to enter, and they are less secure than on desktops or laptops because users are motivated to choose simpler passwords, and because characters are echoed as they are typed. One-time passwords are used more often on mobile devices to compensate for the diminished security of ordinary passwords, but they are also cumbersome and provide only limited additional security.

We have invented a new authentication architecture for mobile devices that encapsulates cryptographic functionality in a Prover Black Box (PBB) located in the mobile device and a Verifer Black Box (VBB) located online, thus insulating developers of web-based as well as native mobile applications from the complexities of cryptography. It is described in the technical whitepaper

As the title indicates, the approach that we follow is really comprehensive. It encompasses public key certificates, U-Prove tokens, Idemix anonymous credentials, third-party login including social login, and returning user authentication with an uncertified key pair.

We have also invented, and integrated into the architecture, a technique for multifactor returning-user authentication where an uncertified key pair is regenerated from a protocredential and secrets supplied by the user such as a PIN and/or a biometric sample. The technique, described in the same paper, protects the private key against an adversary who captures the user’s mobile device without requiring tamper resistance.

Data Protection

An important benefit of our multifactor returning-user authentication technique is that it provides an effective means of protecting data stored in a mobile device that has been lost or stolen. The data is encrypted under a (symmetric) data encryption key that is stored in a secure back-end. The authentication technique is used to authenticate to the back-end and retrieve the key. The back-end may be an online server provided by the mobile network operator, or by the mobile device manufacturer, or by the provider of the mobile operating system, or by an independent data protection service provider trusted by the user. Details can be found in the above-mentioned Comprehensive Approach paper as well as in the earlier paper

Relationship to Derived Credentials

Our work on derived credentials is based on the idea of credential regeneration from a protocredential and user-supplied secrets. As explained in a separate page, we proposed first a derived credentials architecture that used the regenerated key pair as a derived credential, as well as a PBB and a VBB; more recently we have proposed an alternative architecture that securely stores credentials of the same kind as those in a PIV/CAC card, including authentication and secure mail credentials, using the data protection technique.