Subscribe / Unsubscribe Enewsletters | Login | Register

Pencil Banner

NIST: In mobile authentication, think hardware, not software

Evan Schuman | Aug. 23, 2017
The National Institute of Standards and Technology is trying to bolster ecommerce authentication on desktops and mobile devices.

NIST: In mobile authentication, think hardware, not software
Credit: Thinkstock 

Retail is in an awkward in-between stage when it comes to online security. In shifting their purchasing to online options, shoppers are using both desktop computers and mobile devices. Had they moved straight to mobile, authentication options would be numerous, including selfies and other biometric authentication such as fingerprints.

But the National Institute of Standards and Technology's National Cybersecurity Center of Excellence (NCCoE) is trying to bolster security and authentication on desktops and mobile devices. It was spurred to tackle its Multifactor Authentication for e-Commerce project because of the realization that increased security in the physical world (with such steps as cards with EMV chips) means thieves are going to start to focus more on card-not-present transactions.

According to the NCCoE, its recommendation for initiating multifactor authentication borrows from a technique that is already widely used on retail sites. A user could start shopping online with minimally invasive authentication - simply username and password or even auto-login. But as circumstances merit, more could be required. That decision would be based on factors such as "the nature of the product, a known IP address associated with the customer, typical geolocation, and consistency with past patterns of online purchases," NIST said. In other words, your shopping history and use of various devices at various locations would be analyzed to see if you are behaving unusually - and perhaps are not you.

What is interesting is the nature of the additional authentication the NCCoE recommends.

With desktop ecommerce today, secondary authentication often involves texting a one-time code to a mobile device - a not terribly secure approach, since the text can be intercepted. A better approach would be to authenticate the desktop device itself via such details as OS version, apps that are loaded, serial numbers of those apps, number of images stored, number and names of songs stored, and folder names.

Steven Sprague is the CEO of Rivetz, one of the vendors working with the NCCoE on this effort. Sprague argues that a lot of mobile authentication efforts make the mistake of functioning within software.

"Software code is easily altered, and memory can be copied," he said. "The [whole] software process can be observed. You simply cannot hide a secret in the operating system. It's time to finally do it correctly, with hardened keys within the device." 

Like so much in mobile today, Apple has been leading this fight, starting with the iPhone's hardware chip-based secure element.

But to be fair, Apple has a far easier path to hardware security because it has complete control over all iOS devices. That's far from the case in the Google Android world, where it's all handset manufacturers for themselves.


1  2  Next Page 

Sign up for CIO Asia eNewsletters.