Millions of people utilize smartphones, tablets, and other mobile computing devices to perform various tasks. Some tasks may not pose major security risks, for example, taking photographs with the camera of the mobile device. However, some tasks may pose security risks, for example, utilizing the mobile device in order to access an online banking website, or to perform electronic commerce (E-commerce) transactions or mobile payment (M-payment) transactions.
Some of the threats posed to a user of a mobile device may include, for example, a “phishing” scam in which an attacker presents to the user a mock web-page impersonating a legitimate banking site. The user may be induced into entering his username and password on the mock web-page, thereby allowing the attacker to capture the username and password, which may then be used by the attacker to impersonate the real user and log in to the real banking site.
Furthermore, mobile devices utilized in a corporate environment, and particularly in accordance with a “bring your own device” (BYOD) organizational policy, may expose both the user and the entire organization to risks of data loss or monetary loss. For example, an attacker may capture the username and password of a user and may utilize them to log in to a corporate network or resource.
Some websites and some corporate organizations may require a password to have a minimum length (e.g., at least 8 characters) and/or a required entropy (e.g., having at least one letter and at least one digit). However, many users are incapable of memorizing a cumbersome password, and end up choosing a weak password which may be easily cracked by a brute-force attack, or otherwise guessed. This is particularly true for users of mobile devices, in which the physical keyboard or the virtual (on-screen) keyboard is of a small form factor, which renders password entry tedious and effort-consuming. Furthermore, even a “strong” password may be captured from many users by an attacker who operates a “phishing” scam, or who utilizes a software-based keylogger malware application.
Public-Key Infrastructure (PKI) attempts to mitigate security problems by utilizing digital certificates issued by a Certificate Authority (CA). However, cryptography-based authentication via PKI requires a cumbersome user enrollment process, often lacks a key repository at the client side, and often lacks a unified user experience.
Furthermore, securing the authentication process between the user of a mobile device and a service may not suffice to fully protect the user. For example, the service may provide confidential data which may be cached or stored in the mobile device, or may be captured by other applications (e.g., legitimate applications or malware modules) which may be running on the mobile device and which may optionally transmit the captured data over a communication network to a remote location. This problem may be partially mitigated by encryption of locally-stored or locally-cached data. However, the encryption often utilizes a weak user-selected password, which may be cracked by a brute-force attack, a dictionary attack, or a keylogging module. Other encryption methods may be circumvented by a module which searches the mobile device for a locally-stored copy of the encryption key.