The present invention generally relates to security in services provided to mobile communication device users in a communications network. More specifically, it relates to the authentication of mobile device users based on electromagnetic field measurement and on the use of a magnetic object (also called a magnetic token) associated with the user.
Mobile communication devices (also called mobile devices), such as cellular or mobile telephones, tablets, i-pads, notebooks . . . are used more and more every day. These devices are used not only to place telephone calls but for an enormous range of services. The use of mobile communication devices to provide an ever wider range of services makes essential a security environment in which the mobile device user (to whom the service is provided) is univocally identified, in order to ensure that the service is provided to the correct user and not to an unauthorized user.
The need to identify users consuming different types of services is closely related to the prevention of identity theft, but privacy must also be taken into account. It is therefore of extreme interest to establish whether users are who they claim to be, but it is just as important to keep the information exchanged in such a process confidential.
The user identification process is usually based on some credentials, whose ownership and verification make it possible to check the user's identity. The credentials used are usually issued by a trusted authority and are theoretically impossible (or at least extremely difficult) to falsify, which allows determining whether the user corresponds to who they claim to be or not.
The user identification process is built on top of the so-called validation or authentication mechanisms. Such mechanisms are designed to validate some information that the user brings in order to access the requested (digital) services. The carried information (which the user provides to the authentication mechanism to be validated) usually falls into one of the following categories: something that the user knows (e.g., a secret keyword), something that the user owns (e.g., a physical object, also called a physical token, like a smartcard, a SIM card, an NFC tag . . . ), something that the user is (e.g., any measurable physical feature that univocally identifies the user, like fingerprints or iris identification), something that the user does (e.g., motion patterns), or somewhere that the user is (e.g., being in a specific location). This information is what is known as an identifier or digital credential. Sometimes a combination of information belonging to several of these categories is used, in order to improve security.
It is important to notice that in the digital world a physical check of the user may not be performed. As such, there exists a high probability that leaked credentials are used for identity fraud. In order to minimize such probability of fraud, identification (authentication) systems require the combination of different kinds of information (information belonging to different categories among the ones stated in the previous paragraph, or belonging to the same category but being of different types, for example fingerprints and iris identification) in order to obtain resilient results, thereby improving security. Each kind of information used in the process is referred to as an “authentication factor” or “identification factor”. The different authentication factors used may be carried over different and independent channels, in order to guarantee the robustness of the identification solution. For instance, a password may be required through an HTTPS-based connection, while biometric information may be required through a mobile phone. In this way, an attacker willing to access the service by impersonating the real user would have to attack the system executing the browser and the HTTPS channel to obtain the password, and, moreover, attack the mobile phone or its connection with the target system.
These independent channels used to transmit the different authentication factors are known as side-channels or out-of-band channels. Many different proposals exist to implement such side-channels, although the growing use of mobile phones in recent years makes solutions based on that technology the prevailing ones. As such, for example, SMS, HTTPS, SSL (Secure Sockets Layer) and other mobile communications technologies are among the most frequently used technologies to implement the transmission of different authentication factors. Equally, the most used authentication factors follow the evolution of smart phones and exploit the growing number of functionalities they embed and their growing precision. In particular, cameras, microphones, accelerometers, capacitive screens and peripherals (e.g., stylus) are all used to support authentication factors in user identification solutions, usually based on biometry. On the other side, communications technologies such as Bluetooth, NFC (Near Field Communications) and similar are generally used to support authentication factors based on “something that the user owns”, like a hardware token (NFC card, etc.). In this case, the hardware token transmits its identification to the authentication system using any of these technologies (Bluetooth, NFC . . . ).
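The two preceding paragraphs describe combining a knowledge factor (a password sent over an HTTPS channel) with a possession factor (a hardware token answering over a second channel), so that stealing one credential is not enough. The following is an added worked example, not code from the patent or from any product it describes: it models the verifier side with a salted PBKDF2 password check and an HMAC challenge-response for the token, and shows that a stolen password alone, or a replayed token response, both fail. The user name, password, salt and token secret are constructed sample values.

```python
import hashlib
import hmac
import secrets

# --- Constructed sample enrolment data (assumption: not from the page) ---
# "alice" knows a password; her token holds a 32-byte secret provisioned by
# the service at enrolment time, which it never transmits directly.
PASSWORD_SALT = bytes.fromhex("00112233445566778899aabbccddeeff")
TOKEN_SECRET = bytes.fromhex("deadbeef" * 8)
PBKDF2_ITERATIONS = 100_000


def hash_password(password: str, salt: bytes) -> bytes:
    """Slow, salted hash so a leaked database does not reveal passwords."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


ENROLLED = {
    "alice": {
        "salt": PASSWORD_SALT,
        "pw_hash": hash_password("correct horse battery staple", PASSWORD_SALT),
        "token_secret": TOKEN_SECRET,
    }
}


def verify_knowledge_factor(user: str, password: str) -> bool:
    """Factor 1: 'something the user knows', received over the HTTPS channel."""
    rec = ENROLLED.get(user)
    if rec is None:
        # Hash anyway so response time does not reveal whether the user exists.
        hash_password(password, PASSWORD_SALT)
        return False
    return hmac.compare_digest(hash_password(password, rec["salt"]), rec["pw_hash"])


def issue_challenge() -> bytes:
    """Fresh random nonce per login; a captured response is useless later."""
    return secrets.token_bytes(16)


def token_respond(token_secret: bytes, challenge: bytes) -> bytes:
    """Runs on the token / mobile side: proves possession of the secret."""
    return hmac.new(token_secret, challenge, "sha256").digest()


def verify_possession_factor(user: str, challenge: bytes, response: bytes) -> bool:
    """Factor 2: 'something the user owns', received over the second channel."""
    rec = ENROLLED.get(user)
    if rec is None:
        return False
    expected = hmac.new(rec["token_secret"], challenge, "sha256").digest()
    return hmac.compare_digest(expected, response)


def authenticate(user: str, password: str, challenge: bytes, response: bytes) -> bool:
    """Both factors must pass; both are evaluated so failure does not short-circuit."""
    knows = verify_knowledge_factor(user, password)
    owns = verify_possession_factor(user, challenge, response)
    return knows and owns


def demo() -> tuple:
    """Returns (legitimate login, password-only attempt, replayed token response)."""
    ch1 = issue_challenge()
    legit = authenticate("alice", "correct horse battery staple", ch1,
                         token_respond(TOKEN_SECRET, ch1))
    # Password obtained from the browser channel, but no token in hand.
    ch2 = issue_challenge()
    password_only = authenticate("alice", "correct horse battery staple", ch2,
                                 token_respond(b"not-the-token", ch2))
    # Old token response captured on the second channel and replayed to a new challenge.
    old_response = token_respond(TOKEN_SECRET, ch1)
    ch3 = issue_challenge()
    replayed = authenticate("alice", "correct horse battery staple", ch3, old_response)
    return legit, password_only, replayed


if __name__ == "__main__":
    print(demo())  # (True, False, False)
```

The per-login challenge is what makes the second channel worth having: because the token signs a nonce rather than sending a static identifier, an attacker who records one exchange on the side-channel gains nothing for the next login, and the password alone never satisfies `authenticate`.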
The effectiveness of one identification/authentication solution compared with another cannot be measured only in terms of security, since many of them are equivalent in that respect, but must also account for usability, ease of implementation, cost and energy consumption. Only by taking all these aspects into account at the same time is it possible to obtain wide adoption of the authentication solution by the users.
Hence, there is a need for a technical solution for authenticating mobile device users in a highly reliable way that, at the same time, is usable, easy to implement, simple, cheap and has minimum energy consumption.