The present invention relates to improving security for a mobile device using a host computer system, improving identity and access management for a mobile device, and improving user authentication for a mobile device.
Computer security is improved by requiring potential users to provide so-called “two factor authentication”: two independent components to prove the user's identity. Typically, the first factor is something that the user knows, such as a password, while the second factor is something that the user has, such as a magnetic stripe card or a “smart card” that includes a computer chip, sometimes referred to as a personal identity verification (PIV) card or common access card (CAC). However, when a user uses a mobile device, such as a smartphone, to access a computer system, there are difficulties in using a card: mobile phones are generally unable to read magnetic stripe cards or smart cards, and it is undesirable to require that a user carry an external card reader device.
In mobile telephony, the integrated circuit that stores the subscriber's identity is referred to as a subscriber identity module (SIM), and is designed to be transferred between mobile devices. The SIM is an application residing on a universal integrated circuit card (UICC), which is itself a physical smart card. A SIM card contains its unique serial number (ICCID), the international mobile subscriber identity (IMSI), the authentication and ciphering key material used to authenticate the subscriber to the network, temporary information related to the local network, a list of the services the user has access to, and two secrets: a personal identification number (PIN) for ordinary use, and a personal unblocking code (PUC), also called the PIN unlock key (PUK), for unblocking the SIM after too many incorrect PIN entries.
The National Institute of Standards and Technology (NIST), responding to a directive for a common identification standard to promote interoperable authentication mechanisms at graduated levels of security based on the environment and the sensitivity of data, coined the term “derived credentials” (DC), later updated to “derived PIV credentials” (DPC), to refer to cryptographic credentials that are derived from those in a PIV card or CAC and carried on a mobile device instead of the card. Thus, DC are a “soft token” carried on the mobile device itself. The mobile device becomes the second factor: what you have. The first factor, what you know, is the password that the user provides to unlock the soft token. Once unlocked, the soft token uses the stored DC (a private key and its certificate) to prove the user's identity to the relying system, which in turn checks that the certificate chains to the issuing Certificate Authority and has not been revoked, for example by querying the Certificate Authority's certificate status service. DC thus bring authentication from mobile devices up to the levels of security demanded by government agencies.
NIST Special Publication 800-157 allows a user to request a DC by authenticating with their existing PIV smart card instead of undergoing a new face-to-face identity verification, for credentials up to Level of Assurance (LOA) 3; issuance at LOA 4 still requires in-person identity proofing. On typical smartphones, there are four storage options for the DC: (i) the device's native key store in non-volatile memory, (ii) a removable MicroSD card, (iii) the UICC/SIM card, and (iv) a software token embedded within an application.
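The soft-token flow described above, as an added example that is not part of the patent text or of any product it names: a Go program in which the password (what the user knows) unlocks an ECDSA private key that only this device holds (what the user has), and the relying party verifies the resulting signature over a fresh challenge. The password, user-facing strings, PBKDF2 iteration count, and the choice of P-256 with AES-256-GCM key wrapping are assumptions made for the example; the certificate issued by the agency CA and the status check against that CA are outside this block, so here the relying party simply holds the public key registered at provisioning. It uses only the Go standard library (Go 1.20 or newer for crypto/subtle.XORBytes).

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"crypto/x509"
	"fmt"
)

// pbkdf2 is PBKDF2-HMAC-SHA256 (RFC 8018) for a single 32-byte output block,
// written out so that the example needs only the standard library. It turns
// the unlock password (what the user knows) into the key-wrapping key.
func pbkdf2(password, salt []byte, iter int) []byte {
	mac := hmac.New(sha256.New, password)
	mac.Write(salt)
	mac.Write([]byte{0, 0, 0, 1}) // INT(1): index of the first (only) output block
	u := mac.Sum(nil)
	t := append([]byte{}, u...)
	for i := 1; i < iter; i++ {
		mac.Reset()
		mac.Write(u)
		u = mac.Sum(nil)
		subtle.XORBytes(t, t, u)
	}
	return t
}

// SoftToken is the derived credential as the phone stores it: the ECDSA
// private key sealed with AES-256-GCM under the password-derived key, plus
// the public key the relying party registered at provisioning. The private
// key is never at rest in plaintext, so a copy of the phone's storage alone
// yields no usable credential; the device itself is what the user has.
type SoftToken struct {
	Salt, Nonce, WrappedKey []byte
	PublicKey               *ecdsa.PublicKey
}

const kdfIterations = 100000 // assumed for the example; tune to the device

func wrappingAEAD(password string, salt []byte) cipher.AEAD {
	block, _ := aes.NewCipher(pbkdf2([]byte(password), salt, kdfIterations))
	gcm, _ := cipher.NewGCM(block)
	return gcm
}

// NewSoftToken is provisioning: generate the device key and seal it under the
// user's password. In a DPC deployment the public key would also be sent to
// the agency CA for certification; that step is outside this block.
func NewSoftToken(password string) *SoftToken {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	keyDER, _ := x509.MarshalECPrivateKey(key)
	tok := &SoftToken{Salt: make([]byte, 16), Nonce: make([]byte, 12), PublicKey: &key.PublicKey}
	rand.Read(tok.Salt)
	rand.Read(tok.Nonce)
	tok.WrappedKey = wrappingAEAD(password, tok.Salt).Seal(nil, tok.Nonce, keyDER, nil)
	return tok
}

// SignChallenge exercises both factors: the password unwraps the key (a wrong
// one fails GCM authentication, so nothing partial leaks), and only the device
// holding WrappedKey can then sign the server's challenge.
func (t *SoftToken) SignChallenge(password string, challenge []byte) ([]byte, error) {
	keyDER, err := wrappingAEAD(password, t.Salt).Open(nil, t.Nonce, t.WrappedKey, nil)
	if err != nil {
		return nil, fmt.Errorf("wrong password: token stays locked")
	}
	key, err := x509.ParseECPrivateKey(keyDER)
	if err != nil {
		return nil, err
	}
	digest := sha256.Sum256(challenge)
	return ecdsa.SignASN1(rand.Reader, key, digest[:])
}

// VerifyChallenge is the relying party's check: the signature must cover the
// exact nonce it issued for this login, so a captured signature cannot be replayed.
func VerifyChallenge(pub *ecdsa.PublicKey, challenge, sig []byte) bool {
	digest := sha256.Sum256(challenge)
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}

func main() {
	tok := NewSoftToken("correct horse battery staple") // constructed demo password
	challenge := make([]byte, 32)                       // the server's per-login nonce
	rand.Read(challenge)
	sig, err := tok.SignChallenge("correct horse battery staple", challenge)
	fmt.Println("unlocked:", err == nil, "verified:", VerifyChallenge(tok.PublicKey, challenge, sig))
	_, err = tok.SignChallenge("password123", challenge)
	fmt.Println("wrong password:", err)
}
```

The wrong-password path is deliberately indistinguishable from a corrupted store: GCM's tag check fails and no key bytes are released, which is the property that lets the device count as a second factor rather than a password-only login. A deployment would additionally rate-limit unlock attempts or keep the wrapped key inside the hardware key store listed among the storage options below.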
A DC management system must control the issuance, maintenance and revocation of mobile credentials in a simple and secure manner, allowing large organizations to scale to enterprise-wide deployment. Examples of DC management systems are: (a) MyID from Intercede, (b) IdExchange from CyberArmed, (c) Entrust Identity Guard from Entrust DataCard, (d) Digital Authentication Framework with MyID Authenticator from Good Technology, and (e) Unified Credential Management System from SecuEra Cryptovision.
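The issuance and revocation lifecycle that a DC management system must control, together with the relying party's check against the Certificate Authority described earlier for derived credentials, as an added example that is not part of the patent text or of any product listed above: a Go program with a constructed in-process CA that issues an X.509 derived credential for a device key, publishes a signed CRL, and revokes a serial number; the relying party chains the presented certificate to the CA, looks its serial up in the CA-signed CRL, and verifies the device's signature over a challenge. The CA name, user name, serial numbers, one-year credential lifetime and one-day CRL lifetime are assumptions for the example; a deployed system would fetch the CRL (or an OCSP response) from the CA over the network rather than calling it in process. Standard library only; the RevocationListEntry type needs Go 1.21 or newer.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// DerivedCredentialCA stands in for the agency CA behind a DC management system:
// it certifies device keys and publishes a signed CRL. Constructed for this example.
type DerivedCredentialCA struct {
	Cert    *x509.Certificate
	key     *ecdsa.PrivateKey
	revoked []x509.RevocationListEntry
}

func NewDerivedCredentialCA() *DerivedCredentialCA {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Agency DPC CA"},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(10 * 365 * 24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	cert, _ := x509.ParseCertificate(der) // the parsed copy carries the generated SubjectKeyId the CRL needs
	return &DerivedCredentialCA{Cert: cert, key: key}
}

// Issue certifies a device public key as a derived PIV credential valid for one year.
func (ca *DerivedCredentialCA) Issue(user string, serial int64, pub *ecdsa.PublicKey) ([]byte, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: user},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(365 * 24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature,
	}
	return x509.CreateCertificate(rand.Reader, tmpl, ca.Cert, pub, ca.key)
}

// Revoke records a serial number (lost phone, departed employee) for the next CRL.
func (ca *DerivedCredentialCA) Revoke(serial int64) {
	ca.revoked = append(ca.revoked, x509.RevocationListEntry{SerialNumber: big.NewInt(serial), RevocationTime: time.Now()})
}

// CRL publishes the signed revocation list; the signature is what lets a relying party
// trust a status answer it fetched over the network. CRL numbers must increase; the wall clock suffices here.
func (ca *DerivedCredentialCA) CRL() ([]byte, error) {
	tmpl := &x509.RevocationList{Number: big.NewInt(time.Now().UnixNano()), ThisUpdate: time.Now(),
		NextUpdate: time.Now().Add(24 * time.Hour), RevokedCertificateEntries: ca.revoked}
	return x509.CreateRevocationList(rand.Reader, tmpl, ca.Cert, ca.key)
}

// ValidateLogin is the relying party: chain the presented certificate to the CA, look its
// serial up in the CA-signed CRL, then verify the device's signature over the challenge.
func ValidateLogin(caCert *x509.Certificate, crlDER, certDER, challenge, sig []byte) (string, error) {
	cert, err := x509.ParseCertificate(certDER)
	if err != nil {
		return "", err
	}
	roots := x509.NewCertPool()
	roots.AddCert(caCert)
	if _, err = cert.Verify(x509.VerifyOptions{Roots: roots}); err != nil {
		return "", err // wrong issuer, expired, or not yet valid
	}
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil || crl.CheckSignatureFrom(caCert) != nil {
		return "", fmt.Errorf("CRL is malformed or not signed by our CA") // a foreign list proves nothing
	}
	for _, e := range crl.RevokedCertificateEntries {
		if e.SerialNumber.Cmp(cert.SerialNumber) == 0 {
			return "", fmt.Errorf("credential %v of %s is revoked", cert.SerialNumber, cert.Subject.CommonName)
		}
	}
	digest := sha256.Sum256(challenge)
	if !ecdsa.VerifyASN1(cert.PublicKey.(*ecdsa.PublicKey), digest[:], sig) {
		return "", fmt.Errorf("signature does not match challenge")
	}
	return cert.Subject.CommonName, nil
}

func main() {
	ca := NewDerivedCredentialCA()
	deviceKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // the phone's key
	certDER, _ := ca.Issue("alice@agency.example", 42, &deviceKey.PublicKey)
	challenge := []byte("server-nonce-0001") // constructed; a real server draws this at random
	digest := sha256.Sum256(challenge)
	sig, _ := ecdsa.SignASN1(rand.Reader, deviceKey, digest[:])
	crl, _ := ca.CRL()
	fmt.Println(ValidateLogin(ca.Cert, crl, certDER, challenge, sig))
	ca.Revoke(42) // the phone is reported lost
	crl, _ = ca.CRL()
	fmt.Println(ValidateLogin(ca.Cert, crl, certDER, challenge, sig))
}
```

Two details carry the security weight: the CRL signature is checked against the same CA that issued the credential before any serial is trusted, and a valid certificate from an unrelated CA fails the chain check even though its signature over the challenge is mathematically correct. Scaling this to an enterprise is then a question of how quickly revocations reach relying parties, which is what the NextUpdate interval (or an OCSP responder) governs.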
There is room for improvement in DC management systems.