Providers of services in electronic channels are faced with the challenges of authenticating the users of their services. The ability to provide secure user authentication is necessary for many electronic services.
Service providers that require strong user authentication often issue one or several authentication factors to a user, which the service provider later can use to authenticate the user. If the user is issued with more than one authentication factor, and the user is required to provide all authentication factors at an authentication incident, the risk of false incidents is greatly reduced. If, in addition, the authentication factors are of different nature, and each give a unique identification of the user, and the authentication data produced are secret to others than the user and the service provider, the authentication solution becomes what is known in the art as a strong multifactor authentication solution.
Authentication factors commonly used are a knowledge factor (‘something you know’, like a password or PIN code) and a possession factor (‘something you have’, like an electronic one time password generator, a security client with private encryption keys stored in computer memory or on a chip card, printed lists of onetime pass codes and others). In addition, biometric data (‘something you are’, like digital representations of a fingerprint or Iris scan) is sometimes used as an authentication factor.
Possession factors are often physical of nature, like chipcards, password calculators/tokens, or scrap cards. Issuing physical possession factors represents often a significant cost for service providers and is often viewed as inconvenient by the users. Therefore, it can be of interest to service providers and users to utilise a general available personal data terminal already in the hands of the user as a secure possession factor. Examples of personal terminals that can be attractive to utilise as possession factors are mobile phones, portable computers, handheld computers like PDAs and smartphones and personal entertainment terminals.
Several methods where personal data terminals are used for user authentication are known. One known method is where a service provider registers the mobile subscription numbers of users and in an authentication process distributes a shared secret to the mobile terminal of the user, requiring the user to return the shared secret in another electronic channel. The weaknesses with this method are that the sender (service provider) can not verify the identity of the receiving party (user), the shared secret is produced on a server; hence there is no reference to a possession factor in the authentication response and the mobile device is used as a communication terminal only. Finally, the mobile terminal is not regarded as a safe environment for containing shared secrets; for example shared secrets can be divulged in the network or read by, or redistributed to, another party from the mobile terminal.
US 2003/0204726 A1 provides such a method where the shared secret, or authentication response, is distributed in encrypted format to a mobile terminal. The encrypted authentication response is then transferred from the mobile terminal to a client, the client is holding the encryption key and the client can therefore decrypt the authentication response. In US 2003/0204726 A1 an encryption key is distributed between the client and the server at every authentication incident. A method where the encryption key is not transmitted at every authentication incident would represent a method with improved security.
Another method involves the implementation of a security element (like a 3DES client or a PKI client) in a personal data terminal memory, the security element containing user sensitive data. The possession factor in this method is the user sensitive data, for example private encryption keys. The security element can be encrypted by a knowledge factor (a PIN or a password). One problem with this method is that the security element can be copied and the user sensitive data may be revealed by for example a trial-and-error attack on the knowledge factor. Copies of the user sensitive data can be produced, thereby reducing the reliability of this method as a secure possession factor.
Mobile terminals of the GSM-standard and others have a chip card installed, a SIM card, where mobile operators store mobile subscriber authentication data and other network data. The SIM card is a tamper resistant hardware token and is a secure storage container for security elements. Thus, the SIM card is a secure possession factor in a mobile terminal. The limitations of using the SIM card as a possession factor for service providers is that the SIM card is not an open platform, and access to the SIM requires agreements with the mobile operators. Opening up the SIM to other service providers can expose the SIM to new security threats, and/or it is costly for service providers to meet the security requirements of mobile operators in order to being allowed access to the SIM. The SIM card offers limited memory capacity and a complicated provisioning and life cycle management. For example, the life time of a SIM-based security element issued by a service provider will end when the mobile operator or subscriber changes SIM.
The IMEI code is an example of a code being unique, associated with the personal terminal and residing in the personal terminal. Other examples of such codes are a MAC, a processor number, an Electronic product code—EPC or a SIM serial number—SSN. But, these codes being unique, associated with the personal terminal and residing in the personal terminal, they are not secret and they can be read and copied into other environments. If these codes are used as the only representation of a user's possession factor, they can be used to produce false incidents by skilled intruders who have obtained copies of the codes. Such a method is described in Patent Application NO20050152 where a reproducible security code for user authentication is produced by means of a programmable user device in which an equipment identifier uniquely identifying the user device is pre-stored, and using the equipment identifier as a representation of the possession factor in a user authentication.
A method of utilising mobile terminals for user authentication is described in WO 01/31840A1 where the IMEI of a mobile terminal is utilised as the representation of the physical element, or the possession factor, in the authentication solution. The method of WO 01/31840A1 does not include methods for protection against the threats of producing false incidents based on copies of the codes being unique, associated with the personal terminal and residing in the personal terminal, nor it is describing any methods of authenticity control of the originator and receiver of the arrangement to further protect the method from malicious attacks. The method is based on storing and using user authentication data on the receiving end, thereby adding additional risk of exposing user authentication data to intruders. Finally, the method relies on using time as the only undisclosed element in the calculation of the user authentication data (the one time password), time being a variable that is relatively easy to determine, and where there are no known solutions for synchronising the clock of a mobile terminal handset with other systems, making it difficult to produce a long and unpredictable variable based on time in a user authentication arrangement on a mobile terminal.
US 2003/0236981 and US 2004/0030906 describe a method where the use of a code being unique, associated with the personal terminal and residing in the personal terminal, the IMEI of a mobile terminal, is used to protect a personal data terminal against malicious attacks. This method does not use a personal data terminal in a process to produce a user authentication to a service provider, and this method does not take into consideration the above mentioned threats of using the IMEI as the only reference for a secure possession factor.
An invention for using the mobile terminal for electronic payment services in an environment with short range communications (RfID) is described in US2005/0187882, where a user is issued a separate token for user authentication. The utilisation of a mobile terminal as a secure possession factor could enable a service provider to produce user authentication data from an arrangement on the mobile terminal itself, thus eliminating the need to issue a separate physical token to the user as described in US2005/0187882. Avoiding the use of a physical token is significant for the user subscribing to several services from a service provider or subscribing to services from several service providers.
Several methods to utilise a general available personal data terminal as a possession factor for user authentication exist. Codes being unique, associated with the personal terminal and residing in the personal terminal are present in different types of personal data terminals. But, these codes are not secret and they can be read and copied into other environments. If these codes are used as the only representation of a user's possession factor, they can be used to produce false incidents by skilled intruders who have obtained copies of the codes
Further, using the above mentioned codes as the only representation of a user's possession factor will not produce a possession factor that is unique if the possession factor is used by more than one service provider. The service provider can not know whether or not the same possession factor is reused by other service providers. It will improve the trust in the possession factor if the service provider knows that the user authentication data (e.g. a user code) produced from the possession factor is only valid for one user registration, and that the same user authentication data is not used in any other service providers registrations.
An additional identified problem with using codes being unique, associated with the personal terminal and residing in the personal terminal as a possession factor is that the service provider must be certain that the code is read from the actual personal terminal, and not from another environment.
In JP2003410949, a system and method are disclosed that generate unique codes and displays the code on the mobile terminal, e.g. in the form of a picture. This code is then used for accessing a service, like a cash withdrawal or a payment. Aside from requiring additional user interaction, the method has a weakness in that the code can unintentionally be disclosed from the display. Also, this method has not a registration procedure with each service provider—so the initial verification of the user's identity is left to a common procedure for all and not to the security standard chosen by each provider, like only to register the client if the mobile terminal and the user are present at the provider's premises.
GB2337908 describes a method where a PC card pager is issued with a host-generated one time password and an encryption table, and where a user authenticates by encrypting authentication information with an encryption key from the encryption table. This method is based on issuing a new one time password for every new authentication and it stores the encryption list in the PC card pager. Thus, the method is exposed to threats of copying the encryption table and of securing the distribution of one time passwords. Further, the method does not generate a reproducible user code, which can be used many times as a possession element for user identification and that can be used for authentication, signing and encryption purposes.
In order to create a secure possession factor from a generally available personal terminal, the personal terminal containing one or more codes being unique, associated with the personal terminal and residing in the personal terminal, an arrangement associated with the personal terminal must secure that:                the possession factor cannot be reproduced or copied;        the possession factor is unique for the service provider, such that the service provider is able to recognise a unique possession factor issued to a user from one specific registration incident;        the personal terminal is actually used in the production of the possession factor.        