[Dave Birch] A discussion that I was in earlier today reminded about a point made earlier in the year. I was discussing the idea of using software in mobile phones instead of bank-provided "tokens". It's superficially very attractive, but it needs the operators to get on board. And then service providers, such as banks, may not want to use it because they don't want someone else in between them and their customers. While the mobile phone with a SIM is an excellent repository for phishing-resistant credentials, the fact the mobile operators control access to the SIM (and often severely restrict that access) turns many people off. On the other hand, if the mobile phone were to be used as part of a standard open authentication scheme -- so if the operator doesn't play ball, banks (or whoever) had plenty of choice of alternative tokens -- then that's not so much of a barrier. With the continued progress of OATH (who we've spoken to before) in making interoperable authentication practical, this scenario isn't particular far-fetched if there's a convenient way of implementing OATH in the phone.

Technorati Tags: identity, mobile

Plenty of people out there are looking at ways of using mobiles for 2FA. Another initiative, securePay, was announced in the UK recently. I'm not sure why mobiles in general, and SMS in particular, aren't used more already, especially when you consider the extent to which text messaging dominates the customer's communications. Tomi Ahonen pointed me at the JD Power annual survey of 3,000 U.K. phone users and its amazing 2007 findings. First of all, remember that the U.K. is one of Europe's leading mobile markets with almost 120% mobile phone subscriber penetration (European average penetration went past 100% last year), well above average mobile industry revenues, perhaps the world's most competitive mobile market with four operators with near identical market share (Vodafone, O2-Telefonica, Orange and T-Mobile all have between 30% and 20% market share) and a fifth the start up Three/Hutchison growing fast and leading in the 3G space. The U.K. also has a most vibrant MVNO market with Virgin Mobile. UK SMS text messaging usage levels have been near the European lead every year since. Now let's look at the figures. Voice calls by prepaid customers fell by 28% last year, by postpaid customers fell by 22%. But text messaging was up 43% and the average U.K. mobile user now sends six per day. The European average is less than two per day, and the American average less than one-half day. Tomi says that American SMS usage per subscriber follow almost exactly the U.K. usage with a four year lag

.

With the customers' revealed preference for text messaging, I think there's plenty of mileage in using SMS 2FA (either in vanilla SIMs or with a SIM Toolkit enryption/authentication application) not just to secure the transactions that are targeted by current 2FA (eg, home banking, corporate VPN) but in more general use. SMS 2FA is extremely cheap, and extremely effective. It needs virtually no consumer education and when used in a simple way (ie, when you try and log in to your bank, they send you a "token" by text) would make an impact on a range of attacks. And, crucially, it is not subject to the man-in-the-middle attack that is the Achilles' Heel of token authentication.

My opinions are my own (I think) and are presented solely in my capacity as an interested member of the general public.
[posted with ecto]

Comments

Perhaps I'm missing something, but I don't understand how being sent a token by SMS avoids man-in-the-middle attacks. It might help if it is required for doing each money transfer, but I don't see how it can help with initial authentication.

Posted by: Chris Rimmer | 19/06/2007 at 02:35 PM