In recent years, apart from a standard PIN code solution, one-time passcodes and proprietary mobile apps have dominated mobile authentication. Both, however, are not without their limitations.
Regular account takeovers continue to highlight the challenges of securing access to online data. With so many online accounts featuring only the most basic password protection, it's impossible for service providers to differentiate between authentic users and imposters.
In an effort to combat this, the industry historically adopted two methods of second factor authentication. They are:
Text messaging – the use of a one-time passcode (OTP) sent to a mobile device for out-of-band authentication.
Many service providers use OTPs to augment password-based authentication; however, they are still vulnerable to relatively common social engineering attacks. These include phishing and man-in-the-middle attacks. Moreover, signal issues can often disrupt services in rural or remote areas, further limiting the method’s effectiveness.
In June 2018, the European Banking Authority published a paper bringing together several elements intended to overcome that challenge. It has led to the conclusion that SMS is not an appropriate method to deliver an OTP, and that the complete SMS OTP approach should be replaced by more secure methods – for example, biometric authentication.
Native mobile app – leveraging a native device’s APIs to create a proprietary authentication method.
Creating a native mobile app, using a proprietary authentication method, is rapidly falling out of favour, largely due to the scale and flexibility of the standards-based options from FIDO Alliance.
There is, however, a third way.
GlobalPlatform empowers service providers and device manufacturers to ensure all devices are secure enough to protect against threats and attacks, and so enable the delivery of secure digital services to end users.
In parallel, GlobalPlatform is working with different industry alliances such as FIDO Alliance.
FIDO Alliance is focused on providing open and free authentication standards to help reduce the world's reliance on passwords. To be trusted, however, the implementation of FIDO-based authentication calls for the enforcement of privacy and security requirements.
GlobalPlatform-certified Trusted Execution Environment (TEE) and Secure Element (SE) secure components enable a variety of authentication deployment scenarios on client devices – like smartphones, tokens, wearables, and smart cards – and across a range of vertical markets. As such, they are perfectly suited to securing standardized authenticators for robust online authentication.
Industry Partner Comments
The use of mobile devices continues to grow around the world. Now more than ever, however, we must ensure secure online authentication solutions are in place.
GlobalPlatform-certified secure components enable the protection and secure management of digital services and, as such, are perfectly suited to securing FIDO Authenticators for robust online authentication. This allows OEMs to implement FIDO-based authentication and to safeguard the security, integrity and privacy of digital services from multiple providers deployed alongside each other on the same platform.
- Andrew Shikiar, FIDO Alliance Executive Director & Chief Marketing Officer