Using NFC, IBM brings dual-factor authentication to mobile

Dual-factor authentication can work by combining smartphones and PCs, but that approach needs to be updated for the mobile era. A new IBM technique combines near-field communications and smartphones.

Diego Ortiz-Yepes of IBM Research in Zurich describes his approach for dual-factor authentication using mobile devices. Stephen Shankland/CNET

ZURICH, Switzerland -- Banks and major Web sites often combine passwords with people's phones to offer more secure two-factor authentication when logging onto a service with a PC. But what happens when you're logging on using a phone?

With a new approach IBM started touting today, NFC, or near-field communications, will fill the void.

NFC wireless links can be used to let people exchange contact information by bumping phones together or to pay for products by waving a phone close to a payment terminal, but they also can be used to enable dual-factor authentication in the mobile device era, said Diego Ortiz-Yepes, a security and encryption researcher at IBM Research in Zurich.

IBM's dual-factor authentication for mobile devices combines a user password with an NFC-linked card to improve login security. IBM

"When you use your phone to access the service, the phone is no longer the second factor," he said, speaking to reporters at a press event here Wednesday. An NFC-enabled credit card issued by a bank or other authority serves as the second factor, he said.

Dual-factor authentication offers more security since it means a password alone isn't enough to break into another person's account. The password must be supplemented by something a person has. For example, Google's dual-factor authentication uses a smartphone running an app that generates a one-time passcode, and some financial institutions issue key fobs that will generate a passcode number on demand.

Here's how IBM's approach works, using a bank's app as an example:

First, you load up the bank's app. It sends a special challenge number to your phone.

Next, the app asks you for your password. But here's the catch: after you enter it, you tap your phone against the NFC-enabled card your bank gave you.

Third, the phone transfers the challenge number to the card using NFC, the card transforms it through a calculation based on its own key, then sends it back to the phone, which sends it to the bank. Authentication fails if a person types in the wrong password or uses the wrong or no card.
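The three steps above, sketched as an added example (not IBM's code and not from the original article). The article does not say what calculation the card performs or how the bank checks the result; HMAC-SHA256 under a key shared by card and bank, PBKDF2 password hashing, and all class and function names here are assumptions.

```python
import hashlib, hmac, secrets

class Card:
    """Stands in for the NFC card: holds a key that never leaves it."""
    def __init__(self, key: bytes):
        self._key = key
    def respond(self, challenge: bytes) -> bytes:
        # Assumed transform: HMAC-SHA256 of the challenge under the card key.
        return hmac.new(self._key, challenge, hashlib.sha256).digest()

class Bank:
    def __init__(self):
        self._users = {}    # user -> (salt, password hash, card key)
        self._pending = {}  # user -> outstanding challenge
    def enroll(self, user: str, password: str) -> Card:
        salt, card_key = secrets.token_bytes(16), secrets.token_bytes(32)
        pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        self._users[user] = (salt, pw_hash, card_key)
        return Card(card_key)  # the card the bank hands to the customer
    def new_challenge(self, user: str) -> bytes:
        # Step 1: a fresh random challenge for every login attempt.
        self._pending[user] = secrets.token_bytes(16)
        return self._pending[user]
    def verify(self, user: str, password: str, response: bytes) -> bool:
        # Each challenge is single use, so a captured response cannot be replayed.
        challenge = self._pending.pop(user, None)
        if challenge is None or user not in self._users:
            return False
        salt, pw_hash, card_key = self._users[user]
        guess = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        expected = hmac.new(card_key, challenge, hashlib.sha256).digest()
        # Both factors are checked, with constant-time comparisons.
        pw_ok = hmac.compare_digest(guess, pw_hash)
        card_ok = hmac.compare_digest(expected, response)
        return pw_ok and card_ok

def login(bank: Bank, user: str, password: str, card) -> bool:
    """Phone-side flow: fetch challenge, relay it to the card, send the result."""
    challenge = bank.new_challenge(user)                # step 1
    response = card.respond(challenge) if card else b""  # steps 2-3, NFC tap
    return bank.verify(user, password, response)

if __name__ == "__main__":
    bank = Bank()
    card = bank.enroll("alice", "constructed-password")  # constructed sample data
    print("right password + right card:", login(bank, "alice", "constructed-password", card))
    print("right password, no card:    ", login(bank, "alice", "constructed-password", None))
```
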

The approach is designed to be more secure but not such a hassle that people will shun it, Ortiz-Yepes said.

"If something is cumbersome to use, with 20,000 steps to get yourself authenticated with your bank, it could have the coolest math behind it but nobody's going to use it," he said.

But don't expect the approach to catch on fast. Many Android phones support NFC, but so far Apple has shunned it. That means IBM's approach wouldn't work with a key customer segment. That wouldn't stop them from offering it to some customers, but it could put a big damper on their enthusiasm.

About the author

Stephen Shankland has been a reporter at CNET since 1998 and covers browsers, Web development, digital photography and new technology. In the past he has been CNET's beat reporter for Google, Yahoo, Linux, open-source software, servers and supercomputers. He has a soft spot in his heart for standards groups and I/O interfaces.

 
