Using NFC, IBM brings dual-factor authentication to mobile
Dual-factor authentication can work by combining smartphones and PCs, but that approach needs to be updated for the mobile era. A new IBM technique combines near-field communications and smartphones.
ZURICH, Switzerland -- Banks and major Web sites often combine passwords with people's phones to offer more secure two-factor authentication when logging onto a service with a PC. But what happens when you're logging on using a phone?
With a new approach IBM started touting today, NFC, or near-field communications, will fill the void.
NFC wireless links can be used to let people exchange contact information by bumping phones together or to pay for products by waving a phone close to a payment terminal, but it also can be used to enable dual-factor authentication in the mobile device era, said Diego Ortiz-Yepes, a security and encryption researcher at IBM Research in Zurich.
"When you use your phone to access the service, the phone is no longer the second factor," he said, speaking to reporters at a press event here Wednesday. An NFC-enabled credit card issued by a bank or other authority serves as the second factor, he said.
Dual-factor authentication offers more security since it means a password alone isn't enough to break into another person's account. The password must be supplemented by something a person has. For example, Google's dual-factor authentication uses a smartphone running an app that generates a one-time passcode, and some financial institutions issue key fobs that will generate a passcode number on demand.
Here's how IBM's approach works, using a bank's app as an example:
First, you load up the bank's app. It sends a special challenge number to your phone.
Next, the app asks you for your password. But here's the catch: after you enter it, you tap your phone against the NFC-enabled card your bank gave you.
Third, the phone transfers the challenge number to the card using NFC, the card transforms it through a calculation based on its own key, then sends it back to the phone, which sends it to the bank. Authentication fails if a person types in the wrong password or uses the wrong or no card.
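The three-step flow above, simulated end to end as an added example (this is not IBM's code, and the article does not name the card's calculation, so HMAC-SHA256 over the challenge, the account data and the card keys are all constructed assumptions). It shows why a wrong password, the wrong card, no card, or a replayed response each fails on the bank's side:

```python
import hashlib
import hmac
import secrets

# Constructed sample data (not from the article): one account with a password hash and the ID
# of the NFC card the bank issued; each card key is known only to the bank and that card.
ACCOUNTS = {"alice": {"pw_hash": hashlib.sha256(b"correct horse").hexdigest(), "card_id": "card-001"}}
CARD_KEYS = {"card-001": bytes.fromhex("0f" * 32),   # Alice's card
             "card-002": bytes.fromhex("a5" * 32)}   # a card issued to someone else

def card_transform(key, challenge):
    # Assumed transform: HMAC-SHA256 over the challenge. The article only says the card applies
    # "a calculation based on its own key"; any keyed MAC gives the same property.
    return hmac.new(key, challenge, hashlib.sha256).digest()

class Card:
    """Models the NFC card: holds its key and answers challenges; the key never leaves it."""
    def __init__(self, card_id):
        self._key = CARD_KEYS[card_id]

    def respond(self, challenge):
        return card_transform(self._key, challenge)

class Bank:
    def __init__(self):
        self._pending = {}   # outstanding challenge per user, consumed on first use

    def issue_challenge(self, user):
        # Step 1: the app opens and the bank sends a fresh random challenge to the phone.
        challenge = secrets.token_bytes(16)
        self._pending[user] = challenge
        return challenge

    def verify(self, user, password, response):
        # Step 3: check the password and the card's answer to the single-use challenge.
        challenge = self._pending.pop(user, None)
        acct = ACCOUNTS.get(user)
        if challenge is None or acct is None:
            return False
        pw_ok = hmac.compare_digest(hashlib.sha256(password.encode()).hexdigest(), acct["pw_hash"])
        expected = card_transform(CARD_KEYS[acct["card_id"]], challenge)
        card_ok = response is not None and hmac.compare_digest(expected, response)
        return pw_ok and card_ok

def login(bank, user, password, card=None):
    """Phone-side flow: fetch the challenge, enter the password, tap the card (or skip it)."""
    challenge = bank.issue_challenge(user)
    response = card.respond(challenge) if card is not None else None
    return bank.verify(user, password, response)
```

Because the bank discards each challenge after one verification, a captured card response is useless for a later login attempt.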
The approach is designed to be more secure but not such a hassle that people will shun it, Ortiz-Yepes said.
"If something is cumbersome to use, with 20,000 steps to get yourself authenticated with your bank, it could have the coolest math behind it but nobody's going to use it," he said.
But don't expect the approach to catch on fast. Many Android phones support NFC, but so far Apple has shunned it. That means IBM's approach wouldn't work with a key customer segment. That wouldn't stop them from offering it to some customers, but it could put a big damper on their enthusiasm.