WO2015103031A1 - A method and apparatus for securing a mobile application - Google Patents

A method and apparatus for securing a mobile application Download PDF

Info

Publication number
WO2015103031A1
WO2015103031A1 PCT/US2014/072102 US2014072102W WO2015103031A1 WO 2015103031 A1 WO2015103031 A1 WO 2015103031A1 US 2014072102 W US2014072102 W US 2014072102W WO 2015103031 A1 WO2015103031 A1 WO 2015103031A1
Authority
WO
WIPO (PCT)
Prior art keywords
nfc
transfer device
dynamic credential
user
dynamic
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Ceased
Application number
PCT/US2014/072102
Other languages
English (en)
French (fr)
Inventor
Dirk Marien
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Onespan International GmbH
Onespan North America Inc
Original Assignee
Vasco Data Security International GmbH
Vasco Data Security Inc
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Vasco Data Security International GmbH, Vasco Data Security Inc filed Critical Vasco Data Security International GmbH
Priority to JP2016544601A priority Critical patent/JP6556145B2/ja
Priority to KR1020167020999A priority patent/KR101706173B1/ko
Priority to CN201480074247.6A priority patent/CN106233689B/zh
Priority to EP14827678.5A priority patent/EP3090521B1/en
Publication of WO2015103031A1 publication Critical patent/WO2015103031A1/en
Anticipated expiration legal-status Critical
Ceased legal-status Critical Current

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/04Key management, e.g. using generic bootstrapping architecture [GBA]
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/04Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/083Network architectures or network communication protocols for network security for authentication of entities using passwords
    • H04L63/0838Network architectures or network communication protocols for network security for authentication of entities using passwords using one-time-passwords
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/083Network architectures or network communication protocols for network security for authentication of entities using passwords
    • H04L63/0846Network architectures or network communication protocols for network security for authentication of entities using passwords using time-dependent-passwords, e.g. periodically changing passwords
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0853Network architectures or network communication protocols for network security for authentication of entities using an additional device, e.g. smartcard, SIM or a different communication terminal
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/06Authentication
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/06Authentication
    • H04W12/068Authentication using credential vaults, e.g. password manager applications or one time password [OTP] applications
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/08Access security
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W4/00Services specially adapted for wireless communication networks; Facilities therefor
    • H04W4/80Services using short range communication, e.g. near-field communication [NFC], radio-frequency identification [RFID] or low energy communication

Definitions

  • the invention relates to securing remote access to computers and applications and remote transactions over computer networks. More specifically, the invention relates to methods and apparatus for authenticating users using a smartphone to access a remote application.
  • the invention is based on an insight of the inventors that most smartphones nowadays support NFC (Near Field Communication) technology to
  • NFC can for example by used to communicate with contactless smart cards.
  • the operating system of a number of smartphones don't give access to a low level API to directly exchange commands and responses over NFC with an NFC tag. Instead they may only support some limited high level services over NFC.
  • One aspect of the invention provides an authentication device for securing interaction of a user with a computer based application.
  • the authentication device may comprise a memory component adapted to store a secret key; a data processing component adapted to generate a dynamic credential by cryptographically combining said secret key with the value of a dynamic variable; a Near-Field Communication (NFC) interface to couple the authentication device to an NFC transfer device; whereby the authentication device may be adapted to: present itself to said NFC transfer device as an NFC tag ; make said generated dynamic credential available to said NFC transfer device by including said dynamic credential in first data contents of said NFC tag that can be read by said NFC transfer device using NFC mechanisms for reading data contents of NFC tags.
  • NFC Near-Field Communication
  • the authentication device may comprise an
  • authentication device of any of the previously described embodiments may be further adapted to present itself as an NFC Forum-compliant tag of Type 1, Type 2, Type 3 or Type 4 and to make said generated dynamic credential available to said NFC transfer device by including said dynamic credential in an NFC Data Exchange Format (NDEF) record of an NDEF message of an NDEF file of the authentication device for said NFC transfer device to read using NFC mechanisms for reading NDEF messages from NFC Forum-compliant tags.
  • NDEF NFC Data Exchange Format
  • the authentication device may comprise an
  • authentication device of any of the previously described embodiments may further comprise a clock and wherein said dynamic variable may be based on a time value provided by said clock.
  • the authentication device may comprise an
  • said dynamic variable may be based on an event related value that is stored in said memory component and that may be updated by the
  • said specific event may coincide with said generation of said dynamic credential.
  • said event related value may comprise a counter that may be monotonically incremented or decremented by said authentication each time said specific event occurs.
  • the authentication device may comprise an
  • said cryptographically combining said secret key with the value of said dynamic variable may comprise applying a symmetric cryptographic algorithm to said dynamic variable whereby said symmetric cryptographic algorithm is parameterized with said secret key and whereby said secret key is shared with an entity for verifying said generated dynamic credential.
  • the authentication device may comprise an
  • authentication device of any of the previously described embodiments may be further adapted to store a user identifier and to make said user identifier available to said NFC transfer device by including said dynamic credential in data contents of said NFC tag that can be read by said NFC transfer device using NFC mechanisms for reading data contents of NFC tags.
  • the authentication device may comprise an
  • authentication device of any of the previously described embodiments that may further comprise a user input interface for capturing an input from said user and that may be further adapted to require a specific input from said user as a condition for said generating said dynamic credential and/or for said making said generated dynamic credential available to said NFC transfer device.
  • said user input interface may comprise an activation button and said specific input may comprise the user pressing said activation button.
  • the authentication device may be further adapted to be activated by the user by said user input interface and the authentication device may present itself to said NFC transfer device as an NFC tag only after the user has activated the device by using said user input interface.
  • the authentication device may comprise an
  • the authentication device of any of the previously described embodiments that may be further adapted to be permanently or semi-permanently fixed to said NFC transfer device.
  • the authentication device may further comprise an adhesive component for attaching the device to said NFC transfer device.
  • the authentication device may be comprised in a protective shell or a protective cover of an access device comprising said NFC transfer device.
  • the authentication device may further comprise a user input interface and a user output interface, wherein said external data may comprise transaction data and wherein the device may be further adapted to present said transaction data to the user and to capture with said input interface an approval or a rejection by said user of said presented transaction data and to generate said dynamic credential and/or for make said generated dynamic credential available to said NFC transfer device only if said user approved said presented transaction data.
  • said user input interface may comprise an approval button for capturing said approval and a rejection button for capturing said rejection.
  • the authentication device may be further adapted to not present itself to said NFC transfer device as an NFC tag for a certain period after having received said external data from said NFC transfer device and to present itself again to said NFC transfer device only after said user approved or rejected said presented transaction data.
  • authentication device of any of the previously described embodiments may be further adapted to: receive a password value from said NFC transfer device by extracting said password value from third data contents of said NFC tag that have been updated by said NFC transfer device using NFC
  • Another aspect of the invention provides a system for securing interaction of a user with a computer based application.
  • the system may comprise any of the authentication devices of the previously described embodiments.
  • the system may comprise: an authentication device for generating a dynamic credential; an application server for hosting a server part of said application and verifying said dynamic credential generated by said authentication device; and an access device for allowing said user to access said computer based application, the access device connected to the application server by a computer network and adapted to obtain said dynamic credential from said authentication device and to forward said obtained dynamic credential to said application server for verification;
  • said access device may comprise an NFC transfer device; and said authentication device may comprise a memory component adapted to store a secret key, a data processing component adapted to generate said dynamic credential by cryptographically combining said secret key with a first value of a first dynamic variable, and a Near-Field
  • NFC Network Communication
  • the system may comprise any system of the previously described embodiments whereby said cryptographically combining said secret key with said first value of said first dynamic variable may comprise performing a symmetric cryptographic algorithm on said first value of said first dynamic variable whereby said symmetric cryptographic algorithm may be parameterized with said secret key and whereby said secret key may be shared between said authentication device and said application server and whereby said application server may use a server copy of said secret key to ' verify said dynamic credential .
  • the system may comprise any system of the previously descri bed embodiments whereby said authentication device and said access device may share a binding secret; said access device may be further adapted to communicate to said authentication device a binding value that the access device may have derived from said binding secret, whereby the access device may communicate the binding value to the authentication device by said NFC transfer device updating second data contents of said NFC tag using NFC mechanisms for updating data contents of NFC tags; and said authentication device may be further adapted to : receive said binding value from said access device by extracting said binding value from said second data contents of said NFC tag that have been updated by said NFC transfer device using said NFC mechanisms for updating data contents of NFC tags; verify said received binding value using said binding secret; and generate said dynamic credential and/or make said generated dynamic credential available to said NFC transfer device only if the authentication device has successfully verified the correctness of said received binding value.
  • Yet another aspect of the invention provides a method for secu ring interaction of a user with a computer based application.
  • the method may be used with any of the authentication devices or any of the systems of the previously described embodiments.
  • the method may comprise the steps of: at an authentication device that comprises a Near-Field Communication (NFC) interface to couple the authentication device to an NFC transfer device generating a dynamic credential by cryptographically combini ng a first value of a first dynamic variable with a secret key that is stored in said authentication device and shared with an application server that is hosting a server part of said application; the authentication device presenting itself to said NFC transfer device as an N FC tag ; at the authentication device making said generated dynamic credential available to said NFC transfer device by including said dynamic credential in first data contents of said NFC tag that can be read by said NFC transfer device using NFC mechanisms for reading data contents of NFC tags; allowing said user to access said computer based application using an access device that comprises said NFC transfer and that is connected to the
  • NFC Near-Fi
  • an authentication device that presents itself to the smartphone as a standard passive NFC memory tag.
  • the smartphone may be an NFC Forum-compliant device.
  • the authentication device may comprise or present itself as an NFC Forum compliant tag.
  • the NFC Reader/Writer Mode may be used .
  • the smartphone may take on the NFC Reader/Writer role.
  • aspects of the communication between the smartphone and the authentication device may be defined in at least some of the NFC Forum Technical Specifications, such as for example the NFC Digital Protocol Technical Specification, or the NFC Activity Technical Specification, and other specifications and standards such as for example ISO/IEC (International Organization for Standardization / International Electrotechnical Commission) 18092, ISO/IEC 18000-3, ISO/IEC 14443 (type A or type B), and Japanese Industry Standard (JIS) X 6319-4.
  • NFC Forum Technical Specifications such as for example the NFC Digital Protocol Technical Specification, or the NFC Activity Technical Specification
  • ISO/IEC International Organization for Standardization / International Electrotechnical Commission
  • ISO/IEC 18000-3 International Electrotechnical Commission
  • ISO/IEC 14443 type A or type B
  • JIS Japanese Industry Standard
  • the authentication device may present itself as a standard NFC Type 1 Tag. In some embodiments the authentication device may present itself as a standard NFC Type 2 Tag. In some embodiments the authentication device may present itself as a standard NFC Type 1 Tag. In some embodiments the authentication device may present itself as a standard NFC Type 2 Tag. In some embodiments the NFC Forum Technical Specifications, such as for example the NFC Data Exchange Format (NDEF) Technical Specifications, the NFC Forum Tag Type Technical Specifications (such as the NFC Forum Type 1/2/3/4 Tag Operation Specifications) and the Record Type Definition Technical Specifications (such as the NFC Record Type Definition (RTD) Technical Specification, the NFC Uniform Resource Identifiers (URI) RTD Technical Specification, and the NFC Smart Poster RTD Technical Specification).
  • NDEF NFC Data Exchange Format
  • the NFC Forum Tag Type Technical Specifications such as the NFC Forum Type 1/2/3/4 Tag Operation Specifications
  • the Record Type Definition Technical Specifications such as the NFC Record Type Definition (RTD) Technical Specification, the NFC Uni
  • the authentication device may present itself as a standard NFC Type 3 Tag. In some embodiments the authentication device may present itself as a standard NFC Type 4 Tag.
  • NFC transfer device may refer to an NFC Forum Device or other similar device that may operate in the NFC
  • NFC tag or NFC memory tag may refer to an NFC Tag as defined in the NFC Digital Protocol Technical Specification and the NFC Forum Tag Type Technical Specifications i.e. a contactless tag or (smart) card supporting NDEF over Passive Communication wherein Passive Communication is a communication mode in which one device
  • RF field Radio Frequency field
  • this second device uses load modulation (i.e., it does not generate an RF field but it draws more or less power from the RF field).
  • the authentication device (which may be further referred to as an NFC token device or NFC token) may be adapted to generate a one-time password (which may be further referred to as OTP), to present itself as an NFC tag and to populate the contents of the NFC memory tag with the generated one-time password.
  • a one-time password (which may be further referred to as OTP)
  • OTP one-time password
  • the contents of the memory tag may comprise an NDEF message comprising an NDEF record comprising the generated OTP.
  • the contents of the memory tag (which may comprise the OTP) may be read by an NFC transfer device (such as a smartphone) by the standard protocols for reading the contents of an NFC memory tag.
  • the NFC token may generate the one-time password and populate the contents of the tag with the generated OTP when the NFC token is activated by bringing it into the NFC field of the smartphone.
  • the NFC token may generate the one-time password and populate the contents of the tag on the fly upon receiving a read command from the NFC transfer device to read the memory tag contents.
  • the NFC token may be an NFC Type 4 tag and the NFC token may be adapted to generate an OTP, generate an NDEF message comprising the generated OTP and populate an NDEF file, upon receiving a ReadBinary command to read the NDEF file and before responding with the contents of the populated NDEF file.
  • the NFC token generates a new one-time password and populates the contents of the tag with the new OTP after the current contents of the tag have been read by the smartphone.
  • the NFC token may comprise one or more memory components and may be adapted to store a secret key in the one or more memory components, and the NFC token may further comprise one or more data processing components and may be further adapted to generate the OTP by cryptographically combining the stored secret key with a dynamic variable.
  • the NFC token may comprise a clock for generating a time value which the NFC token may use to determine the value of the dynamic variable for generating a time-based OTP.
  • the NFC token may store and maintain in memory an event related value that it updates upon specific events and the NFC token may use this event related value to determine the value of the dynamic variable for generating an event- based OTP.
  • the NFC token may update the event related value each time that the NFC token generates a one-time password.
  • the event related value may be a counter and updating the event related value may comprise for example incrementing (or decrementing) the counter.
  • updating the event related value may comprise the NFC token replacing the current value of the event related value by a new value that the NFC token may calculate from the current value of the event related value.
  • the NFC token may calculate the new value of the event related value for example by applying a hashing function to the current value of the event related value.
  • the smartphone and the NFC token may be configured such that when the NFC token is brought in the NFC field of the smartphone, the NFC token may be automatically activated and the smartphone may detect the presence of the NFC token (which may present itself as an ordinary standard passive NFC tag) whereupon the smartphone may read the contents of the tag containing the OTP.
  • the smartphone may automatically launch an application (such as a browser or for example a mobile banking application) associated with the tag and pass the contents of the tag to the application.
  • the contents of the tag may, in addition to an OTP, also comprise a data element identifying a user associated with the NFC token.
  • the contents of the tag may automatically provide for example User ID (user identifier) and dynamic password information to the application associated with the tag that is automatically launched by the smartphone thus providing a convenient and secure application launch and login experience to the user.
  • the contents of the tag may comprise an NDEF message and the NDEF message may comprise an NDEF record of the URI type which may comprise a URI that is parameterized with a User ID and an OTP.
  • a smartphone may launch a browser application and pass the URI (which is parameterized with the User ID and OTP) to the browser upon which the browser passes the User ID and OTP as parameters of the URI to the application server indicated by the URI thus enabling the user to be automatically logged in into the application indicated by the URI.
  • the NFC reader device reading the contents of the tag may select an application or an app based on the Record
  • the Record Type may be an External Type.
  • the application or app may for example comprise a mobile banking app.
  • the NFC token ' doesn't make an OTP available to an
  • NFC transfer device by default, but only after an explicit action of the user.
  • the NFC token may comprise a user input interface (such as a button) and the NFC token may be adapted to make an
  • OTP available only when the user has indicated by using the user input interface (e.g . by pressing the button) that the OTP should be made available.
  • the NFC token may be adapted to make a generated
  • OTP available in an NDEF record of an NDEF file and the token may be adapted to automatically generate an OTP and update the NDEF file with the new OTP value when a user has- used the user input interface to instruct the
  • the NFC token by default does not present an NFC tag to the smartphone even when it is brought in the NFC field of the smartphone.
  • the NFC token requires an explicit physical action of the user to prompt the NFC token to present itself as an NFC tag to the smartphone.
  • the NFC token may comprise a user input interface and the NFC token may be adapted to present itself as an NFC tag only when the user has indicated by using the user input interface that it should do so.
  • the NFC token may comprise an activation button and the NFC token may be adapted to present itself as an NFC tag to the smartphone after the user has pressed the activation button.
  • the NFC token may be adapted such that the NFC antenna of the NFC token may be electrically disconnected from the other components of the NFC token and the antenna may be connected to the other components of the NFC token when the user pushes the activation button upon which the NFC token may become perceivable to the smartphone as an NFC tag.
  • the contents of the NFC tag (which may comprise an OTP and User ID) only become accessible for read out when the user explicitly pushes the activation button thus preventing surreptitious reading out of the OTP and user id by some rogue application without the user being aware of it.
  • This also has the additional advantage that the user does not need to move the NFC token out and back into the NFC field to activate the NFC token, let the NFC token generate a new OTP and force the smartphone to read the contents of the NFC tag again. This means that the user can keep the NFC token
  • the activation button may allow the user to launch an application and to securely login into the application with just one push on the activation button of the NFC token.
  • the NFC token may be adapted to generate an OTP or a signature by cryptographically combining a secret key stored in the NFC token with a dynamic variable that is based on external data that the NFC token may receive from the smartphone.
  • the terminology dynamic credential as used in this description may refer to an OTP or a signature that is generated by cryptographically combining a secret key with a dynamic variable that is based on external data may also be referred.
  • the external data may for example comprise a challenge (which may be provided by an application) or transaction data.
  • the smartphone may transfer these external data to the NFC token by using the standard mechanism for updating the contents of an NFC memory tag.
  • the smartphone or other device which may comprise an NFC transfer device, may update an NDEF record in an NDEF file of the NFC token with the external data.
  • the NFC token may generate for example the response to the received challenge or the signature over the transaction data after receiving the external data comprising for example the challenge or the transaction data.
  • the NFC token may be adapted to update the contents of the memory tag with the generated response or signature.
  • the NFC token disconnects and reconnects the memory tag that it presents to the smartphone to prompt the smartphone to read the updated contents of the memory tag.
  • the NFC token may be adapted to stop presenting itself during a certain period as an NFC tag after it has received the external data. After that period the NFC token may again present itself as an NFC tag the NDEF file of which the NFC token may have updated with a signature that the NFC token has in the meantime generated over the external data.
  • the period that the NFC token is thus not visible to the NFC transfer device or smartphone as an NFC tag may be less than 2 seconds. In some embodiments this period of time is less than 1 second. In some embodiments this period of time is less than 0.5 seconds.
  • this period of time is less than 0.1 seconds. In some embodiments this period of time is the minimum period of time that must elapse between the removal and the (re)insertion of an NFC tag in the near field of an NFC transfer device to guarantee that the NFC transfer device will notice that an NFC tag has been removed and then presented again.
  • the NFC token may be adapted to put the generated response or signature in another part of the tag contents than an OTP that is not based on external data.
  • the smartphone may include a session id in the external data that it writes to the NFC token and the NFC token may include this session id along with the generated response or signature with which it updates the memory tag.
  • the NFC token may comprise the generated response or signature, and optionally also the session id or a user id or another identifying data element, in a memory tag that is associated with a specific helper application that is adapted to forward data comprised in that memory tag (e.g., the generated response or signature and optionally a session id, user id or other identifying data element) to a verification server associated with the mobile application being accessed by the user.
  • a specific helper application that is adapted to forward data comprised in that memory tag (e.g., the generated response or signature and optionally a session id, user id or other identifying data element) to a verification server associated with the mobile application being accessed by the user.
  • a first application or app on the NFC transfer device or smartphone may update the memory tag with external data.
  • the NFC token may use these external data to generate a dynamic credential and update the contents of the memory tag (e.g. by updating an NDEF record in an NDEF message in an NDEF file of the NFC token) with the generated dynamic credential.
  • the NFC transfer device or smartphone may then read the updated contents and pass the updated contents that it has read to a second application or app on the NFC transfer device that the NFC transfer device may have selected on the basis of information in the updated contents that is has read (such as for example the NDEF type of an NDEF record in the NDEF message).
  • the NFC token may comprise a signature button and may require the user to push the signature button to generate the signature and/or make the signature available to be read by the smartphone or the NFC transfer device.
  • the signature button may be the same as the activation button for generating an OTP. In some embodiments the signature button may be a different button than the activation button.
  • the NFC token may comprise a user output interface
  • the NFC token may be adapted to present the external data to be signed to the user and wait for the user to approve the presented external data before generating the signature and/or making the signature available to be read by the smartphone or the NFC transfer device.
  • the NFC token may be adapted to capture the user's approval of the external data by the user input interface.
  • the NFC token may be adapted to capture the user's rejection of the external data by the user input interface, and the NFC token may be adapted to communicate the user's rejection by updating the contents of the memory tag accordingly (e.g. by including an indication of the rejection in an NDEF record of an NDEF message of an NDEF file of the NFC token).
  • the NFC token may have an activation button for the user to indicate approval and a rejection button for the user to indicate rejection.
  • the NFC token may be adapted to verify a Personal
  • Identification Number PIN and/or a password and may require that a correct PIN and/or password is provided to generate for example a signature or a response to external data.
  • the user may enter the PIN and/or password of the NFC token on the smartphone and the smartphone may provide the PIN and/or password to the NFC token for example together with or as part of the external data.
  • the PIN or password to be verified may be communicated by an NFC transfer device (e.g., NFC transfer device within a smartphone) to the NFC token by the NFC transfer device updating an NDEF record in an NDEF file of the NFC token.
  • NFC transfer device e.g., NFC transfer device within a smartphone
  • the NFC token may comprise one or more memory components and may be adapted to store a PIN reference value and/or a password reference value in the one or more memory components and the NFC token may be adapted to verify a PIN and/or a password that it has received from for example the smartphone by comparing the received PIN and/or password with the stored PIN reference value and/or password reference value.
  • the PIN may comprise a string of decimal digits.
  • the password may comprise a string of alphanumerical characters.
  • the NFC token may be adapted to verify a biometric measurement of the legitimate user and may require that a correct biometric of the legitimate user associated with the NFC token is provided to generate for example a signature or a response to external data.
  • the smartphone may capture a biometric measurement of the user (e.g. by using a biometric sensor on the smartphone) and the smartphone may provide the biometric measurement to the NFC token for example together with or as part of the external data.
  • the NFC token may comprise one or more memory components and may be adapted to store biometric reference data in the one or more memory components and the NFC token may be adapted to verify a biometric measurement that it has received from for example the smartphone by comparing the received biometric
  • the NFC token may be bound to a particular NFC
  • the NFC reading device and the NFC token may be bound the first time the NFC token is used with the NFC transfer device. In some embodiments the binding is done using a binding secret that is shared by the NFC token and the NFC reading device. In some embodiments the NFC transfer device may receive the value of the binding secret from the user. In some embodiments the NFC reading device may receive the value of the binding secret once (e.g . the first time the NFC token is used with that NFC transfer device) and may store the value of the binding secret for future use. In some embodiments the NFC token may require that a correct value for the binding secret is provided to the NFC token (e.g.
  • the NFC reading device may use the binding secret with a cryptographic algorithm to generate a cryptographic binding value and the NFC transfer device may provide the generated binding value to the NFC token (e.g. in the same way that a PIN or password value may be provided as described above) and the NFC token may verify whether the binding value is cryptographically correct and the NFC token may use the cryptographic correctness of the binding value as a condition to generate a dynamic credential.
  • the NFC token may have a form factor that allows the NFC token be easily fixed in a permanent or semi-permanent way to an access device comprising an NFC reading device (e.g., smartphone) such that the NFC token remains fixed to the access device until explicit action is taken by a user to detach the NFC token (or an object comprising the NFC token) from the access device.
  • the NFC token may comprise an adhesive part that allows the NFC token to be stuck or glued to the access device.
  • the NFC token may have a thickness of maximally 2 mm. In some embodiments the NFC token may have a thickness of maximally 1 mm.
  • the NFC token may have a width of maximally 54 mm and a length of maximally 86 mm. In some embodiments the NFC token may have a width and a length of maximally 3 cm. In some embodiments the NFC token may be comprised in a sticker that may be attached to a smartphone. In some embodiments the NFC token may be comprised in for example a shell or protective cover of a smartphone. In some embodiments the NFC token may be portable. In some embodiments the NFC may have a weight of less than 10 gram.
  • the NFC token may comprise an autonomous electrical energy source for powering the NFC token for example when it can't get (sufficient) electrical power from the NFC field of a smartphone or other device comprising an NFC transfer device.
  • the autonomous electrical energy source may be rechargeable.
  • the NFC token may be adapted to recharge the autonomous electrical energy source using energy captured from the NFC field of the smartphone or other device comprising an NFC transfer device.
  • the NFC token may comprise a battery.
  • the battery may be rechargeable.
  • the NFC token may be adapted to recharge the battery using energy captured from the NFC field of the smartphone or other device comprising an NFC transfer device.
  • the NFC token may comprise a capacitor for providing electrical energy to the electronics of the NFC token.
  • the NFC token may be adapted to recharge the capacitor using energy captured from the NFC field of the smartphone or other device comprising an NFC transfer device.
  • Figure 1 schematically illustrates an exemplary apparatus according to an aspect of the invention.
  • Figure 2 schematically illustrates an exemplary system according to an
  • Figure 3 is a flow chart illustrating steps of a method for securing interaction of a user with an application in accordance with aspects of the invention. Detailed description
  • Figure 1 schematically illustrates an exemplary apparatus (100) of the
  • the apparatus (100) may comprise any of the authentication devices and/or NFC tokens described elsewhere in this description.
  • the illustrated apparatus comprises: an NFC antenna/interface (110), one or more memory components (120) for storing a secret key and for storing (at least temporarily) the contents of an NFC memory tag, one or more data processing components ( 130), an activation button (140), and a signature button (150).
  • the apparatus may be adapted to generate an OTP and/or a signature or response to external data and to function as an NFC token described above.
  • the apparatus may be adapted to present itself as an NFC memory tag to a smartphone (or other device comprising an NFC transfer device).
  • the apparatus may be adapted to generate a one-time password using the secret key stored in the one or more memory components and the apparatus may be adapted to populate or update the contents of the memory tag such that it includes the generated one-time password.
  • the apparatus is adapted to enable the read-out of the contents of the memory tag comprising the one-time password using a standard NFC memory tag read operation.
  • the one or more data processing components may be adapted to generate the one-time password. In some embodiments the one or more data processing components may be adapted to perform
  • the cryptographic calculations may comprise for example performing a symmetric cryptographic algorithm parameterized with the secret key and using the dynamic variable.
  • this symmetric cryptographic algorithm may comprise a symmetric
  • encryption/decryption algorithm such as AES (Advanced Encryption Standard) or may comprise a keyed hashing algorithm such as HMAC (Hash-based
  • the apparatus may comprise a clock (160) for
  • FIG. 2 schematically illustrates an exemplary system (200) according to an aspect of the invention.
  • the system may comprise: an NFC token (210), a client device (220), and an application server (230) .
  • the NFC token (210) may comprise any of the NFC tokens described elsewhere in this description.
  • the client device (220) may comprise a personal
  • the client device may comprise a smartphone (or other device comprising an NFC transfer device such as a tablet).
  • the client application may be adapted to be operated by and to interface with a user (240).
  • the client device may comprise a user output interface (such as a display) for presenting information to the user.
  • the client device may comprise a user input interface (such as a keyboard or touch screen) to receive inputs or information from the user.
  • the client device may be adapted to run a client application or a client app that the user may use to interact with an application e.g. by using the user input interface and the user output interface of the client device.
  • the client application of client app may comprise a web browser to interact with a web-based application.
  • the application server (230) may comprise one or more computers.
  • the application server may be adapted to host a server part of the application.
  • the application may for example comprise a web banking application.
  • the client device and the application server may be connected over a computer network (250) and/or a telecommunications network (250) such as for example the internet and/or a wireless data and/or telephone network.
  • Figure 3 depicts a flow chart 300 of steps for securing interaction of a user with a computer based application in accordance with an aspect of the invention.
  • a dynamic credential is generated by an authentication device.
  • the dynamic credential may be generated by authentication device 100.
  • the authentication device includes a Near-Field Communication (NFC) interface to couple the authentication device to an NFC transfer device (e.g., of an access device such as client device 220).
  • NFC Near-Field Communication
  • the authentication device 100 may generate the dynamic credential (e.g., using data processing component 130) by cryptographically combining a first value of a first dynamic variable with a secret key that is stored in the authentication device 100 (e.g., in memory 120).
  • the secret key in the authentication device 100 may be shared with an application server (e.g., application server 230) that hosts a server part of the computer based application.
  • the authentication device 100 presents itself to the NFC transfer device as an NFC tag.
  • the dynamic credential is made available by the authentication device to an NFC transfer device.
  • the NFC transfer device may be a device capable of communication via NFC (e.g., client device
  • the authentication device may make the dynamic credential generated (e.g., at step 310) available to the NFC transfer device by including the dynamic credential in first data contents of the NFC tag that can be read by the NFC transfer device using NFC mechanisms for reading data contents of NFC tags.
  • an access device obtains the dynamic credential.
  • the access device may be a device such as a smartphone that comprises the NFC transfer device.
  • the access device may be connected to the application server that hosts the server part of the computer based application by a computer network.
  • the access device may obtain the dynamic credential by extracting the dynamic credential from the data contents of the NFC tag that the NFC transfer device reads using the NFC mechanisms for reading data contents of NFC tags.
  • the access device forwards the dynamic credential to the
  • application server and the application server receives the dynamic credential, which was generated by the authentication device and obtained by the access device.
  • the application server verifies the received dynamic credential.
  • the application server may be configured to verify the dynamic credential for example by determining the value of the dynamic variable used to create the dynamic credential and by using the secret key that is shared with the authentication device e.g. to generate a reference value that may then be compared to the received dynamic credential.
  • a user is allowed to access the computer based application using the access device. The user may be allowed to access the computer based application responsive to the application server verifying the received dynamic credential.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Telephone Function (AREA)
PCT/US2014/072102 2013-12-31 2014-12-23 A method and apparatus for securing a mobile application Ceased WO2015103031A1 (en)

Priority Applications (4)

Application Number Priority Date Filing Date Title
JP2016544601A JP6556145B2 (ja) 2013-12-31 2014-12-23 モバイルアプリケーションの安全性を確保する方法および装置
KR1020167020999A KR101706173B1 (ko) 2013-12-31 2014-12-23 모바일 애플리케이션을 보안하기 위한 방법 및 장치
CN201480074247.6A CN106233689B (zh) 2013-12-31 2014-12-23 用于保护移动应用的方法和设备
EP14827678.5A EP3090521B1 (en) 2013-12-31 2014-12-23 A method and apparatus for securing a mobile application

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
US201361922215P 2013-12-31 2013-12-31
US61/922,215 2013-12-31

Publications (1)

Publication Number Publication Date
WO2015103031A1 true WO2015103031A1 (en) 2015-07-09

Family

ID=52350373

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/US2014/072102 Ceased WO2015103031A1 (en) 2013-12-31 2014-12-23 A method and apparatus for securing a mobile application

Country Status (6)

Country Link
US (1) US9510192B2 (enExample)
EP (1) EP3090521B1 (enExample)
JP (2) JP6556145B2 (enExample)
KR (1) KR101706173B1 (enExample)
CN (1) CN106233689B (enExample)
WO (1) WO2015103031A1 (enExample)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20140357187A1 (en) * 2011-09-08 2014-12-04 Yubico Inc. Devices and Methods for Identification, Authentication and Signing Purposes
JP2018534706A (ja) * 2015-09-21 2018-11-22 ワンスパン インターナショナル ゲゼルシャフト ミット ベシュレンクテル ハフツング マルチユーザ厳密認証トークン
JP2019506789A (ja) * 2015-12-30 2019-03-07 ワンスパン インターナショナル ゲゼルシャフト ミット ベシュレンクテル ハフツング パスコード検証のためのフォワードセキュア型暗号技術を使用した方法、システム、及び装置。

Families Citing this family (29)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
GB2516686B (en) * 2013-07-30 2018-02-07 Paxton Access Ltd Communication method and system
EP3090521B1 (en) * 2013-12-31 2020-04-01 OneSpan International GmbH A method and apparatus for securing a mobile application
US11328797B2 (en) * 2014-11-19 2022-05-10 Imprivata, Inc. Location-based healthcare collaboration, data management and access control
US20160261588A1 (en) * 2015-03-04 2016-09-08 Tapcentive, Inc. Secure nfc token supporting escalating authentication of nfc exchanges
KR200478493Y1 (ko) * 2015-04-09 2015-10-14 (주)예원조경건설 스마트 안내표지판
US9998181B1 (en) * 2015-04-09 2018-06-12 Cellotape, Inc. Method, system and apparatus for selectively accessing content at a device
US10817593B1 (en) * 2015-12-29 2020-10-27 Wells Fargo Bank, N.A. User information gathering and distribution system
SG10201600192TA (en) * 2016-01-11 2017-08-30 Mastercard Asia Pacific Pte Ltd A Method For Dynamic Authentication Of An Object
FR3049414A1 (fr) * 2016-03-25 2017-09-29 Orange Enregistrement de service dans un reseau local
CN105915541A (zh) * 2016-06-07 2016-08-31 惠州Tcl移动通信有限公司 基于nfc的移动终端密码保存与恢复处理方法及系统
US20230360023A1 (en) * 2016-06-15 2023-11-09 Capital One Services, Llc Techniques to process contactless card functions in a multiple banking system environment
KR102526959B1 (ko) * 2016-10-27 2023-05-02 삼성전자주식회사 전자 장치 및 그의 동작 방법
JP2019067348A (ja) * 2017-10-02 2019-04-25 聡子 荻原 ワンタイムパスワード自動送信機
EP3502998A1 (en) * 2017-12-19 2019-06-26 Mastercard International Incorporated Access security system and method
CN108810836B (zh) 2018-06-12 2020-06-16 飞天诚信科技股份有限公司 一种向用户提供近场通信设备信息的方法及系统
EP3582166A1 (en) * 2018-06-15 2019-12-18 Thales Dis France SA Method and system to create a trusted record or message and usage for a secure activation or strong customer authentication
EP3671498B1 (fr) * 2018-12-20 2023-08-09 EM Microelectronic-Marin SA Procede d'authentification securisee d'un transpondeur en communication avec un serveur
DE102019108049A1 (de) * 2019-03-28 2020-10-01 Pilz Gmbh & Co. Kg Zugriffssteuerungssystem zur Steuerung eines Zugriffs eines Nutzers auf eine oder mehrere Betriebsfunktionen einer technischen Anlage
US11521213B2 (en) * 2019-07-18 2022-12-06 Capital One Services, Llc Continuous authentication for digital services based on contactless card positioning
US11455617B2 (en) * 2019-10-04 2022-09-27 Visa International Service Association Type 4 NFC tags as protocol interface
US11432149B1 (en) 2019-10-10 2022-08-30 Wells Fargo Bank, N.A. Self-sovereign identification via digital credentials for selected identity attributes
US10733283B1 (en) * 2019-12-23 2020-08-04 Capital One Services, Llc Secure password generation and management using NFC and contactless smart cards
JP7669029B2 (ja) * 2021-04-12 2025-04-28 株式会社アクアビットスパイラルズ アクション制御システム、アクション制御サーバ及びアクション制御方法
SE544638C2 (en) * 2021-06-07 2022-10-04 Total Security Stockholm Ab System and method for taking an access control decision based on a virtual key
CN115695064A (zh) * 2021-07-28 2023-02-03 佛山市顺德区美的电子科技有限公司 一种家电设备配网方法、配网装置和家电设备
CN115278630A (zh) * 2022-07-29 2022-11-01 上海千随信息技术有限公司 基于近场通信的信息交互方法、装置、系统及存储介质
US20240346130A1 (en) * 2023-04-11 2024-10-17 Capital One Services, Llc Random password generation and update for digital service authentication
US20240381080A1 (en) * 2023-05-10 2024-11-14 Capital One Services, Llc Systems and methods for secure authentication information retrieval
TWI875546B (zh) * 2024-03-28 2025-03-01 奧圖碼股份有限公司 顯示裝置、顯示系統及解除顯示裝置鎖定狀態的方法

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2010043974A1 (en) * 2008-10-16 2010-04-22 Christian Richard System for secure contactless payment transactions
WO2013034681A1 (en) * 2011-09-08 2013-03-14 Ehrensvaerd Jakob Devices and methods for identification, authentication and signing purposes

Family Cites Families (14)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7791451B2 (en) * 2006-10-17 2010-09-07 International Business Machines Corporation Methods, systems, and computer program products for providing mutual authentication for radio frequency identification (RFID) security
US8494959B2 (en) * 2007-08-17 2013-07-23 Emc Corporation Payment card with dynamic account number
WO2009039419A1 (en) * 2007-09-21 2009-03-26 Wireless Dynamics, Inc. Wireless smart card and integrated personal area network, near field communication and contactless payment system
WO2009077664A1 (fr) * 2007-09-27 2009-06-25 Inside Contactless Procédé et dispositif de gestion de données d'application dans un système nfc
EP2369811B1 (en) * 2008-11-04 2016-03-23 SecureKey Technologies Inc. System and methods for online authentication
US8412928B1 (en) * 2010-03-31 2013-04-02 Emc Corporation One-time password authentication employing local testing of candidate passwords from one-time password server
US8453226B2 (en) * 2010-07-16 2013-05-28 Visa International Service Association Token validation for advanced authorization
JP2012073955A (ja) * 2010-09-29 2012-04-12 Fujitsu Ltd 送受信体及び認証システム
US20120167194A1 (en) * 2010-12-22 2012-06-28 Reese Kenneth W Client hardware authenticated transactions
US8789146B2 (en) * 2011-04-14 2014-07-22 Yubico Inc. Dual interface device for access control and a method therefor
EP2680526A1 (en) * 2012-06-26 2014-01-01 Certicom Corp. Methods and devices for establishing trust on first use for close proximity communications
US9594896B2 (en) * 2012-12-21 2017-03-14 Blackberry Limited Two factor authentication using near field communications
US9104853B2 (en) * 2013-05-16 2015-08-11 Symantec Corporation Supporting proximity based security code transfer from mobile/tablet application to access device
EP3090521B1 (en) * 2013-12-31 2020-04-01 OneSpan International GmbH A method and apparatus for securing a mobile application

Patent Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2010043974A1 (en) * 2008-10-16 2010-04-22 Christian Richard System for secure contactless payment transactions
WO2013034681A1 (en) * 2011-09-08 2013-03-14 Ehrensvaerd Jakob Devices and methods for identification, authentication and signing purposes

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20140357187A1 (en) * 2011-09-08 2014-12-04 Yubico Inc. Devices and Methods for Identification, Authentication and Signing Purposes
US9954578B2 (en) * 2011-09-08 2018-04-24 Yubico Inc. Devices and methods for identification, authentication and signing purposes
JP2018534706A (ja) * 2015-09-21 2018-11-22 ワンスパン インターナショナル ゲゼルシャフト ミット ベシュレンクテル ハフツング マルチユーザ厳密認証トークン
JP2019506789A (ja) * 2015-12-30 2019-03-07 ワンスパン インターナショナル ゲゼルシャフト ミット ベシュレンクテル ハフツング パスコード検証のためのフォワードセキュア型暗号技術を使用した方法、システム、及び装置。

Also Published As

Publication number Publication date
CN106233689B (zh) 2019-09-20
JP2019083536A (ja) 2019-05-30
JP2017503427A (ja) 2017-01-26
JP6629952B2 (ja) 2020-01-15
US9510192B2 (en) 2016-11-29
JP6556145B2 (ja) 2019-08-07
CN106233689A (zh) 2016-12-14
KR101706173B1 (ko) 2017-02-27
EP3090521A1 (en) 2016-11-09
EP3090521B1 (en) 2020-04-01
US20150189505A1 (en) 2015-07-02
KR20160128997A (ko) 2016-11-08

Similar Documents

Publication Publication Date Title
US9510192B2 (en) Method and apparatus for securing a mobile application
US10177816B2 (en) Devices and methods for identification, authentication and signing purposes
US9594896B2 (en) Two factor authentication using near field communications
US9740847B2 (en) Method and system for authenticating a user by means of an application
US11539399B2 (en) System and method for smart card based hardware root of trust on mobile platforms using near field communications
KR20170039672A (ko) 장치에 대해 클라이언트를 인증하기 위한 시스템 및 방법
JP2010539813A (ja) 追加要素での移動体装置のアップデート
JP2015517151A (ja) モバイルウォレットに関連する変更を検出および管理するシステム、方法、およびコンピュータプログラム製品
CN113711560A (zh) 用于有效质询-响应验证的系统和方法
WO2012155620A1 (zh) 一种进行近场通信安全性保护的方法及移动通信终端
JP2016500173A (ja) モバイル装置および電源付きディスプレイカードを用いた、安全な遠隔アクセスおよび遠隔支払いのためのシステムおよび方法。
CN107067250A (zh) 用于执行支付的方法和装置
CN111512618A (zh) 发送和接收包括表情符号的消息的电子设备以其控制方法
CN110876144B (zh) 一种身份凭证的移动应用方法、装置及系统
CA2836890C (en) Two factor authentication using near field communications
WO2014140426A1 (en) Multi-factor authentication techniques
KR20070020772A (ko) 무선단말기 번호를 이용한 금융거래 처리방법 및 시스템과이를 위한 금융거래 처리장치와, 금융거래 단말장치와,단말 장치와 기록매체
KR20120080555A (ko) 모바일 일회용코드를 이용한 거래 방법
CN108665267A (zh) 安全认证装置及系统
KR20070021580A (ko) 금융거래 처리방법 및 시스템과 이를 위한 금융거래처리장치와, 금융거래 단말장치와, 단말 장치와 기록매체
JP2019079293A (ja) 携帯端末へのサービスアプリケーション発行システムおよびサービスアプリケーション発行方法
KR20120079043A (ko) 모바일 일회용코드를 이용한 금융거래 처리 방법
CN106941615B (zh) 一种支付方法、机顶盒及系统
KR20100068130A (ko) 인덱스 교환을 통한 일회용 인증 방법 및 시스템과 이를 위한 기록매체
Kunning Strong Authentication Protocol using PIV Card with Mobile Devices

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 14827678

Country of ref document: EP

Kind code of ref document: A1

ENP Entry into the national phase

Ref document number: 2016544601

Country of ref document: JP

Kind code of ref document: A

NENP Non-entry into the national phase

Ref country code: DE

REEP Request for entry into the european phase

Ref document number: 2014827678

Country of ref document: EP

WWE Wipo information: entry into national phase

Ref document number: 2014827678

Country of ref document: EP

WWE Wipo information: entry into national phase

Ref document number: 1020167020999

Country of ref document: KR