How can mobile credentials be secured?

Users benefit from the convenience of mobile credentials. However, there is always an underlying potential threat toward personal privacy and data breaches. Therefore, what matters the most to users is still security — how to make mobile credentials secure and prevent cyberattacks on mobile IDs. As the users’ information is digitized and made available on the cloud and vendors’ servers, data security and personal privacy issues have become major concerns. For instance, QR Code related implementation usually involves device, vendor’s app and vendor’s backend service that might become vulnerable points to attack.

Leo Zhang, Senior Threat Researcher at Trend Micro, said, “Because mobile credentials usually link to personal information, users are worried about privacy issues and data security.” Trend Micro takes QR codes as an example. “App vendors may store users’ personal information so it’s important to prevent them from abusing this. In addition, the vendors’ apps may be vulnerable to attack. It depends on the app vendors’ capabilities to protect the users’ private data from being leaked.”

Securing the Data 

It’s important to help safeguard access to personal data via end-to-end encryption implementation. This can be done by making sure that the data on backend servers is fully protected, and it’s stored and communicated in an encrypted and secure format on mobile devices.

Zhang added that all information should be computed only in Trustzone, a hardware-based security built into system on chip (SoC). This is to prevent vendors from collecting user information and on-device malware stealing that information. Also, communication should be fully encrypted to make sure that the data is protected when in motion.

To further secure data transmission, Lee Odess, COO at UniKey Technologies, suggests the implementation of public key infrastructure (PKI) for access control systems. “Along with a strong PKI, access control systems should treat each user and device interaction as unique and as such should have a unique shared secret in order to guard communication from replay attacks.”

As cyberattacks are an increasing concern. Ryan Zlockie, Global VP of Authentication at Entrust Datacard, indicated, “The best practice we follow is to leverage a certificate based identity credential that cannot be altered, transferred to another device or in any other way modified without invalidating the credential.”
 

Gemalto introduced hardware and software token approaches to secure mobile IDs from cyberattacks. “The hard token refers to the embedded SIMs that is soldered into the mobile device. These eSIMs are tamper-resistant environments, making them hard to compromise for hackers. The soft token refers to a mobile app or software installed on the device providing multiple in-app security features like strong user authentication mechanism, protection of app integrity, protection against reverse engineering, and encryption,” Manoj Kumar Rai, Head of Marketing and Business Development for Mobile Services and IoT Solutions in South Asia and Japan at Gemalto, explained. He recommended a layered approach to secure mobile credentials stored either on the hardware or in the cloud.

Securing the Mobile Credential

People are also very concerned about losing their phones which can be then taken advantage of by criminals to gain access to their home or office properties. To make sure the correct person is in possession of a phone, Gaoping Xiao, Director of Sales, APAC at AMAG Technology, suggested adding biometric authentication like fingerprint, facial, eye and voice biometrics or a pin code to verify the user’s identity.

One concern that some users have is the security of a mobile credential. If the mobile phone is lost, there is potential risk that someone finds that credential and uses it to gain access. Melissa Stenger, VP for Product Management and Marketing at ISONAS, indicated, “With a typical physical badge, you can recycle the badge ID by removing it from one user and assigning it to another user. With the mobile credential, the badge information is specific to the mobile phone hardware and cannot be re-used, eliminating the ability for credentials to be given to others.”

To secure mobile credentials, Stenger suggests to implement unique session keys to makes them nontransferable from one phone to the next. To secure mobile IDs, Wayne Jared, VP of Engineering at 3xLOGIC, suggested that users are required to use a pin or biometrics method as a kind of dual factor authentication when they unlock their phones. It prevents unwanted people from gaining physical access to the phone. “From a system design perspective, a mobile credential app should not store anything on the phone that can be used elsewhere,” he added.

Additional Protection

Multi-factor authentication factors can also be applied to strengthen verification. Jared indicated that using location services such as GPS ensures the device is near the door when the user is requesting access to the building.

Zlockie indicated, “The best practice we follow is to look at deploying an adaptive authentication security layer with fraud detection capabilities to analyze a significant amount of information about the device, location, and other unique aspects occurring at the time of the authentication, which can be completely transparent to the user. For lower or medium security events, adaptive authentication may be enough, and for higher security events, you can combine authentication with biometrics as an added layer.” The approaches can be used at the time of provisioning and during a transaction, and applied to access control as well.

Biometrics involves unique biological input that is hard to change unlike a password. To provide enhanced levels of security, the adoption of biometrics like fingerprint is one of the most popular methods to add another layer of authentication.

Rob Martens, Futurist and VP of Strategy and Partnerships at Allegion, pointed out that “Biometrics don’t necessarily make things more secure by themselves. Layered intelligently in an access control solution, they can remove friction from the user experience and enhance the overall level of security by adding more unique, secure variables without burdening the user.”

Gait-based authentication, which looks at a person’s manner of walking, can be used as a unique authentication method. Odess said, “When it comes to biometrics, we also think about how a person walks or their natural gait. No two people walk the same way, and not one person will have the same mobile credential as another, adding an additional layer of unique security.”