As our Smart Mobile Devices become the center of our personal life and our personal information, user authentication will become a key feature for securing our personal information and access to services. Authentication is the method by which a user is identified by something he has (a token), something he is (a biometric) or something he knows (a PIN or password). A combination of two is called two-factor authentication, and Chip&PIN is a well-known example.
Username and Password is a single-factor authentication method that has grown up with the internet and computing in general. I’d be reminded of it at least five times a day if I started my laptop from cold every morning instead of putting it on standby at night. 1 – Authenticate full hard disk encryption. 2 – Log in to Windows. 3 – Log in to Wi-Fi access service. 4 – Log in to corporate VPN. 5 – Log in to email. And that’s just to start a day’s work. If I want to log in to my bank’s service I have to remember a different set of usernames and passwords that are different from the company’s (corporate policy). Then there are all the other personal websites that I want to have different passwords from my bank site. I have trouble remembering them all, which means quite often I’ll pick the wrong password and then I will be asked to squint at a strange pattern and see if there are any words there (to stop rogue machines performing automated password attacks), and if I’m really unlucky the service which I’m trying to access will shut down and I have to pick up the phone to re-activate it. Usernames and passwords are human-readable and “supposed” to be easy to remember but difficult to guess, which is exactly the problem I’m running into!
If a cryptographically secure certificate or token were downloaded to my device, that would give my device an extra means of authentication. The challenge is to only allow that token to log me in if the password I have entered is correct. For that we need to ensure that only my fingers tapping the right combination of letters and numbers on my keypad can unlock the token to be used to log me in to a service; not the latest application that is pretending to be my bank. Operating systems are open to all kinds of software attack, so it’s difficult to keep these tokens in a safe place.
TrustZone provides a trusted hardware environment that can capture data directly from the keypad of a device in a secure way and pass it straight to trusted software where it can be immediately encrypted. By allowing each service provider to encrypt the password with their own keys, no two passwords would ever appear the same.
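A sketch of the password-gated token described above, as an added example that is not from the original post or from ARM. The `TrustedStore` class is a hypothetical stand-in for trusted software, and because the Python standard library has no AES, a PBKDF2-derived XOR pad with an HMAC tag stands in for a real authenticated cipher.

```python
import hashlib
import hmac
import os


class TrustedStore:
    """Hypothetical stand-in for trusted software holding a wrapped login token."""

    def __init__(self, token: bytes, password: str):
        if len(token) != 32:
            raise ValueError("this sketch wraps exactly one 32-byte token")
        self.salt = os.urandom(16)
        enc_key, mac_key = self._keys(password)
        # Constructed stand-in for an AEAD: single-use 32-byte pad plus HMAC tag.
        pad = hmac.new(enc_key, b"wrap", hashlib.sha256).digest()
        self.wrapped = bytes(a ^ b for a, b in zip(token, pad))
        self.tag = hmac.new(mac_key, self.wrapped, hashlib.sha256).digest()

    def _keys(self, password: str):
        # Stretch the password so each guess costs 200,000 hash iterations.
        okm = hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt,
                                  200_000, dklen=64)
        return okm[:32], okm[32:]

    def respond(self, password: str, challenge: bytes):
        """Answer a service challenge only if the password unwraps the token."""
        enc_key, mac_key = self._keys(password)
        expected = hmac.new(mac_key, self.wrapped, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, self.tag):
            return None  # wrong password: the token is never reconstructed
        pad = hmac.new(enc_key, b"wrap", hashlib.sha256).digest()
        token = bytes(a ^ b for a, b in zip(self.wrapped, pad))
        return hmac.new(token, challenge, hashlib.sha256).digest()


def service_verify(token: bytes, challenge: bytes, response) -> bool:
    """Service side: check the response against its own copy of the token."""
    if response is None:
        return False
    good = hmac.new(token, challenge, hashlib.sha256).digest()
    return hmac.compare_digest(good, response)
```

The password and the token never leave `respond`, but anyone who can read `salt`, `wrapped` and `tag` can test password guesses offline, which is why the wrapped token still has to live somewhere the normal operating system cannot reach.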
By using such strong authentication on a mobile device, remote payment transactions can approach the same level of authentication as card-holder present transactions. This means that transactions are less risky and therefore less likely to be fraudulent. Enterprises can make remote worker access a whole lot more convenient and secure. Convenience AND Security is possible!
Have I missed anything about authentication?
Rob Brown, Secure Solutions Segment Marketing, ARM. Rob joined ARM in 2005 to drive design wins in the Smart Card segment. He is now responsible for directing ARM security market strategy and business development, which includes ARM products such as TrustZone and SecurCore, external partnerships and supporting industry activity. Prior to joining ARM he worked for 8 years in the RFID sector in start-up companies and silicon IP providers for NFC and played an active role in defining the support for the NFC Forum Type 1 tag. He holds a Bachelor’s degree in Electronic Engineering from the University of Manchester. He is a certified payments geek and is waiting impatiently for the first devices that can make payments faster and easier to use. He looks forward to the day when he can buy whatever he wants from whoever’s got it, wherever they are, with a single click.