
Evolution of Mobile Identity

4 Identity 2.0 for Mobile Users

4.4 Evolution of Mobile Identity

Mobile identity management is in its infancy. GSM networks, for example, provide management of SIM identities as a kind of mobile identity management, but they do not meet all the requirements of a complete mobile identity management system.

Unlike static identity, already implemented in Web 2.0 identity, dynamic aspects, such as the user's position or the temporal context, gain increasing importance for new kinds of mobile applications [35].

Mobile identity (MId) infrastructure solutions have evolved over time and can be classified into three solutions. The first proposed solution is simply an extension of wired identity management to the mobile Internet. This is the widespread solution, but it is limited to users of mobile devices running the same operating system as the wired solution. This limitation is expected to evolve over time, mainly with the large-scale deployment of Web services. Some specifications, such as the Liberty Alliance specifications, have been developed for identity management including mobility.

However, several limitations are observed when the MId system is derived from the fixed context. These limitations are principally due to the assumptions made during its design, which do not match well with the extra requirements of mobility [1].

Many improvements, such as interoperability, privacy and security, remain to be made, and the older centralized PKI must be replaced by a modern trust management system or at least a decentralized PKI. The second solution is capable of providing an alternative to the prevalent Internet-derived MId infrastructure, consisting of either connected (cellular phones) or unconnected (smartcards) mobile devices.

The third one consists of using implantable radio frequency identity (RFID) devices. This approach is expected to grow rapidly even if its market penetration is smaller than that of cellular phones.

In addition, the sensitivity risk of data related to different applications and services is seldom at the same level, and the number of identifiers used by a person is constantly increasing. Thus, there is a real need for different kinds of credentials associated with different kinds of applications. Indeed, a tool at the user side capable of managing the credentials and identities is inevitable. With the increasing CPU power and the growing number of mobile phones with a SIM card, mobile phones can be considered as a Personal Authentication Device (PDA). They can securely hold the users' credentials, passwords and even identities.

Thereby, we introduced a new efficient identity management device at the user side, able to facilitate memorization on the one hand, and to strengthen security by limiting the number of passwords and their weakness on the other hand. All wired identity management can be deployed using a PDA. In addition, many different authentication architectures become possible and easy to implement, such as dual channel authentication.

4.4.1 PDA as Solution to Strong Authentication

A PDA is a tamper-resistant hardware device which may or may not include a smart card and sensors. As it is used for authentication it is called a personal authentication device (PDA) [42]. This term was used early on in the context of security by Wong et al. [43]. The approach is the same; the only thing that has changed so far is that the performance of the mobile device has radically improved. This is the opportunity to emphasize user centricity, as the PDA can strengthen the user experience and facilitate the automation and system support of identity management at the user side. Fig.22 illustrates the combination of the PDA and the silo model. The user stores his/her identity in the PDA. Whenever he/she would like to connect to a service provider:

a. he/she authenticates her/himself with a PIN code to use the PDA.

b. the user chooses the password to be used for his/her connection to the specific service provider.

c. the user launches and logs in to the specific service provider by entering his/her username and the password.

Fig. 22. Integration of PDA in silo model

The PDA is a good device to tackle the weakness and non-convenience of password authentication due to its Thereby, we have a user-friendly and user-centric application, and can even introduce stronger authentication. The fundamental advantage of the PDA compared with a common PC running a common operating system such as Windows or Linux is that the PDA has a robust isolation of processes.

Therefore, compromising one application does not compromise all the applications.

This advantage is becoming less important for mobile phones: as flexibility is introduced by manufacturers, a lot of vulnerabilities are also introduced. We have seen many viruses for mobile phones, and nowadays we even have viruses for RFID. This vulnerability can compromise authentication, and even biometric authentication. That is why we should be very vigilant in implementing security in PDA devices. An ideal device is a USB stick running a standalone OS and integrating a biometric reader and mobile network access. One can find some of them with a fingerprint reader for a reasonable price.

The many authentication architectures that could be implemented in a PDA can be grouped into two main categories: single channel and dual channel authentication.

Thereby, the cost, the risk and the non-convenience can be tackled at the same time.

Fig. 23. Single channel authentication

Fig.23 illustrates the principle of single channel authentication, which is the first application of the PDA. Fig.25 shows the second principle, double channel authentication, which is more secure as the

Fig. 24. Dual channel authentication

4.4.2 Different Kinds of Strong Authentication through a Mobile PDA

The mobile network, mainly GSM, can help to overcome a lot of security vulnerabilities such as phishing or man-in-the-middle attacks. It attracts all businesses that would like to deploy double channel authentication but are worried about cost and usability. The near-ubiquity of the mobile network has made this approach feasible, and it has even been adopted by some banks.

a. SMS based One-Time Password (OTP)

The main advantages of the mobile network are the facility and usability of sending and receiving SMSs. Moreover, SMSs can be used to easily set up and download a Java program to the mobile device. In addition, mobile devices use a smart card that can securely compute and store claims. The cost is minimized by adopting a mobile device that uses SMS to receive the OTP instead of special hardware that generates the OTP.

The scenario implemented by some banks is illustrated in Fig.26 and is as follows:

First of all, the user switches on his/her mobile phone and enters his PIN code, then:

a. The user logs into his/her online account by entering his/her Username and Password (U/P).

b. The Web site receives the couple U/P.

c. The server verifies the couple.

d. The server sends an SMS message with the OTP.

e. The user reads the message.

f. The user enters the OTP into the online account.

g. The server verifies the OTP and gives access.

Fig. 25. Scenario of SMS double channel authentication

The problem with this approach is that the cost is borne by the service provider. In addition, some drawbacks are very common, mainly in some developing countries, such as lack of coverage and SMS latency. Of course, the man-in-the-middle attack is not overcome by this approach.

b. Soft Token Application

In this case, the PDA is used as a token emitter. The application is downloaded beforehand. An SMS could be sent to the user in order to set up the application that will play the role of the soft token.

The scenario is exactly identical to the SMS one, except that the user generates his/her OTP using the soft token instead of waiting for an SMS message. The cost is lower than for the SMS-based OTP. This approach is a single channel authentication that depends neither on mobile network coverage nor on its latency. Furthermore, the man-in-the-middle attack is not tackled.

c. Full Option Mobile Solution

We have seen in the two previous scenarios that the man-in-the-middle attack is not addressed. A countermeasure to this security issue exists, consisting of using the second channel to completely control all the transactions over the online connection. Of course, the security of this approach is based on the assumption that it is difficult for an attacker to steal the user's personal mobile phone or to attack the mobile network. In any case, we have developed an application to encrypt the SMS message, which minimizes the risk of attacks.

The scenario is illustrated in Fig.26 and is as follows:

a. The user logs in to the online account using the token.

b. The server receives the token.

c. The server verifies the token.

d. Access is given to the service.

e. The user requests a transaction.

f. An SMS message is sent with the requested transaction and a confirmation code.

g. The user verifies the transaction.

h. He enters the confirmation code.

i. The server verifies and executes the transaction.

j. The server sends a transaction confirmation.

Fig. 26. Secure transaction via SMS
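The following Python sketch is an added example, not the chapter's or the authors' application, of steps e to j above. It shows what distinguishes this scenario from the SMS OTP login of 4.4.2(a): because the confirmation code travels in the same SMS as the transaction details, a user who compares those details with what they asked for will refuse to enter the code when an attacker on the online channel has altered the request, so the altered transaction is never executed. The user name, phone number and SMS wording are constructed, and a list stands in for the mobile network.

```python
import re
import secrets
from dataclasses import dataclass

@dataclass(frozen=True)
class Transaction:
    beneficiary: str
    amount_cents: int

SMS_RE = re.compile(r"^Pay (\d+) cents to (.+)\. Confirmation code (\d{6})$")

class BankServer:
    """Server side of steps e-j; a list stands in for the mobile network."""
    def __init__(self):
        self.phone = {"alice": "+1-555-0100"}  # constructed sample user
        self.sms_outbox = []                    # simulated second channel
        self.pending = {}                       # user -> (transaction, code)
        self.executed = []

    def request_transaction(self, user, tx):
        # f. A fresh code travels with the transaction details it confirms.
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[user] = (tx, code)
        text = f"Pay {tx.amount_cents} cents to {tx.beneficiary}. Confirmation code {code}"
        self.sms_outbox.append((self.phone[user], text))

    def confirm(self, user, code):
        # h/i. Execute only if the code matches this user's pending transaction.
        tx, expected = self.pending.get(user, (None, None))
        if expected is None or not secrets.compare_digest(code, expected):
            return False
        del self.pending[user]
        self.executed.append(tx)
        return True

def user_reads_sms(sms_text, intended):
    # g. Hand back the code only if the SMS matches the intended transaction.
    m = SMS_RE.match(sms_text)
    if not m or Transaction(m.group(2), int(m.group(1))) != intended:
        return None
    return m.group(3)

def run_scenario(tampered=False):
    # Steps e-j end to end; tampered=True models an attacker on the online
    # channel rewriting the beneficiary before the request reaches the bank.
    bank = BankServer()
    intended = Transaction("Bob", 5000)
    bank.request_transaction("alice", Transaction("Mallory", 5000) if tampered else intended)
    code = user_reads_sms(bank.sms_outbox[-1][1], intended)
    ok = code is not None and bank.confirm("alice", code)
    return ok, bank.executed
```

Calling `run_scenario()` returns `(True, [Transaction("Bob", 5000)])`, while `run_scenario(tampered=True)` returns `(False, [])` because the user never enters the code for a transaction they did not request.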

4.5 Future of Mobile User-Centric Identity Management in an Ambient