Adding identity, other apps to EMV could hasten multi-app reality
OTP extends EMV to other apps
Nigeria and Santander both are issuing high-memory cards in order to enable multiple applications on a single chip. Outside of banks sharing the cryptographic information with an enterprise or enabling post-issuance applications to be added to cards, there are other ways to use EMV payment cards as an extra factor of authentication, especially for online transactions.
EMV cards can be used to generate one-time passcodes using the MasterCard Chip Authentication Protocol or Visa’s Dynamic Passcode Authentication, says Stephane Ardiley, product marketing manager at HID Global. These systems are typically used in card-not-present transactions when a consumer is making a purchase online.
To conduct such a transaction, the customer first inserts the EMV card into a small, calculator sized reader. The card owner then types the PIN on the reader’s keyboard and receives a one-time password to be used during an online or telephone transaction. This transaction provides two-factor authentication because it proves that the card was in possession of the buyer and the buyer knew the PIN.
HID has worked with banks overseas to deploy this technology to cardholders, Ardiley says. While the technology has primarily been used for second-factor authentication for transactions, banks are exploring use of the technology as another factor for secure login.
Canadian bank credentials extend to government access
In Canada, SecureKey is working with three banks to enable existing contactless bankcards and logins to secure access to government web sites.
Consumers will be able to visit a government department online and go through SecureKey’s credential broker service for authentication. SecureKey is launched with BMO Financial Group, TD Bank Group and Scotiabank and plans to add more in the future.
Canadian citizens have a choice of whether or not to use the system. When they visit a government site, they can choose to create a new login that is unique for the government application or use their own banking information. If they choose the latter they are directed back to the bank site, asked to login and provide required identification information. Once verified, they are able to use the user name and password from their bank for access to the government site.
When a user authenticates with their bank, the bank will give SecureKey a non-identifying security token. SecureKey then substitutes the token with a new, non-identifying but unique token for the Government of Canada that says the user has been authenticated.
The credential brokerage service is blind; meaning no party to the transaction knows precisely who has provided what data, thus ensuring the user’s privacy. SecureKey is a broker of anonymous credentials while the government is responsible for ensuring that you are accessing your own information. The bank is responsible for providing a valid token that only the citizen has to connect to Government services more securely.
Bank of Montreal is issuing contactless readers that plug into USB ports so that consumers can tap their contactless EMV card for an extra factor of security, says David Heatherly, head of North American Payment Acquisition and Sales Support at BMO Financial Group.
“BMO sees this as a natural extension of the services we offer our customers,” Heatherly adds. “Our participation gives customers a secure, simple and trusted verification process for accessing government services online. It builds off the investments we have already made in Chip and PIN, and related technologies for simpler, but more secure, online authentication.”
TD Bank group didn’t see the physical card readers adding value to the system, says Paal Kaperdal, senior vice president for Online Banking at the institution. However, enabling one login for multiple services extends TD Bank’s trust into other areas. “We see this system as a natural extension of that relationship in the digital domain and an opportunity to extend our services to our customers,” Kaperdal says.
It’s a win/win opportunity for the bank, says George Peabody, senior director at Glenbrook Partners. It doesn’t require the banks to make any changes to the card and the institution could potentially earn revenue from having other relying parties use it for strong authentication.
Also, with more tablets and laptops expected to be equipped with near field communication and contactless readers, the cards could more readily be used as an additional token in SecureKey’s model, Peabody says. This requires dual-interface cards, which is the majority of cards issues in Canada.
SecureKey is attempting to build an authentication protocol based on what a consumer already knows: user name/password and payment cards, says Andrew Boysen, executive vice president of marketing at the company.
As SecureKey has demonstrated in Canada, payment cards can be used to add security for online logins. It’s a matter of working with organizations that want to make it happen, Boysen says. “It’s not a technical challenge and our customers are working to help us make it happen,” he adds.
Boysen believes systems like SecureKey’s will most likely take off in the consumer space first. “Banks are all about the consumer but they don’t know anything about the enterprise space,” he explains.
For that reason along with customers’ reluctance to use personal cards in an enterprise environment, it may be difficult in this environment, Boysen says. “From a consumer standpoint I won’t have something personal used in the enterprise,” he adds.
This could change. As consumers become more concerned about securing their own online identity, there would be an opportunity to add a business persona to that same credential. It would be a replay or an extension of the Bring Your Own Device situation that is playing out in enterprises across the country.