Policy, technology, and business case remain hypothetical
16 April, 2012
category: Education, Government, Library, NFC, Smart Cards
Be it Android, Apple, tablet or smart phone … mobile devices are everywhere, and users want to do everything on them that they do on their desktop. As the functionality increases so do the threats to the information stored on and accessed by the devices. The same dangers that plague the desktop world are exacerbated in the mobile world.
Mobile brings convenience, access and portability with a low cost of entry, but it creates a “perfect storm” of risk, explains Juan Duque, principal in the Federal Enterprise Technology Risk Services at Deloitte. “It can be the same risk you see in the non-mobile environment but it can go even deeper,” he says. “The risk universe is expanded.”
The challenges with mobile devices and identity are numerous, and after years of discussion, industry finds itself in the midst of a great experiment. Significant issues surround the policies that govern these devices and credentials. Existing policy needs to be changed or created from scratch to deal with the challenges mobile devices present to an enterprise.
On the technology side many feel it is a foregone conclusion that the mobile will use some aspect of near field communication for identity. The U.S. government is looking at how the communications protocol can be used in connection with PIV and PIV-I credentials, and the enterprise sees it as a solution for converged physical and logical access control.
Solve the ‘where’ before the ‘why’
One of the core issues with credentials on the mobile is where to store them on the device and who controls that area. For followers of near field communication, these issues will sound very familiar.
“Who controls the secure element? Who owns the secure element? What form does it come in?” asks Terry Gold, vice president of U.S. sales at idonDemand.
These questions have plagued the NFC market and delayed adoption as ecosystem players have struggled for control. On the payment and marketing side, there has been some compromise, with carriers, financial institutions and handset manufacturers partnering to roll out initial services.
But on the identity and credentialing side it’s not yet clear how this will work and who will control and profit from mobile identity. “You have this big battle shaping up,” Gold says. “If you have a secure element who is going to own and control it? It is not really owned by the end user. Even though he decides what apps and identity elements go on his handset, it’s someone else who provides the security.”
Eventually the secure element will have to be owned by the end user and access granted to any application he sees fit, Gold says.
Secure element options
There are three options for storing identity credentials on a mobile device’s secure element. One would place it on the SIM, a smart card in the handset that is used for identification to the mobile network. This choice is handset agnostic and the mobile operators–such as AT&T, Sprint, Verizon, T-Mobile–control the SIM.
Placing the credential on a microSD card that is inserted into the phone is another option. Many smart phones–Android, Blackberry but not the iPhone–have microSD slots and the credentials could be removed and placed in other handsets if an individual switched devices. In this case the issuer of the microSD card would be its likely owner.
The final option is embedding the secure element into the handset. The handset manufacturer would own this space, and many are already adding this capability to devices. Notably, RIM is going this route with its Blackberry handsets.
To further cloud the issue, it’s also possible that handsets could have more than one secure element, or even all three types, with different owners for each. “Everyone wants control of the secure element in NFC,” Gold says. “On the identity side it gets difficult. If someone else owns that secure element how are you going to put an identity credential on it?”
Will the secure element owner charge a fee to put a credential on the device? Will companies or organizations be willing to pay? Questions abound.
The handset as access control card
HID Global has seen these issues arise and is designing a solution that will work in any environment and can manage the credential wherever it is stored, says Karl Weintz, vice president of business development for the mobile access business at HID.
A pilot in the fall of 2011 at Arizona State University had HID Global showing how its solution can work with different handsets. The 32 participants were outfitted with one of three devices: RIM’s BlackBerry Bold 9650, Samsung’s Android (multiple models) or Apple’s iPhone 4G.
The pilot relied on microSD cards and sleeves for the NFC functionality because handsets that include NFC are not widely available in the U.S. Three separate carriers–AT&T, Verizon and T-Mobile–were used for mobile services and the credentials were manually loaded onto the handsets.
HID’s solution will be handset and carrier agnostic. Because of the pilot’s small size and the control the school and vendors exerted over it, the pilot avoided some of the issues that may crop up during a full-scale rollout of credentials onto devices.
That said the program was still successful. Approximately 80% of the ASU participants reported that using a smart phone to unlock a door is just as convenient as using their campus ID card. Nearly 90% said they would like to use their smart phone to open all doors on campus.
And, while the pilot was focused on physical access, nearly all participants also expressed an interest in using their smart phone for other campus applications including access to the student recreation center, as well as transit fare payment and meal, ticket and merchandise purchases.
HID also has a partnership with ISIS–the consortium of AT&T, Verizon and T-Mobile that will roll out NFC in 2012. This project will place the credential on the SIM, Weintz explains.
Expand focus
Having the choice to add applications and functionality to a device is important and may be critical in successful deployments of NFC. Neville Pattinson, vice president for Government Affairs, Standards and Business Development at Gemalto, says the mobile is going to impact three markets–payments, transit and identity–and it should be up to the device owner which applications they choose.
“People are focused on one area, but you have to look at all three and the big picture,” Pattinson says. That means being able to use a handset to securely store identity credentials as well as access to public transportation and payment data.
It’s likely the mobile will store multiple sets of each type of data, Pattinson says. There may be one set of identity credentials for work and another for personal information. “We have a platform in our hands that becomes a multifunction device,” he says.
It could take two to three years to define the policy issues that will guide the placement of identity credentials on secure elements, Gold predicts. Until then it’s going to be a waiting game as consumers load various identity apps in an application space that may not be fully secure.
BYOD
In a “bring your own device” world, corporations are faced with a major challenge. Consumers expect to be able to load the applications of their choice onto their devices, but this leads to serious security issues in enterprise environments.
Deloitte’s take on bring your own device is pretty straightforward, Duque says. “You’re damned if you do and damned if you don’t.”
To make it easier for the corporation it can come up with a list of approved handsets from which an employee can choose. This gives the employee some options, Duque says.
Otherwise it is bring your own device, and this creates issues that can literally change on a daily basis as new handsets hit the market, Duque explains.
A company can achieve some cost savings if it doesn’t reimburse for the purchase of mobile devices, and employees don’t have to carry multiple devices, which makes it more convenient for them.
But the disadvantages are numerous.
Employees buy devices and try to connect them to corporate resources without approval, circumventing security. There’s an increased cost, as IT staff must support multiple device types. Trying to keep up with the potential attacks on the different handsets can be time consuming and expensive because each mobile operating system has different attack vectors.
The cons would seem to outnumber the pros but organizations are still wrestling with the issue. Duque also says organizations need to have policies in place for device configuration, device use monitoring, data ownership and acceptable data use.
These policy issues can get thorny, says Jim Zok, director of Identity and Privacy Assurance at CSC. “If I bring in my device and want to use it for work what happens if I download something? You wipe the phone but will I get reimbursed?” he asks. “If you have a company phone does it have an approved app list?”
The viruses and malware attacks on mobile devices are ever growing. “There’s practically no way to protect these devices and put an app on it,” Zok says.
One solution could be two-kernel handsets, says Zok. This would enable the device to have a business function and a personal function with strict segregation between the two sides. If one kernel is infected, the other side would be able to function normally, he explains.
Mobile PIV
In the U.S. government space, enabling the mobile will take some significant policy changes. Computer scientists at the National Institute of Standards and Technology (NIST) are working on a possible solution for government employees to have secure credentials on mobile devices. NIST released a revised FIPS 201-2 draft last year, and though the draft omitted mobile ID, government smart card officials say adding the capability is imperative.
The agency is exploring three options for enabling the PIV on a smart phone or tablet, says Bill MacGregor, a computer scientist at NIST. One is additional hardware that would connect the smart card to the mobile device, another is an enhanced PIV that would fully enable all functionality of the PIV’s contactless interface, and the last is the use of a mobile device manager and a derived credential.
Contact smart card readers that use Bluetooth, WiFi or a cord to securely connect the PIV credentials to mobile devices already exist, MacGregor says. This option isn’t the most attractive because of the cost of the hardware and the form factor. “From a usability point of view it’s awkward and not realistic,” he adds.
Enhanced PIV
The other two options seem to be more realistic but each requires policy and technology changes. The phone could be used as a credential if the contactless interface of the PIV was fully enabled, MacGregor says. The first FIPS 201 version limited the amount of information that was available from the contactless portion of the card.
If these restrictions were eliminated, near field communication devices could read the PIV and authenticate to networks, sign and read email, and complete other tasks. To do this the process for creating a secure channel between the mobile and the credential would have to be created. “It’s easy to do technically but hard for the key management,” he says.
Since any NFC device would be able to read any PIV there would have to be a secure key placed on the mobile to make sure the credential is only being read by the properly authorized device. It would be a way to authorize the device to the credential.
Secure keys would have to be issued to the mobile devices, MacGregor says. This could be as simple as a pairing PIN that could be entered into the mobile to authorize pairing. “This doesn’t require too much more functionality,” he adds.
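The pairing step described above, worked through as an added example. This is not NIST’s design and not code from the article: it assumes a hypothetical scheme in which the credential and the phone each derive a shared pairing key from the pairing PIN plus a salt the credential chooses at pairing time, and the credential answers a contactless read only after the phone proves possession of that key over a fresh challenge. Class and function names (`Credential`, `Phone`, `derive_pairing_key`, `attempt_read`) are invented for the illustration.

```python
"""PIN-based pairing between a phone and a contactless credential (illustrative only)."""
import hashlib
import hmac
import os
from typing import Optional

# A short PIN is easy to guess, so stretch it before using it as a key.
PBKDF2_ITERATIONS = 200_000


def derive_pairing_key(pin: str, salt: bytes) -> bytes:
    """Turn the pairing PIN and the credential's salt into a 32-byte shared key.

    Both sides run this once at pairing time and store only the derived key
    (on the phone, ideally inside its secure element), never the PIN itself.
    """
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, PBKDF2_ITERATIONS, dklen=32)


class Credential:
    """Models the contactless credential: holds the pairing key, issues one-time challenges."""

    def __init__(self, pin: str, salt: Optional[bytes] = None):
        self.salt = salt or os.urandom(16)          # public, sent to the phone at pairing
        self._pairing_key = derive_pairing_key(pin, self.salt)
        self._pending: Optional[bytes] = None

    def challenge(self) -> bytes:
        """Fresh random nonce; a response is only valid for this one challenge."""
        self._pending = os.urandom(16)
        return self._pending

    def read(self, response: bytes) -> Optional[str]:
        """Release data only if the response proves knowledge of the pairing key."""
        if self._pending is None:
            return None                              # no outstanding challenge (replay or out of order)
        expected = hmac.new(self._pairing_key, b"phone->card" + self._pending, "sha256").digest()
        self._pending = None                         # consume the challenge whatever the outcome
        if not hmac.compare_digest(expected, response):
            return None                              # wrong key: an unpaired reader learns nothing
        return "PIV certificate data (constructed placeholder)"


class Phone:
    """The paired device; it never learns anything but the derived key."""

    def __init__(self, pin: str, salt: bytes):
        self._pairing_key = derive_pairing_key(pin, salt)

    def respond(self, challenge: bytes) -> bytes:
        return hmac.new(self._pairing_key, b"phone->card" + challenge, "sha256").digest()


def attempt_read(card: Credential, phone: Phone) -> Optional[str]:
    """One full exchange: card -> challenge, phone -> HMAC response, card -> data or None."""
    return card.read(phone.respond(card.challenge()))


if __name__ == "__main__":
    card = Credential(pin="4271")                    # PIN shown to the user at pairing (constructed)
    paired = Phone(pin="4271", salt=card.salt)
    stranger = Phone(pin="0000", salt=card.salt)
    print("paired phone:", attempt_read(card, paired))
    print("unpaired reader:", attempt_read(card, stranger))
```

The exchange shows where MacGregor’s “hard for the key management” comes from: the derived key has to be provisioned to, stored on and eventually revoked from every phone that is allowed to read the card, and the PIN itself must never be kept on either side.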
Derived credential
The other option is a derived credential and mobile device manager, MacGregor says. This option has the PIV presented to a mobile device manager which then assigns the credential to a device. The credentials would be placed on a secure element within the mobile.
Only a portion of the PIV functionality would be available with the derived credential and it’s possible that different derived credentials could be issued depending on the level of assurance necessary, MacGregor says.
“The chief negative of this approach is the complexity,” MacGregor says. “It needs interaction with a mobile device manager.”
Enhanced PIV and derived credentials are the focus of NIST’s current efforts to enable the PIV with smart phones, MacGregor explains. Derived credentials are also mentioned in NIST’s Special Publication 800-63-1 which focuses on electronic authentication.
The mention of derived credentials is in a generic form and not specific to PIV, says Hildegard Ferraiolo, a computer scientist at NIST. If derived credentials were to be included with PIV, they would appear in the next draft of FIPS 201-2, which is expected sometime in the first half of 2012.
The notion of an enhanced PIV and derived credentials brings up some thorny policy issues, says Gemalto’s Pattinson. “NIST has a PKI policy that only allows digital credentials to be present on a smart card form factor,” he explains.
There is also an issue of dealing with the same credential in more than one place. “How do you end up with one card in your hand and another in the phone?” Pattinson questions. “You can’t have the same key in two places.”
This also doesn’t solve the problem of being able to decrypt email on mobile devices. “When a PKI credential is made on a PIV there are several keys and certificates associated with different functions, for example decryption, digital signature, key exchange, among others,” Pattinson says.
Decrypting an email is more complicated than it sounds. For a person to send an encrypted email there has to be an encryption public key certificate available to the sender to encrypt the email so only the recipient can read it, Pattinson explains.
The private key associated with this public key may be only known to the original PIV as it was generated on card at the time of issuance or activation. The private decryption key may never leave the card. In the case of a derived credential, if it does not have the original private key for decryption, there may not be an ability to decrypt the email.
However even this isn’t a hard and fast rule. Some agencies “escrow” the private decryption key initially generated off card or securely extracted off the card. This is done to allow for situations where cards are replaced or lost but the need to decrypt older email remains.
That’s just one example. Figuring out how to handle these policy issues is going to take some time, possibly one to two years, Pattinson predicts.
Technology issues
As the policy issues are being addressed, the technology continues to evolve. The lack of NFC handsets is one issue holding back mobile identity efforts, says Jon Callas, chief technology officer at Entrust. In the U.S. there are just a handful of NFC devices on the market, a couple of Blackberry and Samsung models but that’s it, he says.
Google with Android and Apple with iOS must progress to make identity better in mobile operating systems, Callas adds. He believes identity should be embedded into the device, and not the decision of third-party apps. Consumers should be able to control the identity as they wish, he explains.
“The operating system vendors will start to solve this problem by putting container support on the devices so that people can do identity on their own,” Callas adds.
Nobody buys a new handset based on identity, Callas explains. “Identity wasn’t on the list of reasons why I bought my phone,” he says. “You buy a mobile because you want that device.”
Though the mobile identity market has progress to make, both the technology and consumer adoption move quickly. Because handsets are relatively inexpensive they are replaced every one to three years, Callas explains.
While both the technology and policy need to advance before mobile identity is widespread this rapid pace of consumer adoption bodes well for the market. But officials must keep this pace in mind as they define policy. “Frankly, the technology is changing faster than we can keep up with,” says Zok.
What will mobile identity look like?
The goal of mobile credentialing is to enable an individual to have the same level of interaction with a system on the handset as they would on a laptop or desktop, says Jerome Becquart, vice president and general manager of identity assurance at HID Global.
HID acquired ActivIdentity and its smart card middleware. The company is porting that software to the mobile device for access to secure email and virtual private networks, Becquart says. To date, however, the company hasn’t seen much call for the technology because the U.S. government’s policy requires the use of a smart card and PIN.
HID partnered with Good Technology to deliver new government-strength, two-factor mobile authentication and credentialing solutions for the iOS and Android platforms. The new solutions will couple the security capabilities of Good for Enterprise and Good for Government with the authentication technology of the ActivIdentity ActivClient Mobile middleware to make it easier for federal employees and the companies that support them to gain access to pertinent applications using their mobile device while maintaining necessary security levels set forth by their Information Assurance personnel.
Smart phones and tablets have not been able to achieve necessary levels of security but Good Technology and ActivIdentity are working to mobilize smart cards and the underlying secure element technology. This solution enables email and document encryption, cryptographic signing of emails and forms, and extends public key infrastructure authentication tools to custom applications previously not enabled on smart phones and tablets.
As handsets get more functionality, their use will go beyond basic access to information, Becquart says. With NFC embedded, physical access control can be added to the handset as well.
These converged physical and logical access systems will enable organizations to greatly increase security. Employees would have to wave their phone to gain access to the front door of a building, and if they didn’t authenticate at the door they wouldn’t be able to access their computer.
The handset would also be the key for entry into the computer and instead of having to enter a long, complex password an individual might just have to remember a PIN, says Jon Callas, CTO at Entrust. Also, if an individual walks away with their handset the desktop would lock.
The GPS feature on smart phones could also play a part with security. If the network shows that someone is trying to remotely access email from an unusual location it could check the GPS on the employee’s smart phone to see if they are in that area. “Companies will be able to look at where you’ve been and determine if a transaction is too risky,” Becquart says.
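The location check Becquart describes, as an added example rather than HID’s product logic. It assumes the access system already has a coordinate for the remote request (for instance from IP geolocation) and the employee’s most recent phone GPS fix with its age, and it makes a three-way decision: corroborated requests are allowed, contradicted ones are denied, and anything the phone cannot corroborate (no fix, or a stale one) gets a step-up to a second factor. The thresholds and the `access_decision` name are hypothetical.

```python
"""Correlate a remote access request with the employee's phone location (illustrative policy)."""
import math
from dataclasses import dataclass
from typing import Optional

EARTH_RADIUS_KM = 6371.0

# Hypothetical policy thresholds, chosen for the example
NEAR_KM = 50.0              # request and phone agree closely enough to corroborate
FAR_KM = 1000.0             # request and phone are in clearly different regions
MAX_FIX_AGE_S = 15 * 60     # an older GPS fix says too little about where the user is now


@dataclass
class LocationFix:
    lat: float
    lon: float
    age_seconds: float      # how old the phone's fix is at decision time


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in kilometres between two latitude/longitude points."""
    phi1, phi2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlambda = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(phi1) * math.cos(phi2) * math.sin(dlambda / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


def access_decision(request_lat: float, request_lon: float, phone: Optional[LocationFix]) -> str:
    """Return 'allow', 'step-up' (require a second factor) or 'deny'."""
    if phone is None or phone.age_seconds > MAX_FIX_AGE_S:
        return "step-up"    # nothing to corroborate with: ask for more proof, don't guess
    distance = haversine_km(request_lat, request_lon, phone.lat, phone.lon)
    if distance <= NEAR_KM:
        return "allow"
    if distance >= FAR_KM:
        return "deny"       # phone and request cannot both be where the user is
    return "step-up"        # ambiguous (geolocation error, commuting): escalate rather than block


if __name__ == "__main__":
    # Constructed sample: the request appears to come from Washington, DC
    req = (38.9072, -77.0369)
    nearby = LocationFix(38.8816, -77.0910, age_seconds=120)      # phone in Arlington, fresh fix
    far_away = LocationFix(37.7749, -122.4194, age_seconds=120)   # phone in San Francisco
    stale = LocationFix(38.8816, -77.0910, age_seconds=3 * 3600)  # fix is three hours old
    for label, fix in [("nearby", nearby), ("far away", far_away), ("stale", stale), ("no fix", None)]:
        print(f"{label:9s} -> {access_decision(*req, fix)}")
```

Treating an absent or stale fix as “step-up” rather than “allow” matters: a phone that is switched off, out of coverage or left at home should reduce confidence in the request, not increase it.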
Easy, yet secure, authentication on the mobile
Individuals want to do more and more with the mobile devices, but often the device itself is unprotected or using additional security is cumbersome.
A survey by Confident Technologies found that 65% of respondents reported using their personal mobile device to access work email or the company computer network, and more than half said they do not use a password or PIN to lock their smart phone or tablet. Some 44% of those who do not lock their mobile devices said that using a password is “too cumbersome.”
An additional 66% of respondents said they try to leave applications on their smart phones perpetually logged-in unless they are required by the application to log in every time.
Logging on to Web sites with mobile devices can be difficult. Even with handsets that have QWERTY keyboards it’s difficult to enter the complex user names and passwords required by some corporate sites. Confident Technologies is trying to make the mobile login process secure as well as easy, says Curtis Staker, president and CEO at the company.
With Confident’s image-based technology a user enrolls in the system by picking a category of photos, for example animals, and then chooses the specific images for their login. When returning to the site the individual is presented with a group of images in random order and taps the ones specific to their login.
The specific pictures and their location on the grid are different each time, forming a unique, one-time authentication code every time. All the user needs to do is remember a few categories and look for pictures that fit those categories. “You get the usability without forsaking the usability,” Staker says.
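The server side of the image-category scheme described above, as an added example; it is not Confident Technologies’ code and the image pool, grid size and function names (`build_challenge`, `client_taps`, `verify`) are constructed for the illustration. Each login builds a freshly shuffled grid containing one image from each of the user’s secret categories plus decoys, gives every cell a random code, and accepts only the set of codes under the matching images, so the code the user effectively submits differs from challenge to challenge.

```python
"""Category-based image authentication: one-time grid challenges (illustrative only)."""
import hmac
import random
import string
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed sample image pool: image id -> category the image depicts
IMAGE_POOL: Dict[str, str] = {
    "img01": "animals", "img02": "animals", "img03": "animals",
    "img04": "boats",   "img05": "boats",   "img06": "boats",
    "img07": "flowers", "img08": "flowers", "img09": "flowers",
    "img10": "cars",    "img11": "cars",    "img12": "cars",
    "img13": "fruit",   "img14": "fruit",   "img15": "fruit",
}
GRID_SIZE = 9


@dataclass
class Challenge:
    cells: List[Tuple[str, str]]            # (image id, one-time cell code), sent to the client
    expected_codes: List[str] = field(default_factory=list)  # server-side only
    used: bool = False


def build_challenge(secret_categories: Iterable[str], rng: Optional[random.Random] = None) -> Challenge:
    """Lay out a grid with exactly one image per secret category and decoys elsewhere."""
    rng = rng or random.SystemRandom()
    secret = set(secret_categories)
    by_category: Dict[str, List[str]] = {}
    for img, cat in IMAGE_POOL.items():
        by_category.setdefault(cat, []).append(img)
    chosen = [rng.choice(by_category[cat]) for cat in sorted(secret)]
    decoys = [img for img, cat in IMAGE_POOL.items() if cat not in secret]
    chosen += rng.sample(decoys, GRID_SIZE - len(chosen))
    rng.shuffle(chosen)                                  # positions change every time
    codes = rng.sample(string.ascii_uppercase + string.digits, GRID_SIZE)  # unique per cell
    cells = list(zip(chosen, codes))
    expected = [code for img, code in cells if IMAGE_POOL[img] in secret]
    return Challenge(cells=cells, expected_codes=expected)


def client_taps(challenge: Challenge, categories: Iterable[str]) -> List[str]:
    """Simulate the user tapping every image that belongs to the categories they remember."""
    wanted = set(categories)
    return [code for img, code in challenge.cells if IMAGE_POOL[img] in wanted]


def verify(challenge: Challenge, submitted: Iterable[str]) -> bool:
    """Accept the tapped codes once; order of taps does not matter, replays do not pass."""
    if challenge.used:
        return False
    challenge.used = True
    expected = "".join(sorted(challenge.expected_codes))
    got = "".join(sorted(submitted))
    return hmac.compare_digest(expected, got)


if __name__ == "__main__":
    user_secret = {"animals", "boats"}                   # constructed enrolment choice
    ch = build_challenge(user_secret)
    print("grid:", ch.cells)
    taps = client_taps(ch, user_secret)
    print("user taps:", taps, "->", verify(ch, taps))
    print("replay:", verify(ch, taps))
```

Passing a seeded `random.Random` makes the grid reproducible for testing; in production the default `SystemRandom` keeps cell codes unpredictable, which is what stops a captured set of taps from being useful against the next challenge.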
GSMA: SIM-based NFC gains support of 45 mobile operators
The GSM Association announced that 45 of the world’s mobile operators have committed to supporting and implementing SIM-based NFC services.
Chief among these companies are China Mobile and China Unicom, which account for nearly 800 million subscribers throughout China. Other major operators include Deutsche Telekom, KT Corporation, Orange, SK Telecom, Telefónica, Telecom Italia, Turkcell, Verizon and Vodafone.
ISIS, the organization formed by AT&T, T-Mobile and Verizon to build a nationwide mobile commerce network in the U.S., has also announced its support for SIM-based NFC.
According to research firm Strategy Analytics, nearly 1.5 billion SIM-based handsets will be sold worldwide between 2010 and 2016, supporting transactions of more than $50 billion globally over the period.
SD Association, GlobalPlatform to include NFC in new SD standards
The SD Association has announced a new collaboration with GlobalPlatform to include smart chip technology in SD standards, enabling mobile phones and other portable devices to provide authentication services with SD memory cards.
Standardized authentication services on microSD and full-size SD memory cards could transform consumers’ mobile phones and devices into electronic wallets, enabling NFC-enabled cashless payments and paperless identification, plus a variety of value-added applications leveraging NFC.
According to the association, offering NFC on SD memory cards opens new business models for any authentication process, including:
- Mobile commerce: Consumers can use devices equipped with smart microSD cards to make contactless payments for anything from groceries to subway fare.
- Customized services: Content and service providers can customize features, offers and rewards automatically, eliminating manual entry of customer identifiers such as account or rewards card numbers. For example, airlines could automatically review customer accounts for upgrade and other frequent flier rewards.
- Secure access/Personal ID: Users could store digital identification cards and redeem access control credentials on their mobile device.
- Secure voice: Smart microSD cards can support hardware encrypted voice services, a security method used by governments, emergency services and corporations.
In each of these new business models, the microSD and full-size SD memory cards would provide the secure element, based on GlobalPlatform standards, for authorization purposes and would only be active in the authorized device.