Smart Cards and Authentication
Jose Diaz
Director, Technical and Strategic Business Development
Thales Information Systems Security
Payment Landscape
- Contactless payment technology being deployed
  - Speeds up and simplifies the payments process
  - Replacement for cash, particularly for small transactions
  - No user authentication for now
- Use of Automated Clearing House (ACH) for payments continues to increase
  - 2008 ACH transaction volume was up 1.2 Billion payments over 2007
  - Internet-initiated ACH debits increased by 19.7% in 2008
- Payment methods continue to expand
  - Improved security is the primary driver
  - Primarily target on-line commerce
  - Payment associated with a credit card or bank account (ACH)
  - Many leverage existing payment infrastructures
  - Mobile phones/PDAs seen as a potential payment device
- Authentication and authorization are issues that need to be resolved
  - Increased use of token-based or secondary-channel authentication in high-value environments
  - Requirement for transparent user authentication in low-value environments
Authentication Factors
- Type 1: Something You Know
  - Password, PIN, lock combination, passphrase, knowledge-based questions (mother's maiden name, favorite color)
- Type 2: Something You Have
  - Token device, smart card, memory card, certificate
- Type 3: Something You Are
  - Fingerprints, voice print, retina pattern, iris patterns, face shape, palm topology, hand geometry, location
- Two-factor authentication combines two of the three
FFIEC Guidance On Multifactor Authentication
- Financial institutions are being required to establish and execute a risk-based assessment of their respective online banking delivery channel
- Financial institutions are being required to implement multifactor authentication, layered security, or other controls reasonably calculated to mitigate those risks
- Agencies consider single-factor (e.g., ID/password) authentication to be insufficient as the only means of control for high-risk transactions
- High-risk transactions involve the movement of funds to other parties (even within the FI) or access to customer information
- www.ffiec.gov/pdf/authentication_guidance.pdf
- www.ffiec.gov/pdf/authentication_faq.pdf
- www.nacha.org
FFIEC: Federal Financial Institutions Examination Council
Authentication Functions
- What is PIN Verification?
  - A method to authenticate a customer
  - Used for ATM and POS transactions
- How do we address authentication of customers on virtual storefronts or when the customer is not physically present?
  - Web-based services?
  - Phone-based services?
  - Other customer services?
[Figure: login form with User ID and Password fields]
A Variety of Choices
[Figure: authentication options plotted by Security against Cost/Simplicity, with Risk Assessment as the selection criterion; User ID/Password at the low end]

Why All These Choices?
- Match authentication technology to the risk profile of the business process
[Figure: "Relevant Options" plotted by Cost against Security, from lowest to highest: Password, Encrypted Password, Handheld Token, Digital Certificate, Smart Card, Biometrics]
OATH
- The Open AuTHentication Reference Architecture (OATH) initiative is a group of companies working together to help drive the adoption of open strong authentication technology across all networks
  - 60+ members
  - 40+ shipping products
- Standardized Authentication Algorithms
  - Open and royalty-free specifications

Acronym | Name                                  | Function
--------|---------------------------------------|-----------------------------------------------------
HOTP    | HMAC-Based One Time Password algorithm | Event-based OTP, RFC 4226
TOTP    | Time-based One Time Password algorithm | Time-based OTP
OCRA    | OATH Challenge Response Algorithm      | Challenge-response authentication, short digital signatures
        | OATH Token Identifier Specification    | Enables unique global identification of each authentication credential

HMAC: Hashed Message Authentication Code
IETF: Internet Engineering Task Force
www.openauthentication.org
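The HOTP and TOTP algorithms listed in the table, written out as an added example (this is not code from the slides or from the OATH initiative): HOTP as specified in RFC 4226, TOTP as HOTP over a time-step counter, and the server-side look-ahead window RFC 4226 recommends for resynchronizing event-based tokens. The secret is the 20-byte ASCII test-vector key from RFC 4226 and RFC 6238; the function names are this example's own.

```python
import hmac
import hashlib
import struct

# RFC 4226 / RFC 6238 test-vector key (ASCII "12345678901234567890")
TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP per RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation to a 31-bit integer, then reduction mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # low nibble of last byte picks the window
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)   # keep leading zeros


def totp(secret: bytes, unix_time: int, step: int = 30,
         digits: int = 6, t0: int = 0) -> str:
    """TOTP: HOTP with the counter replaced by the number of elapsed time steps."""
    return hotp(secret, (unix_time - t0) // step, digits)


def verify_hotp(secret: bytes, submitted: str, server_counter: int,
                look_ahead: int = 10):
    """Server-side HOTP check with a resync window (RFC 4226 section 7.4).

    The token may have been pressed without the value reaching the server, so
    counters up to look_ahead past the stored one are accepted. Returns the new
    counter the server must persist (one past the matched value, so the same
    OTP can never be replayed), or None when nothing in the window matches.
    hmac.compare_digest keeps the comparison constant-time."""
    for c in range(server_counter, server_counter + look_ahead + 1):
        if hmac.compare_digest(hotp(secret, c, len(submitted)), submitted):
            return c + 1
    return None


if __name__ == "__main__":
    for c in range(3):
        print(c, hotp(TEST_SECRET, c))          # 755224, 287082, 359152 (RFC 4226)
    print(totp(TEST_SECRET, 59, digits=8))      # 94287082 (RFC 6238)
    print(verify_hotp(TEST_SECRET, "287082", 0))   # token one step ahead -> 2
    print(verify_hotp(TEST_SECRET, "755224", 1))   # replay of counter 0 -> None
```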
Smart Cards: What are the Benefits?
- Secure and flexible technology for information and data storage
- PIN can be used to control access to the card
- Offers advanced fraud and risk management
- Card can be updated at the service point
- Can also provide cryptographic services such as key generation and encryption
- Foundation for EMV-based payment cards
- Excellent solution for secure storage of user credential information (e.g. certificate)
[Figure: smart card combining Data Storage and Computer Power]
EMV-based Authentication
- Maximizing the use of EMV smart cards as a secure authentication token
- Traditional Payment Environment
  - ATM withdrawal
  - Point of sale payment
- New Applications
  - Phone banking
  - Internet banking
  - Online payments
Programs for EMV-based Authentication
- MasterCard Chip Authentication Program (CAP)
- Visa Dynamic Passcode Authentication (DPA)
Smart Cards in Other Authentication Applications
- Becoming more common in Enterprise employee identification schemes
- Crossing over into authenticating users to the network
  - Cards contain a certificate with user information
  - Certificate signed by the Issuing authority and verified during the authentication process
  - Securely stored on the card, protected by PIN
- Dual interface cards (contact and contactless) facilitate use of smart cards for physical and logical access
- Federation of the credential would allow extending use of the certificate outside the Issuing Enterprise
Some Obstacles to Smart Card Use
- Device used to access a service needs to have a smart card reader
  - Common in laptops, not so common in desktops
- Availability of smart cards in USB token format
  - More flexibility for connectivity and use
  - Some also provide contactless interface support
[Figure: USB Token]
In Summary
- Payment methods continue to expand
- User authentication is a critical requirement
- No prevalent methodology has been adopted
- New standards may simplify interoperability
- Smart Cards offer many benefits for security, flexibility and ubiquity
- New form factors facilitate their interface with commonly used access devices
Jose Diaz
Director, Technical & Strategic Business Development
Thales Information Systems Security
+1 954-888-6210
jose.diaz@thalesesec.com

Smart Card Alliance
191 Clarksville Rd.
Princeton Junction, NJ 08550
(800) 556-6828
www.smartcardalliance.org