Mobile Device Security Solutions | Modes of Authentication
Verifying an individual’s claimed identity through user authentication is the first line of defense against unauthorized use of a mobile handheld device (any type of computing device that is small enough to be held in one’s hand or kept in a pocket or similar small space).
Three basic techniques are commonly used to verify identity:
- proof by knowledge (for example, passwords)
- proof by possession (for example, tokens, such as smart cards)
- proof by property (for example, fingerprints)
Multiple modes of authentication that involve one or more basic authentication techniques are also a possibility.

Toshiba G500 Smartphone with fingerprint reader
Passwords are the oldest and most popular proof-by-knowledge technique in use today and remain a common solution for handheld devices (for example, smartphones and PDAs).
The strength of password mechanisms lies in the large number of possible character strings, but people in general tend to choose easily remembered strings such as the names of children or pets, or commonly used words. In that case an intruder can deduce passwords quickly by systematically applying dictionaries of commonly used strings and known password-reuse patterns.
Organizational policies and procedures may compel users to include special, upper-case, and numeric characters in their passwords, but because such passwords are hard to remember, users write them down and keep them nearby (for example, next to the computer or handheld device), which is not secure.

Picture Password Authentication Mode
A new authentication technology was invented for PDAs and smartphones using a visual login technique called Picture Password. Picture Password authenticates a user through the selection of images displayed on a handheld device.
Two main categories have emerged: those that require the user to recall and select a sequence of displayed images, and those that require the user to draw a series of lines over a grid or image template. The former category has been implemented in a number of commercial security products for handheld devices; both categories remain active areas of research.
Smart card authentication is perhaps the best-known proof-by-possession mechanism. Smart cards are credit-card-size security tokens that hold an embedded computer chip containing an operating system, programs, and data.
Smart cards are not very amenable to handheld devices, however, because of the comparatively large size of the card itself and the need to incorporate or connect with a card reader of similar size.

Omnikey 4040 PCMCIA Smartcard to include in PDAs
Common means to accommodate smart cards are device expansion sleeves that contain a reader, or separate readers that connect wirelessly to the device. Perhaps the most promising development with full-size smart cards involves wireless smart cards that incorporate a radio frequency chip; eventually high-end mobile devices could include the capability to communicate with them.
Some manufacturers offer smart cards in alternative formats that are more compatible with handheld devices, namely removable media cards. Removable-media smart cards are typically dual-function, providing significant amounts of storage in addition to smart card functionality.
The latter could be used for user authentication and other purposes. As mentioned in an earlier section, (U)SIMs are fundamentally smart cards in reduced size, used in certain types of cell phones, that contain the user’s telephone account information.

USIM NTT DoCoMo's FOMA
Because (U)SIMs are typically under the control of the network carrier and not normally readily accessible (i.e., removal of the battery from the handset is typically required), they are not a good option for user authentication. Smart cards have also been packaged within a plastic housing with a USB (Universal Serial Bus) connector at one end.
Toshiba announced the development of a new USIM card compatible with NFC (Near Field Communication) mobile phones, in anticipation of the worldwide rollout of mobile contactless services forecast for 2010 and 2011.
Fingerprints are the oldest proof-by-property technique involving biometrics. The fundamental operation of a biometric system is comparing newly captured measures of some biometric characteristic (for example, physiological or behavioral) against a previously enrolled template derived from registered measures taken earlier. Only a few handheld devices have incorporated fingerprint authentication technology.
14 Responses to “Mobile Device Security Solutions | Modes of Authentication”
What are the security concerns if I use my credit card number over the Internet using my mobile phone?
There are several ways to pick your information right out of the air. Always check if the site where you want to use your credit card is using a https connection.
HTTPS (Hypertext Transfer Protocol over Secure Socket Layer) encrypts an HTTP message prior to transmission and decrypts it upon arrival.
Also, you can use mobile security software.
On what mechanism of protection does Picture Password rely?
Picture Password relies on two forms of authentication:
1. the cryptographic hash of the password string computed from the enrolled image selection
2. a value matrix that maps selected thumbnails to their underlying alphabet values.
What is PIM (related to Picture Password)?
Personnel Information Management
What are the common threats for a Picture Password protection mechanism?
1) Applications that run as root by default can be exploited with the scope of gaining access to the authentication and other types of information.
2) Trojan versions of compromised applications that can capture user input (for example, passwords as text)
3) Spoofing
4) Savaging or sniffing
In which language is a Picture Password protection mechanism implemented?
1) C++ for a Linux iPAQ PDA
2) Open Palmtop Integrated Environment (Opie)
What is Opie?
an open source implementation of the Qtopia graphical environment of TrollTech
What are the parts of the Picture Password authentication mechanism?
1) the initial password enrollment
2) subsequent password verification.
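The two comments above describe Picture Password as a value matrix that maps selected thumbnails to alphabet values plus a cryptographic hash of the resulting string, split into enrollment and verification. The following is an added Python illustration of that flow, not code from the post or from the iPAQ implementation it mentions; the 3x3 grid, the alphabet, the distinct-value matrix and the use of salted PBKDF2 (rather than a bare hash) are assumptions made here.

```python
import hashlib
import hmac
import os
import random

# Alphabet the thumbnail cells are mapped to (constructed for this example).
ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789"


def make_value_matrix(cells):
    """Assign each thumbnail cell a distinct alphabet value (hypothetical helper).
    Distinct values stop two different selections collapsing into one string."""
    return random.SystemRandom().sample(ALPHABET, cells)


def selection_to_string(selection, matrix):
    """Map an ordered sequence of selected cell indices to the password string."""
    if any(i < 0 or i >= len(matrix) for i in selection):
        raise ValueError("selection refers to a cell outside the grid")
    return "".join(matrix[i] for i in selection)


def enroll(selection, matrix, iterations=100_000):
    """Enrollment: derive the password string and store only a salted hash of it.
    PBKDF2 is assumed here because the string is short and drawn from a small
    key space; the post only says 'cryptographic hash'."""
    salt = os.urandom(16)
    pw = selection_to_string(selection, matrix).encode()
    digest = hashlib.pbkdf2_hmac("sha256", pw, salt, iterations)
    return {"matrix": matrix, "salt": salt, "iterations": iterations, "digest": digest}


def verify(selection, record):
    """Verification: recompute with the stored matrix and compare in constant time."""
    try:
        pw = selection_to_string(selection, record["matrix"]).encode()
    except ValueError:
        return False
    digest = hashlib.pbkdf2_hmac("sha256", pw, record["salt"], record["iterations"])
    return hmac.compare_digest(digest, record["digest"])


def keyspace(cells, length):
    """Number of ordered selections of the given length (cells may repeat)."""
    return cells ** length
```

For a 3x3 grid and a four-image sequence the key space is only 9**4 = 6561 selections, so a hashed record on its own does not resist guessing; a verifier should add a retry limit or lockout.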
interesting post
a very good article about Mobile Device Security Solutions | Modes of Authentication