Concept of Trusted Transaction for Secure Cloud Transactions
Cidway Secure Mobile Access Transactions Short 05 12
Transcript of Cidway Secure Mobile Access Transactions Short 05 12
Discover the future of security on www.cidway.com
SECURING ACCESS & TRANSACTIONS ON / FROM MOBILE
THE LEVEL OF SECURITY YOU WANT TO ACHIEVE
THE LEVEL OF CONVENIENCE THE USERS WANT
© 2012 CIDWAY Security SA. All rights reserved – www.cidway.com
Mobile Access & Transactions Today
Scenario 1: Static PIN Code on the Mobile application
• Convenient but NOT secure
• No Transactions’ signature!

Scenario 2: Mobile application + OTP from hardware Token or SMS
• Secure, but NOT convenient
• Expensive for the Bank
• Potential Transactions’ signature!
Mobile Access & Transactions with CIDWAY
Transparent 2FA, MA & TDS
Convenient & Secure
Embedded Cidway mSDK
✓ Improved Security, using time-based OTP
  • Strong Authentication (2FA)
  • Mutual Authentication (MA)
  • Transaction/Document signature (TDS)
✓ Simplified User Experience
  • Just a PIN to input
  • All security features transparent to the User
✓ Decreased Total Cost of Ownership
  • No additional hardware components
  • No additional software application
  • Less Support
✓ Simplified Deployment
  • Only one application with Cidway mSDK embedded
✓ Extended Scope
  • mBanking
  • mCommerce
  • mPayment
  • mHealth
  • Mobility
  • Etc.
cured by CIDWAY
Secure Mobile Applications & Simplify User Experience
Improved Security
• Secure Login with real time-based OTP
• Sign Transactions/Documents/Data with time-based TDS
• Mutual Authentication (Server authenticates to Mobile) with time-based OTP
• Real time-based OTP (1 second increment) with time-stamping
• Data encryption within SSL tunnel (in case it’s compromised) using synchronous OTP (without transmitting keys over the Network)
• No-PIN patented protection (PIN Code not stored on the mobile, never transmitted over the network, nor stored on the server)
• Embedded Secure Virtual Keyboard
• Jailbreak/Root detection – even prevents Xcon (iOS)
• Anti-cloning solution (based on signed Logs & hardware binding)
• Secure Download from mobile public stores (to prevent a rogue application from stealing User’s credentials)
• Secure provisioning process on the fly
• Support of multiple devices for one User with multiple keys (even if same PIN Code used)

Simplified User Experience
Enable high-level security without additional components/elements, in a transparent way for the User
• Easy Login (secured by a transparent 2FA & Mutual Authentication): just input a PIN Code
• Easy Transaction/Document Signature (signing the entire Transaction Data): just input a PIN Code, no additional data to input
• Easy Registration Process & Renewal process (when phone is changed/lost/stolen)
• Automatic & transparent time-resynchronization, even if User changes the clock of his phone
• Multiple Devices with same PIN Code (without additional security risks)
• Multiple Users on the same device

Seamless Integration
Simple integration of Cidway SDKs into existing or future Applications
• Integration of MobileSDK into existing mobile application (native mSDK available for all platforms)
• Integration of ServerSDK (available on any OS, agnostic of Databases & Users Directory) into existing Application Server or Authentication Platform
• Professional Services & Training readily available from Cidway with significant experience
• Potential adaptations/modifications, as it’s Cidway’s own source code
Integration of CIDWAY SDKs
• Integration of CIDWAY MobileSDK into existing Mobile Application
• Integrate ServerSDK or Interface GaiaServer:
  - Integration of CIDWAY ServerSDK into existing Application Server or Authentication Platform (available on any OS, agnostic of Database & User Directory)
  - OR Interface of CIDWAY GaiaServer with existing Application Server
[Diagram labels: APPLICATION SERVER (mBanking, mCommerce, mPayment, Mobility, etc.); CIDWAY mSDK; Cidway ServerSDK; Cidway Gaia Server; WebServices]
User Experience & Process: Secure Access & Transaction/Data Signature
The simplest User Experience
Fully transparent for the User
SECURE ACCESS
TRANSACTION SIGNATURE
Business Cases
mBanking
✓ Strong Authentication
✓ Mutual Authentication
✓ Transaction Signature
✓ End-to-end data encryption
✓ Anti-cloning
✓ Jailbreak/Root detection

Mobility
✓ Secure & simple authentication of Users
✓ Multiple Users per device
✓ Document Signature (including data integrity & time-stamping)
✓ Complementary to MDM

mCommerce
✓ Secure mCommerce transactions (Transaction Signature, protects also CC data)
✓ Simplify User Experience
✓ Automate 3DSecure transactions on Mobile

mHealth
✓ Secure Access to medical records
✓ Sign data when records modified and/or added
✓ Authenticate patient
✓ Secure patient data communication
FAQ on Mobile Authentication
✓ What are the risks if I lose my phone?
✓ What are the risks of downloading a rogue application from a mobile public store?
✓ How easy is it to activate the application and what are the risks during the process?
✓ Is the User Experience really easy?
✓ What are the risks of brute force, man in the middle and other sophisticated attacks?
✓ Did the application pass penetration tests?
✓ What are the coding techniques to guarantee top security?
✓ Are the credentials transmitted over the air? What are the risks?
✓ Is it real time based? With time-stamping?
✓ What happens when the user changes the phone’s clock?
✓ Does it work on all Mobile platforms?
✓ Does the solution considered support real time-based OTP, mutual authentication & transaction signature?
✓ Does the solution support Jailbreak/Root detection (even with Xcon on iOS)?
✓ Does the solution embed a secure virtual keyboard?
✓ Does the solution support end-to-end data encryption within the SSL channel?
✓ Does the solution prevent cloning?
✓ Is the secret key protected from mobile backups, which are usually not encrypted and potentially stored on the cloud?

Cidway Mobile technology is the answer