SSenStone introduces an entirely new type of user authentication factor with the TAP-OTAC solution. TAP-OTAC serves as an empowering option to satisfy Multi-Factor Authentication (MFA) requirements such as PSD2 Strong Customer Authentication (SCA) from Europe and/or FTC’s Safeguards Rule from the United States. TAP-OTAC lets organisations achieve a higher privacy security level over legacy OTPs including SMS or conventional mobile OTP, and it protects your identification against external threats that such legacy OTPs do not cover. Moreover, the TAP-OTAC solution can be straightforwardly applied to a wide variety of smart cards such as bank debit cards, credit cards or even building access cards. Users benefit from both the enhanced security of hardware OTP (hardware token) and the convenience of mobile OTP (software tokens).
As the name implies, Multi-Factor Authentication (MFA) is authentication through verifications of at least two types of authentication factors, which are:
Note that two-step verification differs from MFA, where the verification methods can be of the same factor.
According to Microsoft, MFA can “prevent 99.9 percent of attacks”. While there are some arguments that this number is not realistic, there is no doubt that MFA is highly effective in mitigating security threats such as identity theft. For this reason, companies should enforce or at least give an option to enable MFA to protect users’ sensitive information.
Moreover, there are specific requirements that mandate the use of MFA, especially in financial institutions. In Europe, there is PSD2 “Strong Customer Authentication,” and in the United States, there is FTC’s “Safeguards Rule.”
PSD2 is the “Second (Revised) Payments Services Directive” implemented in January 2018 in the European Union. Strong Customer Authentication (SCA), which is part of PSD2, is a mandatory requirement across Europe for carrying out financial transactions, such as online transactions and bank transfers. SCA requires that the transactions are verified using MFA, a combination of at least two authentication factors, to prevent fraud and protect customer data from malicious attacks.
Most countries in the EU met the SCA requirements by September 2021, with the United Kingdom extending the deadline to March 2022. As of today, the SCA requirement is enforced in all EU countries.
The Federal Trade Commission of the United States amended the Safeguards Rule, which is set to protect consumer information, in December 2021. The Safeguards Rule applies to any business defined as a “financial institution.”
While the rule states many requirements, such as encryption, disposal policies, and logging requirements, one of the most significant requirements is that the institutions must implement MFA. Just like SCA, Safeguards Rule requires verification consisting of at least two authentication factors.
An important point to note here is that FTC has excluded SMS text messages as an acceptable example of a possession factor. While this exclusion does not mean that the use of SMS text is prohibited, it is not recommended as a secure means to protect sensitive consumer information. Note that the security and privacy of SMS texts are not guaranteed by mobile carriers, which means attackers can intercept these messages.
Based on the world’s first one-way dynamic authentication technology, one-time authentication code (OTAC) originally invented by SSenStone provides more secure authentication by uni-directional dynamic token ONLY to overcome bi-directional limitations including high dependency on the push & pull system of network connectivity between clients and servers. By reinventing authentication, SSenStone sets a new standard for authentication in cybersecurity beyond the limitations of existing authentication methods.
OTAC can be applied to various products and services across different sectors. It has various solutions including payment, IoT, and military, just to name a few.
SSenStone’s OTAC algorithm was put to the test and fully substantiated in a detailed 42-page technical review by the University of Surrey. View the report on their site or download the full report.
SSenStone provides TAP-OTAC to protect against external threats that exploit the security vulnerability of mobile OTP by utilizing medium separation which is free from cyber-attacks. It can be easily applied to payment cards such as a debit card and/or credit card, generating non-duplicate and non-reusable OTPs by simply tapping the card on the user's mobile device. It means that users acquire the advantages of hardware OTP (hardware tokens) and mobile OTP (software tokens) at the same time; robust security and convenient user experience.
The TAP-OTAC is embedded in the form of an applet on the IC chip. A card with OTAC applet embedded generates the first OTAC through communication with the smartphone NFC. Since the first code generated from the card is changed into a second ‘OTAC’ via the application, there is no risk of sniffing, something that can occur during standard NFC transactions.
It is available on both iOS and Android platforms - iOS 13 and above or Android OS 6 and above.
SSenStone provides TAP-OTAC to protect against external threats that exploit many applications today to perform some degree of user authentication using username and password, PIN, or biometrics. However, a lot of them still do not fully comply with the MFA requirements, especially regarding the possession factor. While there are some applications that do implement OTP solutions to tackle the possession factor, many use a weak form of OTPs, such as SMS OTPs, which are prone to many kinds of attacks. Implementing TAP-OTAC can help businesses solve these problems.
Most modern applications, such as banking applications, satisfy the knowledge or the inherence factor by authenticating users with their account number and password, or even with PIN, pattern, or biometrics for simpler authentication.
Performing user authentication with an account number and password or with a PIN or pattern constitutes knowledge factors, as they are what the user knows. While using account numbers and passwords has dominated user authentication, more and more applications support simpler authentication through PINs and patterns to satisfy the knowledge factor. When using PIN or pattern as a knowledge factor, they are stored securely in a safe area of the device, such as a keychain or a secure element. Unlike account numbers and passwords, which are stored in the server, PINs and patterns are stored and compared locally on your device, safe from attacks like verifier compromise. In addition, many applications have a safety mechanism to lock the user out after a preset number of unsuccessful tries.
Biometrics are considered an inherence factor as they are inherent characteristics of the user. Using biometric characteristics such as fingerprint or facial recognition usually depends on the biometric authentication features supported by mobile devices. In order to preserve the integrity of the biometric information obtained during the registration, a hash of a unique string that identifies the biometric information is usually stored in the device’s safe area. When a user performs biometric authentication, the application compares the hash string stored during registration with a new hash obtained during authentication, ensuring that the biometric data on the device has not been altered.
In addition to providing the knowledge or the inherence factors, it is required for the application to prove possession of a registered device to satisfy the MFA requirements. With traditional OTP devices, however, an OTP generated from a lost or stolen device could be used directly in authenticating as the original user. In severe cases, an attacker could install malware on the user’s device to take complete control over it and use an authentication app installed on that device to authenticate successfully into various apps and websites.
The TAP-OTAC is designed in a way that the two devices, the card, and the mobile device, are dependent on each other. In other words, the user’s mobile device is required to generate the first OTAC from the card, and the card is needed to generate the final OTAC from the mobile device successfully.
The card has an OTAC applet that requires a unique PIN to access the applet’s functions. This PIN is called an applet PIN and is randomly assigned upon issuing the card. The applet PIN is also stored safely on the server and passed on to the user’s mobile device during the registration process. Note that this applet PIN is unknown to the user and is available only to the user’s mobile device. This makes it impossible for the card to independently generate a code without having the user’s mobile device.
After the first OTAC is generated from the card by receiving an application protocol data unit (APDU) command with the applet PIN from the user’s mobile device, the mobile device receives and uses that first OTAC to generate the second or the final OTAC. This “chaining” of the two codes makes the second code dependent on the first, meaning that one must possess the card to generate the final code from the mobile device successfully. Also, the data that is sent through NFC is encrypted, further securing the messages from eavesdropping.
This characteristic of the TAP-OTAC, which explicitly requires the possession and simultaneous interaction between the two devices, adds an additional barrier and makes it extremely challenging to perform attacks through device compromise.
Based on OTAC technology, TAP-OTAC eliminates various weaknesses of other OTPs such as SMS OTP, mobile OTP, and token OTP, thus providing numerous benefits.
SSenStone provides the necessary parts to implement the TAP-OTAC solution:
To learn more about TAP-OTAC and many other solutions, please contact us today.