CAMBRIDGE, Mass. — As mobile applications leap forward into the wide world of Web 2.0, the security stakes inevitably get higher, too.
Standard methods of user authentication look primitive after that jump, a Forrester Research analyst said, just as demand for robust commercial services is requiring more secure entry points into mobile systems.
“To be trustworthy, mobile transactions need to be secure, which requires that customers be rigorously identified and authenticated,” said the research firm’s Bill Nagel.
Nagel and his fellow Forrester analysts see the future of mobile security in mobile signature authentication that is based on the subscriber identity module (SIM) card rather than driven by the network.
SIM-based authentication is already working well in Finland because it ties authentication to the subscriber’s identity, Nagel said in a report. Still, the method, while easy to use, remains difficult to implement, he said.
The investment may nonetheless be worthwhile. Current methods rely heavily on device-specific operating systems and interfaces, creating both user-interface and security headaches, the Forrester report said, and those concerns multiply with the number of devices and carriers accessing the mobile Web.
The preferred implementation of SIM-based security stores PKI (public key infrastructure) certificates, together with the private keys they certify, on the device’s SIM card. With that credential an individual mobile user can produce a digital signature that is unique to them, even for a site or application being accessed for the first time.
“Digital certificates issued to a reliably identified person not only allow customers to authenticate themselves to a service provider like a bank, thus securing the mobile transaction, but also enable the delivery of new features and services like credit and loan applications, all over the air on a mobile handset,” Nagel said.
This wireless PKI, or WPKI, approach has a distinct advantage over existing authentication systems, the Forrester report said. Because the signature is generated on the SIM card, the identity exchange travels over the operator’s secured short message service (SMS) channel rather than through potentially vulnerable smartphone software; the trust then rests on the SIM and on the operator’s handling of that channel rather than on the handset. Given how contained that SMS exchange is, Nagel said he believes the likelihood of an identity breach is far lower than with smartphone-driven systems.
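The mechanism the report describes, reduced to its essentials, is a challenge-response signature: the service provider sends the handset the transaction text plus a fresh nonce, the SIM signs that with a key that never leaves the card, and the provider checks the signature against a certificate issued by a CA it trusts. The Go program below is an added illustration of that flow and is not code from Forrester, from any operator, or from the article; it simulates the SIM applet and the service provider in one process, uses ECDSA on P-256 and a self-made toy CA (both arbitrary choices), and constructs the subscriber name and transaction text. It does not model the SMS transport or the SIM toolkit itself, only the signing and checking at each end, including the checks a relying party must make: chain to a trusted CA, nonce freshness against replay, and signature over the exact text the user saw.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// SIMApplet stands in for the signing applet on a subscriber's SIM card. The private key is
// generated here and never leaves the struct; the applet only signs requests it is handed.
type SIMApplet struct{ priv *ecdsa.PrivateKey }

// SignRequest is what the signature service pushes to the handset (over the SMS channel in a
// WPKI deployment): the text shown to the user plus a nonce binding the signature to this
// one transaction. The layout is a constructed stand-in, not any operator's format.
type SignRequest struct {
	DisplayText string
	Nonce       []byte
}

// requestDigest hashes text and nonce with a separator so bytes cannot shift between them.
func requestDigest(req SignRequest) []byte {
	h := sha256.New()
	h.Write([]byte(req.DisplayText))
	h.Write([]byte{0})
	h.Write(req.Nonce)
	return h.Sum(nil)
}

// Sign is the only operation the SIM exposes: an ECDSA signature over the request digest.
func (s *SIMApplet) Sign(req SignRequest) ([]byte, error) {
	return ecdsa.SignASN1(rand.Reader, s.priv, requestDigest(req))
}

// ServiceProvider is the relying party (a bank, say). It trusts one issuing CA and remembers
// every nonce it has accepted so that a captured signature cannot be replayed.
type ServiceProvider struct {
	roots      *x509.CertPool
	usedNonces map[string]bool
}

// NewRequest builds a request carrying a random 16-byte nonce for the given transaction text.
func (sp *ServiceProvider) NewRequest(text string) SignRequest {
	nonce := make([]byte, 16)
	if _, err := rand.Read(nonce); err != nil {
		panic(err)
	}
	return SignRequest{DisplayText: text, Nonce: nonce}
}

// Verify checks that the certificate chains to the trusted CA, that the nonce is fresh, and
// that the signature covers exactly the text the user was shown. It returns the certified name.
func (sp *ServiceProvider) Verify(req SignRequest, sig, certDER []byte) (string, error) {
	cert, err := x509.ParseCertificate(certDER)
	if err != nil {
		return "", err
	}
	opts := x509.VerifyOptions{Roots: sp.roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := cert.Verify(opts); err != nil {
		return "", fmt.Errorf("untrusted certificate: %w", err)
	}
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	if !ok {
		return "", errors.New("certificate does not carry an ECDSA key")
	}
	key := hex.EncodeToString(req.Nonce)
	if sp.usedNonces[key] {
		return "", errors.New("nonce already used: replayed signature")
	}
	if !ecdsa.VerifyASN1(pub, requestDigest(req), sig) {
		return "", errors.New("signature does not match the displayed text")
	}
	sp.usedNonces[key] = true
	return cert.Subject.CommonName, nil
}

// Setup creates a toy issuing CA, a SIM holding a certificate that CA issued to the named
// subscriber, and a service provider that trusts only that CA. All names are constructed.
func Setup(subscriber string) (*SIMApplet, []byte, *ServiceProvider, error) {
	caPriv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, nil, err
	}
	now := time.Now()
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Mobile CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caPriv.PublicKey, caPriv)
	if err != nil {
		return nil, nil, nil, err
	}
	caCert, err := x509.ParseCertificate(caDER)
	if err != nil {
		return nil, nil, nil, err
	}
	simPriv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, nil, err
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: subscriber},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature,
	}
	leafDER, err := x509.CreateCertificate(rand.Reader, leafTmpl, caCert, &simPriv.PublicKey, caPriv)
	if err != nil {
		return nil, nil, nil, err
	}
	roots := x509.NewCertPool()
	roots.AddCert(caCert)
	return &SIMApplet{priv: simPriv}, leafDER, &ServiceProvider{roots: roots, usedNonces: map[string]bool{}}, nil
}

func main() {
	sim, certDER, sp, err := Setup("Example Subscriber")
	if err != nil {
		panic(err)
	}
	req := sp.NewRequest("Transfer 100 EUR to account 12345678") // constructed transaction
	sig, _ := sim.Sign(req)
	who, err := sp.Verify(req, sig, certDER)
	fmt.Println("first use:", who, err)
	_, err = sp.Verify(req, sig, certDER)
	fmt.Println("replay:", err)
}
```

The order of checks in Verify matters: the chain is checked before the nonce is consumed, so an attacker presenting a certificate from an untrusted CA cannot burn a legitimate user's nonce, and the signature is checked over the text the provider itself sent, so the handset cannot be tricked into signing one amount while the user is shown another.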
There is, however, yet another catch. Banks and credit unions are not familiar with WPKI or with how to integrate it into existing banking systems, the Forrester analyst said. Some banks in Asia and Europe have even built their own WPKI systems to overcome this obstacle.
Moreover, there is a learning curve inherent in using a WPKI authentication system, which could make the transition a difficult one for end users, the Forrester report said. Device and carrier churn is a parallel issue, creating a constant need to update existing WPKI systems to match.
Despite these obstacles, Nagel sees WPKI as a win-win situation for both institution and consumer. “Mobile signature commercial arrangements generally allow banks to do what banks do best: provide secure credentials and facilitate financial transfers.”