SixToken – Mobile Device Based Strong Client Authentication with Client Certs

Browsers are not very good for using client digital certificates for Strong Client Authentication. Once a browser uses a certificate, it won’t turn it loose to use a different one, until you kill all instances of the browser. It can also be difficult to get a digital certificate via browser for such use. Finally it can be difficult to include support for browser based certificates in your web application.

We came up with a way to obtain the key material on a mobile device, using our Identity Registration Protocol (IRP), protecting the private key with the mobile device’s biometric mechanism (fingerprint, etc.). We combined this with push notification and the “crypto challenge” from TLS to provide authentication (and authorization within a connection) that is very simple to use but extremely strong.

Getting the key material onto your phone is remarkably simple, and can be managed and pre-approved by your IT department, while the key pair is still generated on your device rather than centrally (we can also support centralized key creation if you prefer). The same process connects your mobile device to our push notification provider.

Once your key material is on your mobile device, you can use it for any online service secured with TLS for true passwordless authentication. You connect to the online service as usual (e.g. with a browser) and supply only your userid (e.g. email address). The server creates a crypto challenge (a short random string encrypted with the public key from your client certificate). It then pushes that challenge to your mobile device. You see a message that says “xxx is trying to log into yyy, is that OK?” You can reject the notification, or you can accept and swipe your fingerprint. That unlocks your private key, which decrypts the challenge and sends the result back to the server. If the result matches the original string, that is positive proof of your identity (true 2FA: something you have, your phone and private key, and something you are, your fingerprint). No password is involved at any time. You can do away with password creation and management by users, as well as with keeping passwords in a database on the server where hackers can grab them.

We support all Android and iOS phones, but it works best with ones that include biometric authentication.

You can also implement transaction authorization. If you pay for something with your credit card, the application can send you a notification saying “xxx is trying to spend $yyy at zzz store – is that OK?” Again you reject or accept, and if you accept you swipe your fingerprint and a crypto challenge is completed. The transaction is only carried out if you approve it with true 2FA. This eliminates most credit card fraud. It can also protect investment accounts, like 401(k)s, from unauthorized withdrawals.
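The login flow and the transaction-authorization flow above are the same exchange with a different message shown to the user. The following is an added illustration of that exchange, not SixToken’s own code: a server holding the public key from the user’s client certificate issues a random challenge encrypted with RSA-OAEP, the device (after the user accepts the prompt) decrypts it, and the server checks the answer. The `Server`, `Device` and `Answer` names are hypothetical, the user id is a constructed sample, and the biometric prompt is modelled by a boolean. Three points a practitioner would want are shown: the human-readable context is bound into the ciphertext as the OAEP label, each challenge is single-use and expires, and the comparison is constant-time.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
	"time"
)

// One outstanding challenge: the random secret the phone must recover, and when it expires.
type pendingChallenge struct {
	secret  []byte
	expires time.Time
}

// Server side (hypothetical API): enrolled public keys per user and outstanding challenges.
type Server struct {
	pubKeys map[string]*rsa.PublicKey
	pending map[string]pendingChallenge
	ttl     time.Duration
	now     func() time.Time // injectable clock so expiry can be exercised
}

func NewServer(ttl time.Duration) *Server {
	return &Server{pubKeys: map[string]*rsa.PublicKey{}, pending: map[string]pendingChallenge{}, ttl: ttl, now: time.Now}
}

// Enroll records the public key taken from the user's client certificate.
func (s *Server) Enroll(userID string, pub *rsa.PublicKey) { s.pubKeys[userID] = pub }

// IssueChallenge builds the "crypto challenge": a 32-byte random secret encrypted to the
// user's public key. The context shown to the user ("xxx is trying to log into yyy" or
// "spend $yyy at zzz") is the OAEP label, so a ciphertext pushed for one purpose cannot
// be decrypted as an answer to another. Returns a challenge id and the bytes to push.
func (s *Server) IssueChallenge(userID, context string) (string, []byte, error) {
	pub, ok := s.pubKeys[userID]
	if !ok {
		return "", nil, errors.New("unknown user")
	}
	secret, rawID := make([]byte, 32), make([]byte, 16)
	if _, err := rand.Read(secret); err != nil {
		return "", nil, err
	}
	if _, err := rand.Read(rawID); err != nil {
		return "", nil, err
	}
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, secret, []byte(context))
	if err != nil {
		return "", nil, err
	}
	id := hex.EncodeToString(rawID)
	s.pending[id] = pendingChallenge{secret: secret, expires: s.now().Add(s.ttl)}
	return id, ct, nil
}

// Verify checks the phone's answer. The challenge is consumed on first use (right or
// wrong), rejected after expiry, and compared in constant time.
func (s *Server) Verify(id string, response []byte) bool {
	c, ok := s.pending[id]
	if !ok {
		return false
	}
	delete(s.pending, id)
	if s.now().After(c.expires) {
		return false
	}
	return subtle.ConstantTimeCompare(c.secret, response) == 1
}

// Device side: on a real phone the private key is released only after the biometric
// prompt; here that prompt is modelled by the approve flag.
type Device struct{ priv *rsa.PrivateKey }

// Answer decrypts the pushed challenge under the same context the user was shown.
func (d *Device) Answer(context string, ciphertext []byte, approve bool) ([]byte, error) {
	if !approve {
		return nil, errors.New("user rejected the notification")
	}
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, d.priv, ciphertext, []byte(context))
}

func main() {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048)
	srv := NewServer(60 * time.Second)
	srv.Enroll("alice@example.com", &priv.PublicKey) // constructed sample user
	dev := &Device{priv: priv}

	ctx := "alice@example.com is trying to log into example-bank, is that OK?"
	id, ct, _ := srv.IssueChallenge("alice@example.com", ctx)
	resp, _ := dev.Answer(ctx, ct, true)
	fmt.Println("login accepted:", srv.Verify(id, resp))  // true
	fmt.Println("replay accepted:", srv.Verify(id, resp)) // false: challenge already consumed
}
```

In deployment the challenge id and ciphertext travel to the phone over the push channel and the answer comes back over TLS; the server never needs the private key, and a leaked server database yields only public keys.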

We will be glad to help you integrate this technology into your payment systems! It’s actually quite simple and fast using our infrastructure. The client certificates can be obtained via IRP from any of our CA partners, or even from a private hierarchy you run in-house (e.g. with EJBCA).