The traditional model of online identity, username/password, has long outlived its usefulness. This is how API multifactor or two-factor authentication has come into play, to patch up vulnerabilities of the so-called knowledge-based model, usually by SMS passcode to verify possession of a mobile phone number.
However, this isn’t the most secure model because it requires knowledge of the password, which is spread in various sources. The biggest problem is that SMS messages can be spoofed to gain access to accounts. Recently we have seen hacks on Twitter since the number used has been known. However, the SMS number could have been saved by anyone in the hacker’s contact list.
There are several other models being tested, like the one which uses a SIM-card or even using a Macbook’s keychain on login. However, even though these are interesting possibilities to save passwords and authenticate users forcibly (or perhaps to play identity theft), they don’t work for everything as they require special hardware.
Introducing SIM-based Verification
SMS alone may not be secure, but mobile phone numbers tethered to a SIM card are: they’re unique pairing that is difficult to tamper with or copy.
A company called OATH, which provides standards for tokens and authentication via the Open Authentication initiative, has come up with a way to map mobile phone numbers to SIM cards. This will allow not only developers but also users to use SIM-based identity and verification for online accounts.
“The OATH Mobile Verification pilot is a new technology that makes it easy and secure for users to confirm their mobile phone number with participating websites without having to enter a password,” wrote OATH in the press release. “Mobile Verification offers businesses a more streamlined solution, requiring fewer manual steps than other multi-factor authentication options.
How SIM-Authentication API Works
The SIM card within a phone is already authenticated with the Mobile Network Operator (MNO). SIM authentication allows mobile customers to make and receive phone calls and connect to the internet. Without SIM authentication, users are not able to place or receive phone calls and cannot connect to the internet.
This is already a relatively secure model, especially with the fact that no one knows your password unless you tell them it. The OATH API will now allow anyone to use your mobile number as a means of authenticating through SMS verification, without needing to actually send you a text message with the sender’s information or otherwise obtain the password.
However, this service will not be available out of the box for all users, at least initially. Developers who wish to implement it can do so with their apps by including a simple snippet of code into their program.
“This API accesses OATH’s Open Authentication for developers who need to authenticate users without SMS, and it also includes OATH’s Mobile Authentication SDK for developers to use in their apps,” explained the company.
“At present, the service is only available via the OATH Developers website. However, it should be available shortly in mobile apps that provide a login mechanism.”
According to OATH, this pilot will allow users to launch a special “mobile identity” page on third-party websites and log in using just their phone number and password. You would still have to create a username and password on these sites, however. Your mobile phone number would be verified via an SMS message sent by the site itself.
If you would like liquidvideotechnologies.com to discuss developing your Home Security System, Networking, Access Control, Fire, IT consultant, or PCI Compliance, please do not hesitate to call us at 864-859-9848 or you can email us at deveren@liquidvideotechnologies.com.
Recent Comments