Strong Authentication

For most people, getting access to online services or a web-based retailer is reasonably simple – you provide a username (usually your email address) and a password and off you go.
The trouble is:

  1. The online service you’re accessing usually can’t really validate that you are who you say you are (that’s why online retailers usually collect other information like your address and phone number against which to validate a payment card);
  2. You are probably using the same username and a (weak) password like “12345” for many different services;
  3. It’s increasingly difficult to protect yourself from computer viruses and phishing [1] attempts designed to intercept and collect your personal information; and
  4. If your personal data is compromised, thieves can get access to all of the other accounts, and, worse yet, set up new accounts pretending to be you. 

This is identity fraud, and in 2010 in the U.S. alone, over 8 million adults had their identities compromised, costing over $37 billion – that’s over $4,500 per incident in out-of-pocket and/or insurance costs.  What’s more, consumers reported spending an average of 59 hours recovering from a “new account” instance of identity theft [2].

Making matters worse, a number of online services are offering consumers convenience (and greater risk) by letting you log in to other sites using their login information.  If their online security is compromised, so is yours [3].

Current Solutions

If you work for a large company or government agency, in addition to a username and password (a “what-you-know” credential), you probably also use a security “token” that generates a random, changing number (a “what-you-have” credential) to log in remotely.  The combination of “what-you-know” and “what-you-have” is known as 2-factor authentication, and provides a higher level of assurance that it is indeed you trying to access your company’s online service.  Even if someone was phishing the company’s website and was able to collect your username and password, they would not be able to use them to gain access without also having the security “token”.

Similar in concept, but providing an even stronger level of authentication, are chip-based and contactless credit cards.  Embedded in these cards (“what you have”) is a computer chip that generates a new secret “key” each time it is used in a payment terminal.  Along with the correct PIN (“what-you-know”), the retailer can be certain that you are authorized to use the card to make a purchase.  Chip-based and contactless cards cannot be duplicated or compromised because they do not contain any information that is useful – only a cryptographic [4] algorithm that generates the secret key based on unique information generated by the payment network.  Both the key and all electronic communications through the payment network are encrypted, so that even if someone were able to intercept or copy the message, it would be totally useless to them.
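The per-transaction mechanism described above, as an added example that is not SecureKey's or any payment network's code: a simplified HMAC-based stand-in for a chip card's cryptogram (not the EMV algorithm), in which the card derives a fresh session key from a transaction counter and answers a challenge issued by the network. The class names, key derivation and message layout are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets


def cryptogram(master_key, counter, challenge, amount_cents):
    """One-time key from (master key, counter), then a MAC over the transaction."""
    ctr = counter.to_bytes(4, "big")
    session_key = hmac.new(master_key, b"session" + ctr, hashlib.sha256).digest()
    message = challenge + amount_cents.to_bytes(8, "big")
    return hmac.new(session_key, message, hashlib.sha256).digest()


class Card:
    """Hypothetical chip: the master key is used inside and never returned."""

    def __init__(self, master_key):
        self._master_key, self._counter = master_key, 0

    def sign(self, challenge, amount_cents):
        self._counter += 1  # every transaction gets a new session key
        return self._counter, cryptogram(self._master_key, self._counter, challenge, amount_cents)


class Issuer:
    """Hypothetical verifier on the network side, sharing the card's master key."""

    def __init__(self, master_key):
        self._master_key, self._last_counter = master_key, 0
        self._pending = set()

    def new_challenge(self):
        challenge = secrets.token_bytes(8)  # the network's unique, unpredictable input
        self._pending.add(challenge)
        return challenge

    def verify(self, challenge, amount_cents, counter, received):
        if challenge not in self._pending:
            return False  # never issued, or already used
        self._pending.discard(challenge)  # each challenge is single use
        if counter <= self._last_counter:
            return False  # counter did not advance: replayed cryptogram
        expected = cryptogram(self._master_key, counter, challenge, amount_cents)
        if not hmac.compare_digest(expected, received):
            return False  # wrong key, wrong challenge or altered amount
        self._last_counter = counter
        return True
```

A captured cryptogram fails on a second presentation because its challenge has been consumed, and fails against a fresh challenge because the counter has not advanced.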

SecureKey Strong Authentication

SecureKey uses these same chip-based and contactless technologies to deliver strong online authentication without sacrificing user convenience.  In fact, with SecureKey, your online experience will actually be improved, making online authentication fast and familiar.

At the core of SecureKey’s technology is a multi-purpose, cryptographic “applet”, or small, portable software program, that may be deployed on:

  • chip-based or contactless cards,
  • USB-format SecureKey card readers with secure memory, or
  • the Secure Element (SE) on next-generation laptops, tablets, and mobile devices.

Behind the scenes, the SecureKey Applet, along with SecureKey’s cloud-based authentication service, establishes a secure, mutually authenticated session between the user’s credential and the online web server using industry-standard X.509 digital certificates and the SSL/TLS secure communication protocol.  A Web Services layer makes it easy to integrate the SecureKey solution into existing sign-on applications or authentication services.  Sensitive operations are all self-contained in the SecureKey Applet within the device’s Secure Element memory, and are never exposed to security risks in the operating system of the end-user’s device.  No user data is ever stored in the SecureKey Applet.  This process is completely invisible to the user.  When authentication is successfully completed, a secure, encrypted session is established between the user and the online service.

The SecureKey solution also enables a new channel for managing deployed cards, by providing a secure mechanism to push scripts onto existing EMV and other smartcards.  This enables remote delivery of secured applications such as remote PIN reset and transit or prepaid card top-up.

The SecureKey solution is card-agnostic and interchangeable, and may be used with a wide variety of card form factors including MasterCard PayPass and Visa payWave, NFC-compliant mobile handsets, or any other contactless form factor that supports proximity (ISO/IEC 14443) or NFC (ISO/IEC 18092). Our unique technology is being built into desktop and laptop computers, as well as next-generation NFC-enabled tablets and mobile phones, creating a vast network of secure “terminals” to read and interact with chip-based cards, virtual cards, and cloud-based electronic “wallets.”

[1] Phishing is a way of attempting to acquire information such as usernames, passwords, and credit card details by masquerading as a trustworthy entity in an electronic communication. Communications purporting to be from popular social web sites, auction sites, online payment processors or IT administrators are commonly used to lure the unsuspecting public.
[2] Javelin Strategy and Research, “2011 Identity Fraud Survey Report,” February 2011.
[3] “Facebook sees 600,000 Compromised Logins Per Day,” posted by Graham Cluley of Sophos.
[4] Cryptography is the practice of techniques for secure communication in the presence of third parties, usually by encrypting or converting information from a readable state to apparent nonsense.

SecureKey Technologies Inc.
1.416.477.5625