
Friday, December 25, 2009

A login case

There are many ways to authenticate a user before he or she can use online banking services. In Pakistan, banks commonly rely on a user name and password to authenticate web users. A static password is a single, reusable secret: whoever captures it (by phishing, a keylogger, or a breached database) can use it, so banks are unable to offer many services online that would otherwise help grow their business. Other methods in use around the world include PIN/TAN lists, OTP tokens, EMV card readers, mobile one-time passwords, and smart cards. Each has its drawbacks: expensive, not secure enough, or hard for businesses and end users to maintain. Mobile PKI, by comparison, offers an easy-to-use and strong mechanism for digital authentication. It gives the user and the service provider security, ease of use, mobility, low usage cost, low maintenance and, most importantly, a legally qualified form of authentication.
Login is the simplest case for understanding how a wireless public key infrastructure works from the user's side.
A mobile PKI authentication system involves, besides the cellular network that carries the short messages, a mobile signature service provider (MSSP) and a certification authority (CA). The operator's SMS centre (SMSC) delivers the messages to and from the user's handset.
A typical flow that completes an authentication for a web bank login:


Web bank login
  1. User opens the web bank page
  2. User enters their mobile number as the ID and submits
  3. Bank receives the request, confirms that the number is registered in its system and asks the MSSP to authenticate the user with mobile PKI
  4. MSSP prepares an authentication message (naming the requesting bank and carrying a fresh, one-time challenge, so that a captured response cannot be replayed) and hands it to the SMSC for delivery to the end user
  5. SMSC sends the message to the end user's mobile
  6. Mobile PKI client on the SIM receives the message, displays it and asks the user for confirmation
  7. Mobile PKI client signs the authentication response with the private key held on the SIM and sends it back through the SMSC
  8. MSSP receives the response from the SMSC
  9. MSSP validates the signed content with the help of the certification authority: the signature must verify under a certificate the CA issued for that number, and the certificate must not be revoked
  10. MSSP returns the authentication result to the web bank application
  11. Web bank grants or blocks access according to the authentication result
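The eleven steps above as one runnable exchange, added here as an illustration; it is not code from the original post or from any MSSP product. It is written in Go and assumes ECDSA P-256 keys, a challenge made of the mobile number, the bank's name and a 16-byte random nonce, and a CA reduced to the public key it has certified for each number (a real deployment uses X.509 certificates, checks revocation and carries the messages over SMS; here the SMSC legs are a direct function call). The mobile number and bank name are constructed test data.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Challenge is the authentication message of step 4. The bank's name and a fresh
// nonce are signed with it, so a captured response can neither be replayed nor
// relayed to log the user into some other service.
type Challenge struct {
	MSISDN, Bank string
	Nonce        [16]byte
}

func (c Challenge) Digest() []byte {
	h := sha256.Sum256([]byte(fmt.Sprintf("auth|%s|%s|%x", c.MSISDN, c.Bank, c.Nonce)))
	return h[:]
}

// SIM is the PKI applet on the subscriber's SIM (steps 6-7); the private key never leaves it.
type SIM struct{ key *ecdsa.PrivateKey }

func (m *SIM) Confirm(ch Challenge, userAccepts bool) ([]byte, error) {
	if !userAccepts {
		return nil, errors.New("step 6: user declined the request")
	}
	return ecdsa.SignASN1(rand.Reader, m.key, ch.Digest())
}

// CA stands in for the certification authority of step 9: the public key it has
// certified for each mobile number (an X.509 certificate in a real deployment).
type CA struct{ Certified map[string]*ecdsa.PublicKey }

// MSSP issues challenges (step 4) and validates signed responses (steps 8-10).
// SIMs stands in for the SMSC that routes the messages in steps 5 and 8.
type MSSP struct {
	CA      *CA
	SIMs    map[string]*SIM
	Pending map[[16]byte]Challenge // outstanding challenges, keyed by nonce
}

func (s *MSSP) NewChallenge(msisdn, bank string) Challenge {
	var n [16]byte
	if _, err := rand.Read(n[:]); err != nil {
		panic(err)
	}
	s.Pending[n] = Challenge{MSISDN: msisdn, Bank: bank, Nonce: n}
	return s.Pending[n]
}

func (s *MSSP) Verify(nonce [16]byte, sig []byte) error {
	ch, ok := s.Pending[nonce]
	if !ok {
		return errors.New("unknown or already-used challenge")
	}
	delete(s.Pending, nonce) // one shot: a replayed response fails the lookup above
	pub, ok := s.CA.Certified[ch.MSISDN]
	if !ok {
		return errors.New("step 9: no certificate on record for this number")
	}
	if !ecdsa.VerifyASN1(pub, ch.Digest(), sig) {
		return errors.New("signature does not verify against the challenge")
	}
	return nil
}

// Authenticate is what the bank calls in step 3 and acts on in step 11; the bank
// never handles keys or talks to the SIM.
func (s *MSSP) Authenticate(msisdn, bank string, userAccepts bool) error {
	sim, ok := s.SIMs[msisdn]
	if !ok {
		return errors.New("no mPKI SIM for this number")
	}
	ch := s.NewChallenge(msisdn, bank)
	sig, err := sim.Confirm(ch, userAccepts) // carried over SMS in steps 5-8
	if err != nil {
		return err
	}
	return s.Verify(ch.Nonce, sig)
}

// NewDemoMSSP enrols one SIM for msisdn (constructed test data, not a real subscriber).
func NewDemoMSSP(msisdn string) *MSSP {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return &MSSP{CA: &CA{Certified: map[string]*ecdsa.PublicKey{msisdn: &key.PublicKey}}, SIMs: map[string]*SIM{msisdn: {key: key}}, Pending: map[[16]byte]Challenge{}}
}

func main() {
	mssp := NewDemoMSSP("+923001234567")
	fmt.Println(mssp.Authenticate("+923001234567", "ExampleBank", true)) // <nil>
}
```

The security-relevant details sit in Verify: the nonce is consumed on first use, so a captured response cannot be replayed, and the bank's name is part of the signed digest, so a response obtained for one service cannot be relayed to another. The bank itself only ever sees the MSSP's yes/no, which is what makes the scheme cheap for it to adopt.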
The user sees the following screens on the mobile while authenticating:



Authentication message at mobile client
The benefits of a mobile PKI system for users and service providers are ample and include, but are not limited to,
  1. No long PIN/TAN lists or complicated passwords for the user to manage
  2. Complete mobility, as the mobile phone is a 24-hour companion nowadays
  3. Strong, non-repudiable authentication: the response is a digital signature under a key that never leaves the SIM
  4. Cost-effective for banks in comparison to other mechanisms
  5. A new business channel for the telecom operator
The case above is a web bank login, but the flow is much the same for almost any login requirement, e.g. VPN access or mobile banking.

Mobile financial services!

Mobile financial services are a very hot topic in Pakistan these days, and many initiatives are already thriving or trying to grab the initial market share in this sector. Telenor's easypaisa, UBL Orion, Mobilink's Genie and similar services are trying to attract consumers' attention. These services rely mainly on their own internal security mechanisms, delivered in collaboration with the financial institutions they have partnered with. The basic deficiency of such a service is its lack of openness to other parties, which creates unnecessarily fierce competition among market players for their share. In the case of telecom operators it is already established that the Pakistani market cannot support five operators, and the idea of mergers is no longer far-fetched. Whether those mergers happen or not, it is clear that at least these financial services need to merge or work together, as one or more services per telecom operator would not support any business.
Integrating financial services is only possible with digital signatures, which brings public key infrastructure into play. PKI is now an established standard, and PKI-based signatures are legally valid in the EU and many other parts of the world. The draft released by the State Bank of Pakistan also recommends PKI as a core part of financial instruments. Mobile PKI is no longer a new concept either, and the successful commercial launch of Turkcell's mPKI has removed any doubts about its complexity. Consumers need an mPKI-enabled SIM to sign digitally, with supporting software on the service provider's side. These mPKI-enabled SIMs are not expensive, and their price becomes negligible when we talk about millions of users. Last but not least, the signing experience is simple and appealing to the consumer. The initial cost of such an ecosystem can be somewhat higher, but the rate of return is not bad, and revenue-sharing schemes can further simplify costs for everyone.

A typical mPKI system consists of, apart from end users, 1) telecom operator(s), 2) a trusted service provider, 3) financial institution(s) and finally 4) application providers, who make interesting applications available.
The mPKI system is good for everyone and creates a genuinely supportive business environment in which all stakeholders benefit from its existence,
1)    End users get an exciting service that gives them a secure and convenient way of completing transactions
2)    The telco gets business from this model, as its network service is used, and mainly by the users who actually mean business
3)    Banks suddenly find a huge number of new customers who can use their financial services
4)    Application providers find a platform through which to sell their exciting and innovative applications
Some example applications include, but are not limited to, mobile payment, mobile money transfer, branchless banking, corporate login, stock trading, submitting tax returns, and many more. In fact, the number of applications for such a service is bounded only by the imagination.
In conclusion, this is the right time for financial institutions across Pakistan to sit together with cellular operators and trust centres to carve out a transaction integrity and security model based on an mPKI system. This will not only help boost the local economy by promoting business but also give international investors the confidence needed to increase their participation in business development in Pakistan.