
Friday, December 25, 2009

A login case

There are many methods to authenticate a user before he or she can use online banking services. In Pakistan, banks commonly authenticate web users with a user name and password. This method offers weak security, so banks are unable to offer many services online that would certainly help them grow their business. Other methods used in this sector around the globe include PIN/TAN lists, OTP, EMV card readers, mobile one-time passwords and smart cards. All of these have drawbacks: they are expensive, not very secure, or difficult for businesses and end users to maintain. Mobile PKI, in comparison, offers a very easy-to-use and highly secure mechanism for digital authentication. It gives the user and the service provider security, ease of use, mobility, low usage cost, low maintenance and, most importantly, a legally qualified means of authentication.
Digital authentication with Mobile PKI is a very simple case for understanding how wireless public key infrastructure works for the user.
A mobile PKI authentication system involves a mobile signature service provider (MSSP) and a certification authority, in addition to the cellular service that carries short messages to the user.
The following is a typical flow that completes an authentication for web bank login:


Web bank login
  1. User opens the web bank page
  2. User enters their mobile number as the id and submits
  3. Bank receives the request, confirms that the user is registered in its system and sends the request to the MSSP for authentication using mobile PKI
  4. MSSP prepares an authentication message and sends it to the SMSC for delivery to the end user
  5. SMSC sends the message to the end user's mobile
  6. Mobile PKI client receives the message and asks the user for confirmation
  7. Mobile PKI client generates an authentication response signed by the private key and sends it back to the SMSC
  8. MSSP receives the response from the SMSC
  9. MSSP validates the signed content with the help of the certification authority
  10. MSSP returns a response with the authentication result to the web bank application
  11. Web bank grants or blocks access according to the authentication result
The user sees the following screens on the mobile during this process:

[Figure: Authentication message at mobile client]
The benefits of a mobile PKI system for users and service providers are ample and include, but are not limited to:
  1. No need for the user to keep a long PIN/TAN list or complicated passwords
  2. Perfect mobility, as the mobile phone is a 24-hour companion nowadays
  3. Fully secure transactions
  4. Cost effective for banks in comparison to other mechanisms
  5. A new business channel for the telecom operator
The above case is for the web bank login scenario, but it is similar for almost all types of login requirements, e.g. VPN access, mobile banking etc.

1 comment:

  1. Well described information on the typical flow that completes an authentication for web bank login. Indeed, incredible work by you. Thanks!
    digital signature infopath
