Strong Adaptive Multi‐Factor‐Authentication
XignQR introduces a smart mechanism for authentication – called adaptive multi‐factor authentication (A‐MFA) – that makes use of the user’s and the service provider’s preferences. The authentication factors can be dynamically negotiated during the authentication process. A login into a website can, for example, be done by scanning the QR Code without any further interaction, exposing only a unique user‐pseudonym for that service. But if a user wants to unlock a car‐sharing vehicle, he can be required to enter a PIN, to use a biometric factor or even a combination of several factors.
Authentication as a Service
In addition, the infrastructure of the XignQR system can be used not only to authenticate users, but also to authenticate any system against another. That means XignQR can also be applied in the context of the Internet of Things and Industry 4.0.
80.1.3 Affected Markets
National borders do not limit today’s markets. Trading has developed into a globally interacting ecosystem. As part of the digital transformation the EU released the eIDAS regulation [4]. The eIDAS regulation enables the digitalization of all paper‐based processes for national and international trading. XignQR, relying on digital signatures and smartphone‐based A‐MFA in combination with eIDAS, enables usable mobile digital signatures for legally signing documents, transactions, bills and other data in the cloud. This leads to a completely new set of use cases, simplifying our private and business lives.
80.2 Concepts
This chapter focuses on some of the core concepts of the XignQR system, which enable the development of new markets, such as mobile shopping, but also secure existing markets such as Online‐Banking, Online‐Shopping and authentication in general. The main idea behind XignQR is the separation of the user data that is necessary to fulfill a service, the identification of the service and the authentication process itself. The general idea is to have a QR Code to dynamically identify a service, the user’s personalized smartphone to authenticate the user and the trusted third party as trust anchor, see Fig. 80.2.
Fig. 80.2 Concept of the components’ interaction
80.2.1 Requirements
A modern and secure authentication system must fulfill several requirements to be widely accepted. Since acceptance is a requirement for the use of the system itself, we list the most important requirements:
- High level of security and low complexity
- Balance between security and usability
- Simple integration in existing systems
- Interoperability, flexibility and maintainability
- Protection of data and data thrift
- No additional hardware requirement (such as card readers)
- Transparency and informational self‐determination
- Simple to manage
XignQR addresses these requirements through the use of existing technologies. The widespread adoption of smart devices and the XignApp, as a part of the XignQR system, enable the use of the QR code as an entry point for authentication and thus the elimination of passwords in many different scenarios.
80.2.2 Registration & Identification
Digital identities build the foundation of authentication in the digital world. These identities are generated when the user registers with a service provider and consist of parts of the user’s real identity. Since the validity of the data is essential to the service provider, collecting the data in a trustworthy manner is crucial. The trustworthy collection of data is referred to as identification and is one of the most important features provided by the XignQR system. XignQR supports four levels of identification, the trust levels. Each level is distinguished from the others by the trustworthiness of the collected data.
Level 1 – Not Verified
The user types in his personal data manually. The data has no trust anchor and is not verified. As a trusted third party does not verify the data, Level 1 is the lowest trust level supported by XignQR.
Level 2 – E‐Mail Verification
The user verifies his identity via e‐mail. During registration the user has to provide his e‐mail address to which the system sends an e‐mail containing a special link. Following this link verifies the possession of the provided address and thus the identity of the user. Since the only verified data is the e‐mail address itself, this level is suitable for authentication at blogs or social networks, but not at e‐business websites.
Level 3 – VideoIdent
The user proves his identity via video chat. A trained staff member, connected to the user through the video chat application, checks the user’s identity. The German Federal Financial Supervisory Authority (BaFin) approved this form of identification in 2014, and today several businesses have emerged that provide or use such mechanisms to identify their users at registration. Identification via VideoIdent is used especially in Germany since, on the one hand, the eID functionality of the new German ID card, which allows the card to be read electronically, is not activated in most of the issued cards. On the other hand, many service providers do not support eID, as the required security infrastructure is very expensive. The use of VideoIdent only results in level 3 trust because the person checking the identity of the user can make a mistake at some point, which results in accepting false data or manipulated ID cards.
Level 4 – eID
The user proves his identity via the eID functionality of his ID card. Since the data read from the card is sovereign information and the process of collecting the data is not prone to human error, it is very trustworthy [5]. Registration via the ID card results in the highest trust level supported by the system, because the design of the ID card guarantees confidence in the data read. It has to be added that the security of and the confidence in the data is achieved through a trade‐off in usability, because every workstation must have an NFC card reader and an eID client installed.
The data that is collected during the registration and identification process is converted into a distinct ID, the so‐called derived identity. The derived identity can be represented in different formats, one of which is a representation as a digital certificate, which is used by XignQR. The digital certificate (i. e. the derived identity) is installed on the user’s device during the personalization process and is subsequently used to authenticate against the system.
Personalization
The personalization process takes place right after the registration is completed. It consists of several stages involving the generation of digital certificates by a Public Key Infrastructure (PKI), binding the certificates and cryptographic keys to the device and storing necessary information in the system and on the device.
80.2.3 Strong Adaptive Multi‐Factor‐Authentication (A‐MFA)
Authentication is achieved through interaction of all components of XignQR. This way XignQR offers strong and usable MFA providing several features such as pseudonymity to prevent tracking of users across multiple domains or services.
New Factors for Multi‐Factor‐Authentication
In addition to the known factors possession, knowledge and inherence, XignQR realizes new combinations of factors. Through the cryptographically bound hardware token (XignSC) a new scheme called multiple possession is introduced, by which the requirement to input a PIN is eliminated. Authentication via PIN and VideoIdent can be requested for access management in high‐security environments or for critical processes. During authentication the user must then present his ID card and type in his PIN to complete the process.
Multi‐Layered Security
Since the system relies on smart devices as personal authentication devices, the sensors of the device can add to the security of the authentication process. In general the information used is called contextual information and consists of GPS data, network information and data of other sensors such as the gyroscope or the acceleration sensor. The information is processed and analyzed by the system to increase the trust in the authentication process. The processed information can be used to detect fraudulent behavior and forms the basis for requesting additional authentication factors during authentication.
Choose the Required Authentication Factors
The user can choose the authentication factors that are required for the use of the XignApp. For non‐critical applications he can, for example, forgo the use of a PIN and is thus able to use the XignApp without further interaction. That means the user can set his own personal security level. While this might be beneficial for the user, the security of a service provider can also be jeopardized through this mechanism. As a result, the choice of the right authentication factors depends on both parties, the user and the service provider. If a user’s personal security level is too low, the service provider is able to enforce a certain security level for the authentication.
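To make the negotiation described above concrete (the user’s personal security level, the provider’s enforced minimum, the multiple‐possession substitute for the PIN from 80.2.3 and the contextual step‐up from “Multi‐Layered Security”), here is an added Python model that is not part of the chapter or of XignQR’s own code. The risk‐flag names, the keyed‐hash derivation of the per‐service pseudonym and the exact XignSC substitution rule are assumptions of this example.

```python
import hashlib
import hmac

# Factors named in the text: the classic three plus "multiple possession",
# where a second cryptographically bound token (XignSC) stands in for the PIN.
POSSESSION, KNOWLEDGE, INHERENCE, MULTI_POSSESSION = (
    "possession", "knowledge", "inherence", "multiple_possession")


def negotiate_factors(user_choice, provider_minimum, has_second_token, risk_flags):
    """Decide which factors one login must present.

    user_choice      - factors the user enabled as a personal security level
    provider_minimum - factors the service provider insists on
    has_second_token - the user carries the second possession token (XignSC)
    risk_flags       - contextual signals raised by the server; the flag names
                       and thresholds here are this example's assumptions
    Scanning the QR code already proves possession of the personalized phone,
    so that factor is always present, and the provider can only raise the bar.
    """
    required = {POSSESSION} | set(user_choice) | set(provider_minimum)
    # Multiple possession eliminates the PIN entry (the text's new scheme).
    if KNOWLEDGE in required and has_second_token:
        required = (required - {KNOWLEDGE}) | {MULTI_POSSESSION}
    # Contextual information can demand additional factors on top; a
    # risk-triggered PIN is not substitutable, so it is added afterwards.
    if risk_flags.get("new_location") or risk_flags.get("unknown_network"):
        required.add(KNOWLEDGE)
    if risk_flags.get("impossible_travel"):
        required.add(INHERENCE)
    return frozenset(required)


def service_pseudonym(user_secret: bytes, service_id: str) -> str:
    """Pseudonym exposed to one service: stable there, unlinkable elsewhere.

    The text only says a unique per-service pseudonym is exposed; deriving it
    with a keyed hash of the service id is this example's assumption.
    """
    return hmac.new(user_secret, service_id.encode(), hashlib.sha256).hexdigest()[:32]


if __name__ == "__main__":
    # Constructed scenarios from the text: frictionless blog login versus a
    # car-sharing unlock that forces PIN plus a biometric factor.
    print(sorted(negotiate_factors(set(), set(), False, {})))
    print(sorted(negotiate_factors({KNOWLEDGE}, {INHERENCE}, False, {"impossible_travel": True})))
    print(service_pseudonym(b"constructed-user-secret", "blog.example"))
```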
Smartphone as a Secure Display
While using password‐based authentication mechanisms the user has no assurance that the display shows correct data. XignQR provides a secure display using the smartphone and the XignApp. The XignApp shows information about the service provider. Additionally the user can choose which personal information is transferred to the service provider. If the authentication takes place in the course of carrying out a transaction, the XignApp also shows the transaction data which will be processed by the server, see Fig. 80.3. The user can verify the validity of the shown data. Any tampering can thus be recognized and the invalid transaction can be cancelled.
Fig. 80.3 XignApp with data to be verified before signing. Example payment transaction
80.2.4 Beyond Authentication
For the process of digitalization it is necessary to have trusted and legally binding processes. The foundation for legal digital processes is electronic signatures. As mentioned, the European Union has released the eIDAS regulation. The eIDAS regulation allows two new kinds of electronic signatures. The first one is the creation of electronic seals. Electronic seals are signatures bound to legal instead of natural persons. The second innovation is the possibility to create legal electronic signatures in the cloud, the Remote Qualified Electronic Signatures (rQES).
Remote Qualified Electronic Signatures
With rQES the user has the possibility to digitally sign contracts and documents and to check out shopping carts of online shops while on the go. Due to that fact many new use cases are emerging. The creation of legal electronic signatures needs a very high level of trust and confidence. Therefore strong identification and authentication are mandatory. XignQR with its smartphone‐based A‐MFA offers an authentication form that allows the creation of rQES. Furthermore, the QR‐code‐initiated authentication process matches the flexibility and usability that is necessary to reach many users and service providers.
For the user and for the service provider the sequence for creating an rQES is very similar to the authentication process. The service provider sends the data that should be signed to the XignQR signing service and receives a QR code. The user scans the QR code with his XignApp. To be able to validate the data, the XignApp displays the corresponding information to the user before signing, see Fig. 80.3. If the user accepts the data and initiates the signing process, the strong authentication process is started. On success the data is signed on the server side and transmitted to the service. For the user the whole process is as easy as the authentication process.
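The signing sequence just described, and the secure‐display check from 80.2.3, modelled as an added Python example that is not the chapter’s or XignQR’s own code: the signing service keeps one session per QR code, the app displays the session’s data so the user can compare it with what the browser showed, and the server signs only what the user confirmed. The session format and the HMAC stand‐in for the server‐side qualified signing key are assumptions of this example.

```python
import hashlib
import hmac
import json
import secrets
# Placeholder for the qualified signing key the text keeps on the server side.
SIGNING_KEY = b"placeholder-server-side-signing-key"

def canonical(data: dict) -> bytes:
    return json.dumps(data, sort_keys=True, separators=(",", ":")).encode()

def digest(data: dict) -> str:
    return hashlib.sha256(canonical(data)).hexdigest()

class SigningService:
    def __init__(self):
        self.sessions = {}  # trusted third party: one session per QR code

    def create_session(self, provider: str, data: dict) -> str:
        """Step 1: the provider submits the data to sign, gets the QR payload."""
        sid = secrets.token_hex(8)
        self.sessions[sid] = {"provider": provider, "data": data, "state": "pending"}
        return json.dumps({"session": sid})

    def fetch_for_display(self, sid: str) -> dict:
        """Step 2: the app fetches provider name and data for its secure display."""
        s = self.sessions[sid]
        return {"provider": s["provider"], "data": s["data"]}

    def confirm(self, sid: str, confirmed_digest: str, authenticated: bool) -> dict:
        """Steps 3-4: after strong authentication, sign exactly what the user saw."""
        s = self.sessions[sid]
        if not authenticated:
            s["state"] = "rejected"
            return {"status": "authentication failed"}
        if not hmac.compare_digest(confirmed_digest, digest(s["data"])):
            s["state"] = "rejected"
            return {"status": "confirmed data does not match session"}
        s["state"] = "signed"
        sig = hmac.new(SIGNING_KEY, canonical(s["data"]), hashlib.sha256).hexdigest()
        return {"status": "signed", "data": s["data"], "signature": sig}

def app_scan_and_sign(service, qr_payload: str, user_accepts, authenticated=True):
    """XignApp side: scan, show the session data so the user can compare it with
    what the browser showed, and confirm only if the user accepts."""
    sid = json.loads(qr_payload)["session"]
    shown = service.fetch_for_display(sid)
    if not user_accepts(shown):
        service.sessions[sid]["state"] = "cancelled"
        return {"status": "cancelled by user"}
    return service.confirm(sid, digest(shown["data"]), authenticated)

def verify_signature(signed: dict) -> bool:
    """Provider-side check; with a real key pair this would be a public-key verify."""
    expected = hmac.new(SIGNING_KEY, canonical(signed["data"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, signed["signature"])
```

A manipulated browser page cannot change what the app shows, because the app reads the session from the signing service; the user's comparison in `user_accepts` is where the mismatch is caught.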
80.3 The Use Cases
This section focuses on the use cases that are covered by the XignQR system. The use cases are categorized and distinguished by different sectors.
80.3.1 Governance
Over the years governments started offering certain governmental services to their citizens to relieve the corresponding agencies of their workload, which in turn means a reduction of costs. The provided services range from the reservation of license plates to the notification of a change of one’s residential address. To fulfill their services these institutions have to identify the user. Since in Germany the majority of citizens refused to activate the eID functionality of their id cards only a few citizens are able to use the governmental services, because the agencies don’t support any other authentication mechanism.
With XignQR agencies are able to provide services to all users alike, as the data collected in levels 3 and 4 is sovereign and thus trusted.
80.3.2 Enterprise
In an enterprise there are lots of tasks that require authentication. Employees must authenticate to gain physical access to the premises of their workplace, typically realized via smartcard‐based employee ID cards. The employee then has to log into his workstation using his username and password, which were generated by the IT department of his employer.
Besides recovering lost and replacing stolen passwords, the IT department also has to enforce regular changes of these passwords, which adds to the complexity of IT management. The larger the enterprise, the larger the complexity of dealing with passwords. Since XignQR can be delivered as an on‐premise solution, these complexities can be dealt with easily, because XignQR does not rely on passwords but on a Public Key Infrastructure. Lost or stolen credentials can be revoked and replaced easily with a single click.
Alongside authentication, signatures also play a major role in larger enterprises. There are contracts, transactions or vacation requests that have to be authorized by a superior. Problems occur if one or more superiors are not available, due to illness or external meetings.
These problems are overcome using XignQR. Relying on asymmetric cryptography, the concept of digital signatures is used throughout the whole XignQR system. Using the smartphone enables superiors to easily sign whatever has to be signed. Additionally, the amount of paper used can be drastically reduced, hence enabling digital transformation.
80.3.3 Financial Sector
In the financial sector every single process needs a high level of confidence, ranging from access to the online banking portal, over stock trading, to all kinds of direct trading, B2C, C2C and B2B.
In particular, the security level and the usability level can vary over a very broad range in the financial sector. On the one side there are high‐value transactions that have to be confirmed by more than one person and must be strictly bound to a user; on the other side there are low‐value transactions, where the user wants the transaction to happen seamlessly.
XignQR with its ability to manage the level of trust between security and usability, is able to answer this challenge.
For example, a transaction that transfers a high value could be secured with a combination of three factors. Therefore the signature will only be created if the user is in possession of the XignApp, knows the corresponding PIN and a face‐recognition algorithm has verified the user’s identity by use of the smartphone camera.
A low value transaction could be signed using the XignAPP in combination with a PIN omitting the confirmation display.
80.3.4 xCommerce
Commerce and shopping use cases depend on transactions and user attraction. In the online environment a shop must be very easy to use. In the best case the user is able to purchase products without the need for long registration processes. If the user has to authenticate himself against the shop, the authentication failure rate must be as small as possible. If these criteria are not met, the shop will miss spontaneous purchases.
XignQR enables an online shop owner to focus on his products instead of the user‐management processes. A XignQR user can fill his shopping cart and start the direct checkout by scanning the displayed QR Code. The items of the shopping cart are concatenated with the user’s personal data and signed using the user’s personal cryptographic material. The shop owner is now able to invoice. With XignQR e‐ and mCommerce and retail trade can be easily connected. The QR Code does not only have to be generated dynamically: a static QR code can be used to identify items instead of service providers. An example in which retail trading and online commerce get in touch is the window shopping scenario, see Fig. 80.4.
Fig. 80.4 QR Codes as a bridge between retail trading and online commerce
80.3.5 Online – X
Most users will use XignQR for their daily online life, which consists of logging into blogs, social networks or other platforms that do not need much user information. Most sites operate on a single piece of verified information, i. e. the e‐mail address. Though these sites pose little to no harm to the user if credentials are lost or stolen (such as financial loss or endangerment of personal health), no one wants attackers to harm one’s online reputation. XignQR helps service providers such as blogs, platforms or other websites to prevent the takeover of accounts by attackers. XignQR is designed to be easily integrated into websites via several protocols such as SAML or OpenID Connect and facilitates the protection of user accounts.
Digital Marketplaces Unleashed Page 122