Cidway Secure Mobile Access Transactions Short 05 12

Jun 08, 2015

lfilliat

Achieve the level of security required by service providers of mobile applications with the simplicity the Consumer wishes...
Transcript
Page 1: Cidway Secure Mobile Access Transactions Short 05 12

Discover the future of security on www.cidway.com

SECURING ACCESS & TRANSACTIONS ON / FROM MOBILE

Page 2: Cidway Secure Mobile Access Transactions Short 05 12

THE LEVEL OF SECURITY YOU WANT TO ACHIEVE

THE LEVEL OF CONVENIENCE THE USERS WANT

Page 3: Cidway Secure Mobile Access Transactions Short 05 12

© 2012 CIDWAY Security SA. All rights reserved – www.cidway.com

Mobile Access & Transactions Today

Scenario 1: Static PIN Code on the Mobile application
•  Convenient but NOT secure
•  No Transactions’ signature!

Scenario 2: Mobile application + OTP from hardware Token or SMS
•  Secure, but NOT convenient
•  Expensive for the Bank
•  Potential Transactions’ signature!

Page 4: Cidway Secure Mobile Access Transactions Short 05 12

Mobile Access & Transactions with CIDWAY

Transparent 2FA, MA & TDS

Convenient & Secure

Embedded Cidway mSDK

✓  Improved Security, using time-based OTP
•  Strong Authentication (2FA)
•  Mutual Authentication (MA)
•  Transaction/Document signature (TDS)

✓  Simplified User Experience
•  Just a PIN to input
•  All security features transparent to the User

✓  Decreased Total Cost of Ownership
•  No additional hardware components
•  No additional software application
•  Less Support

✓  Simplified Deployment
•  Only one application with Cidway mSDK embedded

✓  Extended Scope
•  mBanking
•  mCommerce
•  mPayment
•  mHealth
•  Mobility
•  Etc.

Page 5: Cidway Secure Mobile Access Transactions Short 05 12

Secure Mobile Applications & Simplify User Experience

Improved Security
•  Secure Login with real time-based OTP
•  Sign Transactions/Documents/Data with time-based TDS
•  Mutual Authentication (Server authenticates to Mobile) with time-based OTP
•  Real time-based OTP (1 second increment) with time-stamping
•  Data encryption within SSL tunnel (in case it’s compromised) using synchronous OTP (without transmitting keys over the Network)
•  No-PIN patented protection (PIN Code not stored on the mobile, never transmitted over the network, nor stored on the server)
•  Embedded Secure Virtual Keyboard
•  Jailbreak/Root detection – even prevents Xcon (iOS)
•  Anti-cloning solution (based on signed Logs & hardware binding)
•  Secure Download from mobile public stores (to prevent a rogue application from stealing the User’s credentials)
•  Secure provisioning process on the fly
•  Support of multiple devices for one User with multiple keys (even if the same PIN Code is used)

Simplified User Experience
Enable high-level security without additional components/elements, in a transparent way for the User
•  Easy Login (secured by a transparent 2FA & Mutual Authentication): just input a PIN Code
•  Easy Transaction/Document Signature (signing the entire Transaction Data): just input a PIN Code, no additional data to input
•  Easy Registration Process & Renewal process (when phone is changed/lost/stolen)
•  Automatic & transparent time-resynchronization, even if the User changes the clock of his phone
•  Multiple Devices with same PIN Code (without additional security risks)
•  Multiple Users on the same device

Seamless Integration
Simple integration of Cidway SDKs into existing or future Applications
•  Integration of MobileSDK into existing mobile application (native mSDK available for all platforms)
•  Integration of ServerSDK (available on any OS, agnostic of Databases & Users Directory) into existing Application Server or Authentication Platform
•  Professional Services & Training readily available from Cidway with significant experience
•  Potential adaptations/modifications, as it’s Cidway’s own source code

Page 6: Cidway Secure Mobile Access Transactions Short 05 12

Integration of CIDWAY SDKs

1.  Integration of CIDWAY MobileSDK into existing Mobile Application
2.  Integrate ServerSDK or Interface GaiaServer
•  Integration of CIDWAY ServerSDK into existing Application Server or Authentication Platform (available on any OS, agnostic of Database & User Directory)
•  OR Interface of CIDWAY GaiaServer with existing Application Server

[Diagram labels: APPLICATION SERVER (mBanking, mCommerce, mPayment, Mobility, etc.), CIDWAY mSDK, Cidway ServerSDK, Cidway Gaia Server, WebServices]

Page 7: Cidway Secure Mobile Access Transactions Short 05 12

User Experience & Process: Secure Access & Transaction/Data Signature

The simplest User Experience

Fully transparent for the User

SECURE ACCESS

TRANSACTION SIGNATURE

Page 8: Cidway Secure Mobile Access Transactions Short 05 12

Business Cases

mBanking
✓  Strong Authentication
✓  Mutual Authentication
✓  Transaction Signature
✓  End-to-end data encryption
✓  Anti-cloning
✓  Jailbreak/Root detection

Mobility
✓  Secure & simple authentication of Users
✓  Multiple Users per device
✓  Document Signature (including data integrity & time-stamping)
✓  Complementary to MDM

mCommerce
✓  Secure mCommerce transactions (Transaction Signature, protects also CC data)
✓  Simplify User Experience
✓  Automate 3DSecure transactions on Mobile

mHealth
✓  Secure Access to medical records
✓  Sign data when records modified and/or added
✓  Authenticate patient
✓  Secure patient data communication

Page 9: Cidway Secure Mobile Access Transactions Short 05 12

FAQ on Mobile Authentication

✓  What are the risks if I lose my phone?
✓  What are the risks of downloading a rogue application from a mobile public store?
✓  How easy is it to activate the application and what are the risks during the process?
✓  Is the User Experience really easy?
✓  What are the risks of brute force, man in the middle and other sophisticated attacks?
✓  Did the application pass penetration tests?
✓  What are the coding techniques to guarantee top security?
✓  Are the credentials transmitted over the air? What are the risks?
✓  Is it real time based? With time-stamping?
✓  What happens when the user changes the phone’s clock?
✓  Does it work on all Mobile platforms?
✓  Does the solution considered support real time-based OTP, mutual authentication & transaction signature?
✓  Does the solution support Jailbreak/Root detection (even with xcon on iOS)?
✓  Does the solution embed a secure virtual keyboard?
✓  Does the solution support end-to-end data encryption within the SSL channel?
✓  Does the solution prevent Cloning?
✓  Is the secret key protected from mobile backups, which are usually not encrypted and potentially stored on the cloud?

Cidway Mobile technology is the answer