Alipay gives some serious market cred to Nok Nok Labs and the FIDO standard


Nok Nok Labs has announced that Alipay will use Nok Nok's NNL S3 Authentication Suite to authenticate payment users on future versions of the Samsung Galaxy S5. The NNL S3 technology will provide access to the Alipay Wallet application via the Galaxy S5's fingerprint sensor (which I hope that Samsung has fixed by now). That's a major win for both Nok Nok Labs, a Silicon Valley startup in business since November, 2011 - and for the FIDO Alliance, of which Nok Nok Labs is a founding member. FIDO is an industry consortium, launched in 2013, that provides a standard implementation framework for "post-password" authentication. Its stated mission is to get rid of passwords as the world's default authentication method, and replace them with something more secure, standardized, and suited to the emerging, multichannel IoT world. NNL S3 is a FIDO-compliant authentication management platform for operation by service providers (including enterprises), that's technically agnostic to the endpoint form of authentication. So it supports not only fingerprint biometrics, as with the Galaxy S5, but also voice biometrics, face biometrics, secure elements, trusted platform modules, removable tokens, and others (of which there are many).

I think the announcement wasn't timed real well, as it was completely overshadowed by the Apple Pay launch a couple of days earlier. However, this is also a very significant step in the global evolution of mobile payments. Alipay, often referred to as "China's PayPal" (although it's more appropriate now to say that PayPal is America's Alipay), has an existing mobile user base of 100 million, and 80 percent of China's mobile payments market share. And with Samsung commanding 12 percent of the smartphone market in China, we're talking millions and millions of users out of the gate for the new Galaxy S5. As sexy as Apple Pay is, Apple and its posse of partners have some way to go before they get anywhere close to Alipay's market weight.

Via The Paypers (sic)

Rabobank to sign online banking transactions with VASCO's CrontoSign


Rabobank is introducing VASCO's CrontoSign technology to sign online banking transactions. CrontoScan is basically a DIGIPASS token (Vasco's widely used OTP generator that authenticates users at login), with an added camera and new functionality. When the user sets up a transaction during a banking session, the bank server generates a color QR code, which is displayed on the user's computer screen. The QR code is a cryptogram of the intended transaction data. The user takes a picture of this with the camera on the token device. The device then decrypts the QR code and displays the transaction data, as entered by the user, on the token device. The technology is claimed to be effective against MITM attacks (no security details are provided, so can't comment on that one way or the other, but it looks like a classic TAN technique). The CrontoScan technology was originally developed by Cronto, a UK startup which Vasco acquired in May, 2013. Cronto still maintains its own website. The Rabobank version is branded as 'Raboscan'.

Via the Paypers (sic)
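To show why binding the confirmation code to the transaction data blunts a man-in-the-middle, here is an added sketch of a generic transaction-signing flow; it is not code from VASCO, Cronto or Rabobank, whose actual scheme is not published on this page. It assumes a per-device shared secret and swaps in HMAC authentication for the encrypted QR cryptogram; all names, account strings and the key are constructed for illustration.

```python
import hashlib
import hmac
import json
import secrets

# Constructed demo key (assumption): stands in for a secret provisioned to the token.
DEVICE_KEY = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)


def _mac(key, label, data):
    return hmac.new(key, label + b"|" + data, hashlib.sha256).digest()


def server_make_challenge(key, payee, amount):
    """Bank side: encode the transaction exactly as the server received it."""
    body = json.dumps({"payee": payee, "amount": amount,
                       "nonce": secrets.token_hex(8)}, sort_keys=True).encode()
    return body + _mac(key, b"challenge", body)  # payload that would go in the QR code


def device_read_challenge(key, challenge):
    """Token side: authenticate the payload, return details to display and the code."""
    body, tag = challenge[:-32], challenge[-32:]
    if not hmac.compare_digest(tag, _mac(key, b"challenge", body)):
        raise ValueError("challenge was not issued by the bank")
    details = json.loads(body)
    code = int.from_bytes(_mac(key, b"response", body)[:4], "big") % 10**8
    return details, f"{code:08d}"


def server_verify(key, challenge, code):
    """Bank side: the code is valid only for the transaction it was derived from."""
    body = challenge[:-32]
    expected = int.from_bytes(_mac(key, b"response", body)[:4], "big") % 10**8
    return hmac.compare_digest(f"{expected:08d}", code)


def demo():
    """Constructed scenario: the request is altered before it reaches the bank."""
    intended = ("NL01 ALICE", "25.00")
    received = ("NL99 MALLORY", "25.00")
    ch = server_make_challenge(DEVICE_KEY, *received)
    shown, code = device_read_challenge(DEVICE_KEY, ch)
    mismatch_visible = (shown["payee"], shown["amount"]) != intended
    other = server_make_challenge(DEVICE_KEY, *intended)
    return mismatch_visible, server_verify(DEVICE_KEY, ch, code), server_verify(DEVICE_KEY, other, code)
```

The protection rests on the user reading the token's display: the token shows what the bank actually received, and a code produced for one transaction does not verify for another.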

Authentication by waving things around


Taiwanese startup AirSig has come up with one of the more novel password replacement technologies that I've seen. It identifies you by the unique way you wave things around in the air. If the thing you're waving happens to be an AirSig enabled smartphone, then all you have to do is "write" the name in the air of whatever it is you want to access, and you're in. For example, for Facebook you'd write "FB". Kind of like air guitar, only you're writing instead of rocking it.

AirSig's technology, Air Signature, uses g-sensors in the smartphone's onboard gyroscope to identify a user's personal shaking pattern.

Consumer takeup will be determined in large part by how many people aren't too embarrassed to be seen, seemingly randomly, waving their arms around in the air as they go about their day. Count me out there, but I guess given the number of folks who think nothing of walking around while looking down at their phones, AirSig could have an audience of millions. Foxconn thinks so, and just invested $2 million in the company.

Here's a promotional video for Air Signature:

(Via TechCrunch)

New Host Card Emulation white paper from Smart Card Alliance


The Smart Card Alliance has published a new white paper on HCE titled HCE 101, which does a good job of analyzing the security pros and cons of HCE vs. "traditional" NFC, and of generally explaining how HCE works. Well worth a read if you're following the progress of this disruptive technology, which I'm doing with a view to how it's changing the payments space.

via Smart Card Alliance

Locks, keys, and passwords have all seen their heyday


When I first started paying attention to smartphone-based locks, I was worried about them being hacked and their batteries going dead. Still am. I initially thought that we would still be defaulting to physical locks and keys for some time to come. But it turns out that those are compromised as well, with usable replicas of some of the most secure keys - so-called bump keys - now able to be 3D printed.

With passwords falling out of favor at the same time (for good reason), we're going to have to reinvent how we securely access things, both physical and virtual, in the future. Very interesting times are ahead for authentication and access management technology. I guess we'll end up with an electronic something or other with wearables, biometrics, device fingerprinting and data analytics somewhere in the mix, but I expect a good bit of trial, error, security incidents, and maybe a startup bubble between now and then. The key (as it were) will be to strike that magic and elusive balance between security, usability, speed, and cost.

via Wired