A Pragmatic Online Authentication Framework using Smart Cards

H. Karen Lu, Asad Ali, Kapil Sachdeva (1)
Gemalto, Austin, Texas, USA
{Karen.lu, asad.ali}@gemalto.com

Ksheerabdhi Krishna
Gemalto, La Ciotat, France
Ksheerabdhi.krishna@gemalto.com

Abstract - Like most security systems, designing a secure two-factor online authentication framework is hard, but designing one that is also intuitive to use and easy to deploy is even harder. A secure but overly complex framework may offer little security in the end because it never gets used, while an overly simplistic one that focuses merely on usability may gain initial acceptance but will inevitably lead to data breaches. To address this design paradox, we present a new online authentication framework that provides security, usability, and ease of deployment. This framework combines the proven hardware security of smart cards with the universal ease of web access through browsers, without imposing the deployment and usability complexities generally associated with conventional smart card systems. The resulting authentication solution is applicable to smart cards already deployed, intuitive for users, and convenient for service providers to both develop and maintain.

Keywords - Authentication; security; smart cards; usability.

I. INTRODUCTION

The Internet has undoubtedly been a phenomenal success, dominating every facet of our professional and social life. However, this success has partly come at the expense of a continuous barrage of security attacks against both users and service providers. Attackers employ various mechanisms to steal users' credentials. Some use social engineering to lure naive users into revealing their credentials [1], while others leverage network security flaws and web application vulnerabilities to attack web servers and their databases [2]. These attacks compromise confidential user data.
Some of this data can be user authentication credentials that enable attackers to impersonate users and gain subsequent access to additional user data and services. This is generally referred to as identity theft. Such theft is possible partly because the vast majority of online service providers still rely on username and password, a weak single-factor authentication method. Furthermore, since users tend to reuse the same password across multiple service providers [3], the potential damage resulting from a single stolen credential is amplified.

The weakness of password-based authentication can be addressed by using an authentication method that relies on multiple factors to verify a user's identity. For example, in addition to the password, the what-you-know factor, the authentication method may also require a what-you-have factor in the form of a separate physical token, or even a what-you-are factor in the form of biometric information. While there is some social skepticism around the use of biometric information, the use of dedicated physical tokens to provide a second authentication factor that complements passwords is gradually gaining acceptance with service providers dealing with high-value transactions [4].

In general, however, we still see many not-so-secure systems in use. One reason for this could be the inertia of the status quo; it is always hard to change an existing framework. Another reason is what we call economies of convenience. This notion is somewhat analogous to economies of scale, a microeconomic term that refers to the cost advantages a business obtains through expansion. Similarly, there is a cost advantage to having systems that are extremely convenient to use, even if they are not as secure.

_____________________________________________
1. This work was completed while Mr. Sachdeva was with Gemalto. Mr. Sachdeva is now working with HID.
Enterprises can then develop risk models for dealing with data breaches when they happen. As for average end-users, they generally turn a blind eye to security vulnerabilities as long as the systems they use are convenient and security threats are not imminent. However, the continued increase in the intensity and frequency of cyber attacks is beginning to challenge these well-established economies of convenience. Enterprises will eventually mandate stronger security measures once it makes better economic sense for them to lower the cumulative cost of data breaches by reducing the risk instead of managing it with their current models. We can reach this watershed moment either through an exponential increase in the number of data breaches, or by designing security systems that are more convenient to develop, deploy, use, and manage. It is the intent of this paper to propose a solution for the latter.

The rest of the paper is organized as follows. Section II describes why smart cards are excellent candidates for use as authentication tokens. Section III describes the existing smart card infrastructure and explains how it hinders widespread adoption of smart cards. Section IV introduces the SConnect technology that addresses the issues identified in Section III. Section V describes a two-factor online authentication solution based on SConnect and

84 SERVICE COMPUTATION 2011 : The Third International Conferences on Advanced Service Computing Copyright (c) IARIA, 2011. ISBN: 978-1-61208-152-6