OTP for SWIFT Authentication
Background
SWIFT is already used by nearly all the international banks worldwide, starts from the year of 2016, it launched some security tools to protect its customers’ SWIFT access, among them 2-Factor Authentication (2FA) is one of the most important ones.
Ever since Alliance Access version 7.1.20, 2FA is mandatory for all users, which means to login to Alliance Access, besides the user name and the static password, a user also has to into a one time password (OTP) code. And currently, the SWIFT 2FA only supports authenticator mobile app, but some bank may not allow their employees to use their own mobile phones, and some employees may don’t want to use their own phones for work.
Solution
Our NFC OTP tokens and OTP cards could be used for SWIFT 2FA, with our tokens/cards, a user can login to SWIFT service (like Alliance Access) without bringing his own phone, the enrollment process would be like below:
1. When a user sets up 2FA for Alliance Access, it will display a QR code
2. The user can use our Authenticator mobile App to scan that QR code
3. Connect the our Authenticator mobile App with our OTP token/card through NFC
4. Program the OTP information into our OTP token/card
5. Enter the 8-digits OTP code generated by our OTP token/card to finish
After the enrollment process, no mobile phone will be needed to login to Alliance Access, our token/card will work as the second factor for users to authenticate to SWIFT 2FA.
OTP Seed Programming Solution
Background
OTP tokens (and OTP cards) are already widely used for 2FA by banks, government agencies and even end users in their daily lives to protect their bank accounts, work environments and online services such as Facebook, Dropbox, etc. The 6-or-8 digits ever-changing code (usually every 30 or 60 seconds) can efficiently prove the user’s identity, and more importantly, since each code can be used for one time only, OTPs are not vulnerable to replay attacks.
Each OTP token/card usually has a pre-loaded/programmed secret key (also called seed), based on which that 6-or-8 digits code will be generated/calculated. But for some customers (such as government agencies, or banks), they may have security concerns about allowing the token vendors to get in touch with the seed information.
Solution
As the world leading identity provider, can solve their security concerns by offering not just one but three onsite seed programming solutions for different customer requirements, to give them the total control over their seed data:
1) Programming seeds to our OTP tokens/cards with a dedicated contact-less Seed Programmer
With the reader-liker our Seed Programmer you can (re)program our OTP tokens/cards all by yourself, without the need to disassemble the tokens. The Seed Programmer can use our propitiatory contact-less protocol to communicate with the tokens/cards, to program the seeds and validate tokens/cards. Together with our Seed Management system you can manage the whole seed life cycle, from seed generation, to seed storage, seed distribution, seed transporting and seed programming, you can fully control the whole process of the seed’s production, and thus achieve the highest security.
This solution suits banks, government agencies or big corporations with dedicated administrator or operators to handle the whole process of seed generation, seed programming and token/card distribution.
2) Programming seeds to our OTP cards with NFC-enabled Mobile Phone or Card Reader
More and more professional software and online services are using 2FA with OTP to protect their users/customers, usually they can generate a QR code which contains the seed information, a user can use a NFC-enabled Android phone to scan that QR code and then program the seed data into our NFC OTP Cards, thereafter the OTP cards could be used as the second factor to identify the users.
For people those who don’t have NFC-enabled Android phones, our can also offer you the choice to do the seed self-programming by using a NFC Card Reader, the operational process are similar to the one with NFC phones, the only difference would be: instead of using the smart phone to scan the QR code, you can use our PC software to get the seed data.
There is a long list of supported services for this solution, such as SWIFT Alliance Access, Citrix Netscaler, IBM Verify, Docusign, TeamViewer, Facebook, Dropbox, Gmail and so on and so on.
3) Programming seeds to our OTP tokens without extra devices
Our optical OTP token is a revolutionary device, embedded with eight optical sensors, with which the token can read seed information from a flickering image displayed on a PC or even smart phone, and then do the seed programming all by itself.
That flickering image can be easily integrated into online banking pages or corporate’s web portal, and one optical token can support up to five applications/accounts, which means the user can use one single token to protect his bank account, work environment, and also some daily online services.
Since the optical token doesn’t need an extra device for the seed programming, it could be the perfect solution for customers who don’t want to (or is not allowed to) use their personal device.
DCVV Solution
Background
A card not present transaction (CNP) is a payment card transaction made where the cardholder does not or cannot physically present the card for a merchant's visual examination at the time that an order is given and payment effected. It is most commonly used for payments made over Internet.
Card not present transactions are a major route for credit card fraud, because it is difficult for a merchant to verify that the actual cardholder is indeed authorizing a purchase.
The card secure code (CVV in most case) system has been set up to reduce the CNP fraud, however it is still insecure to rely on a static 3(or 4) digit number to protect cardholder’s property.
In this case, a solution of constant change CVV code will greatly improve the protection against CNP.
Solution
The DCVV (or DCSC) card is a credit card with a screen to show an time based one time password. Unlike normal OTP token/card are using OATH standard, the DCVV is following VISA/MasterCard/UnionPay Dynamic CVV requirements.
To bring a DCVV solution into the market, require 3 key parts:
1) Physical card
The physical DCVV card is a security device with standard ID-1 card form, which contains:
- A smart card chip to download the financial applets;
- The complete card surface printing (without the embossment fonts);
- The hologram and signature panel;
- A flexible circuit board with battery and screen to show the DCVV value;
- The card will requires cold lamination process for the manufacture part.
We can do the whole manufacturing process and provide the physical card.
2) Personalization
Normally, all credit cards requires personalization before final issuing. In this stage, the bank will find an personalization provider, who will download the sensitive data into the card.
In normal credit card case, this process will download the credit card applet with the cardholder info into the card, and do the embossment etc. In DCVV card case, there will also be requirements about download the dynamic CVV info into the card, including the secret key and the time.
Since the card is using special communication protocol, in this part, we will provide devices and guidance to help the personlization provider to interact with the card.
3) Authentication System
There will be a back-end server required for the authentication of the DCVV, normally it will be a extra authentication compare to the standard credit card transaction.
The bank server will send the related info to the authentication server and wait for the reply once it received the payment requirement. The Authentication system is our modified OTP server which supports the DCVV’s algorithm.
We will help the bank to deploy the authentication system, and provide guidance for the possible customization on the bank’s existing system.
System Logon Solution
Background
PKI tokens are already widely used for 2FA in multi-fields, banks, enterprises, government agencies and even end users in their daily lives to protect their online transactions, document signing, online tax and other services. Another important feature is that protect user’s system logon.
Logon to system maybe the most common thing to do every day, users need to input the password every time and also may worry about to lose it or not secure if the password is too simple, so traditional password is low-efficiency and low security level, obviously a more secure and easier method could help users to enhance their work efficiency and security. FEITIAN’s system logon solution bring such method to users.
Solution
As the world leading identity authentication provider, can solve users concerns by offering system logon solution for PKI products in Windows and Mac OS, the solution will work with 3rd party software together:
Windows system
Work with EIDAuthenticate (from https://www.mysmartlogon.com/), as most logon programs require specific smart card driver, storage facility on the smart card itself or user process authentication, this program is the only one which does the authentication inside of the security kernel of Windows (lsass.exe) : even with signature only card, your data is safe. For example, EIDAuthenticate is the only solution supporting natively the windows “force smart card logon” policy, used to secure the local administrator accounts in data centers or to comply with HSPD-12.
Our PKI tokens provide secure medium to store the system logon digital certificate which generated by EIDAuthenticate, and implement Windows system logon with token PIN after finish the configuration of EIDAuthenticate. A smart card account will be shown in the Windows logon interface when restart the system and plug ePass PKI token, just click the account and input the token PIN to logon.
Mac OS with Our PIV
Mac OS already supported PIV natively, just enable the pairing function in system, and plug PIV token/card into system to finish the pairing, after that, just restart or log off the system and then the logon interface will show the logon option with PIN.
Mac OS with Our GIDS
Work with OpenSCToken (re-build by us) to implement Macos smart card logon. OpenSCToken is actually use CryptoTokenKit which is Apple's take on programmatic access to smart cards and other tokens. It provides both low level access to tokens (comparable with PC/SC) and high level access for system wide integration of a token (comparable with Windows Smart Card Minidriver).
Our GIDS token/card is able to work with OpenSCToken application, just install the OpenSCToken which rebuild by us in Mac OS, and enable the pairing function in system, and plug GIDS token/card into system to finish the pairing, after that, just restart or log off the system and then the logon interface will show the logon option with PIN.