Wallets and Authentication using Phone-based OOB-schemes

Hi,
Although it would be cool with a browser-based wallet, it hasn't happened.
What has happened and on a major scale as well is using mobile phones as OOB (Out Of Band) wallets.

AFAIK, the biggest e-commerce network of all, China's Alibaba uses mobile phones as a
confirmation method which is more convenient and securer than CNP (Card Not Present).

Since browser plugins have been "outlawed", Sweden's BankID  also turned
to an OOB-scheme which is far from perfect but allows them to use client-PKI in a
mobile container.  It works like this:
1.  The user creates a tentative logon using a claimed identity
2. The BankID app is used to hook into this session and provide a PKI-signed assertion
3. If the claimed and asserted identities match, the user is logged in.

I once created a variant of BankID which doesn't rely on hard-coded URLs and pre-authentication:
https://openkeystore.googlecode.com/svn/resources/trunk/docs/QR-ID-presentation.pdf#page=3
https://play.google.com/store/apps/details?id=org.webpki.mobile.android

Given the complete standstill on SDO activities for marrying smart cards with the web,
using mobile phones in OOB-mode indeed turned out to be the right move!

Anders

Received on Tuesday, 10 March 2015 07:11:59 UTC