21. CIDWAY GAIA / SESAMI Product Line: One server for multiple tokens
   - SESAMI Slim: Time based OTP Hardware token
   - SESAMI Mobile: Time based OTP Software token for mobile phones. SIM enabled
   - GAIA Server: Authentication platform
   - GAIA SDK: Authentication platform SDK
   - SESAMI Mobile SDK: Time based OTP Token SDK for mobile phones
   - SESAMI SMS: SMS based OTP for mobile phones
   SDK: Software Development Kit
24. CIDWAY SESAMI SMS
   FEATURES & CHARACTERISTICS
   - Low on-going cost
   - Strong two-factor authentication
   - No need for software installation or activation in the mobile
   - No secret stored in the mobile
   - User convenience – no need to carry any other device
   - User can change his mobile phone time zone or time
   - Easy management – no need to maintain stock and distribute hardware tokens
   - Easy deployment, no need for tokens maintenance
   - Works with any SMS enabled mobile phone or PDA
   OTP FEATURES
   - 8 decimal digits (or optionally 8 hex-digits)
   - Time-based combined with challenge-response
   - SHA-1 algorithm
   - Validity of few seconds (server parameter)
   - Automatic time management by the server
27. CIDWAY SESAMI Slim
   FEATURES & CHARACTERISTICS
   - Low on-going cost
   - Portable, personal and robust (3.2 mm thickness – credit card size)
   - 2 line clear LCD display
   - Replaceable battery (token’s data is not erased during battery replacement)
   - Time based OTP – new OTP every second
   - 8 characters length OTP (hexadecimal or decimal)
   - Initialization through a secure two way IR protocol using the SESAMI initialization set
   - Device protected by user-selected PIN (configurable parameter [0-15 tries])
   - Protection against token physical attacks (tamper evidence)
   - Protection against user physical attacks (stress PIN)
   - Customizable operational parameters
   - 12 operational buttons
   - No need for reader or other equipment
   - Customizable front panel
38. Mobile SDK for integration into any existing mobile application (*) S1-2009
39. CIDWAY Download (Sesami Mobile only)
   - Download Over the Air (Push, Pull)
   - eMail
   - PC Download
   - Pre-loaded
   - Bluetooth
   - Etc.
   Registration Options:
   - Automatic WAP registration
   - Manual user registration
   [Figure: Download Site (sample)]
53. Registration and Activation - Ability to ensure a convenient & secure registration procedure for CIDWAY mobile tokens
54. Time Management - Ability to time-stamp the OTP and Transaction Signature to the second and to allow an off-line (after-the-fact) verification of the OTP or the Signature.
60. Scenario 1 – Simple out-of-band Transaction Signature
   1. Login using Cidway’s OTP & two-way authentication; go to the Transfer page.
   2. Input Transfer information as usual (IBAN, Amount, date, etc). The web page will display all the fields for a bank transfer including IBAN.
   3. Input the 8 digits on the mobile phone and input the PIN Code (example: data 99969491, PIN Code ******). The Cidway Token will generate a 6-digit time based Transaction Code, using the data certification algorithm with the input data. The phone will display the Transaction Code (example: 560429).
   4. Input the displayed code on the Web page and VALIDATE (example: Tr. Code 560429, Amount 10’546.55). The Application server will receive all information and transmit IBAN & TrCode to the Authentication server, which will process an authentication & a data certification.
62. Security: prevents Bank Transfer information from being changed (MitM attacks), as Data Certification protects digits of the IBAN (and amount)
64. Simplicity: does not require encryption and integrates seamlessly into existing infrastructure
65. Improve ROI: same application can be used for mBanking, ATM fraud fighting, Login…
   The data to input on the phone can vary depending on the required level of security, and can also apply to the amount or any other data of the transfer. The CIDWAY Mobile application can be customized accordingly to match input fields (from 1 to 4, alpha, titles, etc.)
66. Scenario 2 – Challenged out-of-band Transaction Signature
   1. Login using Cidway’s OTP & two-way authentication; go to the Transfer page.
   2. Input Transfer information as usual (IBAN, Amount, date, etc). The web page will display all the fields for a transfer including IBAN, with 8 digits pre-highlighted (the Challenge – randomly selected (*), changed for each transfer).
   3. Input the highlighted 8 digits on the phone and input the PIN Code (example: data 92909941, PIN Code ******). The Cidway Token will generate an 8-digit time based OTP, using the data certification algorithm with input data from the web site. The phone will display the Transaction Code (example: 560429).
   4. Input the displayed code on the Web page and VALIDATE (example: Tr. Code 560429, Amount 10’546.55). The Application server will receive all information and transmit IBAN & TrCode to the Authentication server, which will process an authentication & a data certification.
   (*) see next slide
68. Security: prevents Bank Transfer information from being changed (MitM attacks), as Data Certification protects digits of the IBAN (and amount), here selected randomly
70. Simplicity: does not require encryption and integrates seamlessly into existing infrastructure
71. Improve ROI: same application can be used for mBanking, ATM fraud fighting, Login…
   The number of pre-highlighted digits can vary depending on the required level of security, and can also apply to the amount or any other data of the transfer. Taking into account the IBAN structure, the pre-highlighted digits, even though selected with a random generator, should always include digits in the Bank Code, Branch Code and Account.
   IBAN format: ESkk BBBB GGGG KKCC CCCC CCCC (B = bank code, G = Branch/office number, K = Check digits, C = account No.)
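A sketch of the challenged signature from Scenario 2, added here as an example and not CIDWAY's code. The data certification algorithm is not given on the page, so HMAC-SHA-1 with RFC 4226 truncation stands in for it; the key, the 30-second step, the drift window and all function names are assumptions.

```python
import hashlib, hmac, secrets, struct

# Offsets in a 24-character IBAN laid out as ESkk BBBB GGGG KKCC CCCC CCCC
FIELDS = {"bank": range(4, 8), "branch": range(8, 12), "account": range(14, 24)}
STEP = 30  # assumed validity window in seconds (the page only says "few seconds")

def pick_positions(n=8, rng=secrets.SystemRandom()):
    """Draw n IBAN positions at random, at least one from every field."""
    chosen = {rng.choice(list(r)) for r in FIELDS.values()}
    pool = [p for r in FIELDS.values() for p in r if p not in chosen]
    chosen.update(rng.sample(pool, n - len(chosen)))
    return sorted(chosen)

def challenge_digits(iban, positions):
    """Digits the user reads off the page and types into the token."""
    compact = iban.replace(" ", "")
    return "".join(compact[p] for p in positions)

def transaction_code(key, data, now, digits=8):
    """HMAC-SHA-1 over time step + certified data, truncated as in RFC 4226."""
    msg = struct.pack(">Q", int(now) // STEP) + data.encode()
    mac = hmac.new(key, msg, hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    val = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return str(val % 10 ** digits).zfill(digits)

def server_verify(key, iban_received, positions, code, now, drift=1):
    """Recompute from the IBAN the server received; accept +/- drift steps."""
    data = challenge_digits(iban_received, positions)
    return any(
        hmac.compare_digest(transaction_code(key, data, now + d * STEP), code)
        for d in range(-drift, drift + 1)
    )

if __name__ == "__main__":
    key = b"constructed-shared-secret"        # constructed sample key
    iban = "ES91 2100 0418 4502 0005 1332"    # constructed sample IBAN
    pos, now = pick_positions(), 1_700_000_000
    code = transaction_code(key, challenge_digits(iban, pos), now)
    print(pos, code, server_verify(key, iban, pos, code, now))
```

Only the selected positions are certified: a changed digit outside them still verifies, which is why the positions are drawn again for each transfer and must cover bank, branch and account fields.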
72. Scenario 3 – Automated out-of-band Transaction Signature
   1. Login using Cidway’s OTP & two-way authentication; go to the Transfer page.
   2. Input transfer information as usual (IBAN, Amount, date, etc) and click SEND (example: Date 09 / 10 / 08, Amount 10’546.00). The Application server will receive all information and transmit IBAN & Amount to the BANK Mobile Phone application (already opened) for validation.
   3. The User will verify the displayed information received directly on the BANK Mobile application (example: IBAN CH99122900599969491, Amount 10’546.-, Date 09.10.08), press YES and input his PIN Code.
   The Application Server will send transfer data (using OTA communications to the pre-registered mobile number), which will be directly displayed by the BANK Mobile application (no search in sms inbox…). When the User validates and inputs his PIN Code, it will generate a time based Transaction Code, with Data Certification of the entire data set, with NO data input from the User. The BANK Mobile application will then send (OTA) this Code to the Application Server (an alternative is for the User to input the displayed OTP on the PC to avoid a second OTA communication), which will finalize the transaction and acknowledge it on the Web.
74. Security: prevents any attacks on the PC (MitM attacks), as the transaction is validated and signed completely out-of-band, using a strong time based algorithm.