Strong authentication of mobile devices on the Windows Phone platform
Laitinen, Tero (2016)
Degree Programme in Automation Engineering
Faculty of Engineering Sciences
This publication is copyrighted. You may download, display and print it for Your own personal use. Commercial use is prohibited.
Date of approval
2016-06-08
Permanent address of the publication
https://urn.fi/URN:NBN:fi:tty-201605264170
Abstract
This thesis studies commonly used authentication methods and technologies and evaluates their suitability for the Windows Phone platform. Based on the findings, we develop a Windows Phone 8.1 application that uses strong authentication and handles customer information. In addition, we discuss the strengths and weaknesses of the researched techniques and evaluate their suitability for other purposes and future use.
The research is done in two parts: a literature study and an empirical study. In the literature study we present modern mobile device authentication methods and techniques by explaining their principles and features. In the empirical study we create a simple web service that uses strong user authentication and a prototype Windows Phone 8.1 application that uses the service. The authentication method was selected based on the findings of the literature study, usability, cost, security and some other requirements of our own.
The research showed that only a few of the authentication methods were suitable for our purposes. Some of the authentication methods required multitasking, which weakened the usability of the authentication process. Some of the authentication methods were too expensive to use or develop. Time-based One-time Passwords (TOTP) were found most suitable for us because of their security, integration capability, usability and compatibility with other mobile platforms. A device-specific secret key and the destination address of our web service were transferred inside a QR code, and the content was stored inside the encrypted application storage. Use of our application was protected with a PIN code. Our web service was based on REST (Representational State Transfer) and we used HTTPS to send the data securely to our application. The username, TOTP, device ID and timestamp were included with every service request. The device ID was used to make sure that the username and the secret key are used only from the device to which they were bound during registration. The timestamp was used to compensate for the offset of the user's device clock when generating the TOTP.
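The request check described above, as an added example that is not code from the thesis: RFC 6238 TOTP generation on the client side, and a server-side check that binds the secret to the registered device ID, evaluates the code at the client's own timestamp (bounded to a maximum clock offset so the client cannot choose an arbitrary time), and refuses to accept the same time step twice. The registry entries and the maximum offset are constructed assumptions.

```python
import hmac
import hashlib
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % (10 ** digits):0{digits}d}"


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP over the number of time steps since the Unix epoch."""
    return hotp(secret, unix_time // step, digits)


# Constructed registration records (username -> shared secret, bound device ID,
# last accepted time step). In the thesis these are created when the QR code
# is scanned; the secret here is the RFC 6238 test-vector key, not a real one.
REGISTRY = {
    "alice": {"secret": b"12345678901234567890",
              "device_id": "WP-DEVICE-0001", "last_step": -1},
}


def verify_request(username: str, device_id: str, client_time: int, code: str,
                   server_time: int, step: int = 30, max_offset: int = 300,
                   window: int = 1) -> bool:
    """Server-side check of one service request.

    The client sends its own timestamp, so the server evaluates the TOTP at the
    client's clock (the offset compensation the thesis describes), but only if
    that clock is within max_offset seconds of the server's, and never accepts a
    time step that has already been used (replay protection)."""
    rec = REGISTRY.get(username)
    if rec is None or rec["device_id"] != device_id:
        return False  # unknown user, or secret used from a device it is not bound to
    if abs(client_time - server_time) > max_offset:
        return False  # client clock too far off; do not let the client pick any time
    client_step = client_time // step
    for candidate in range(client_step - window, client_step + window + 1):
        if candidate <= rec["last_step"]:
            continue  # already consumed: a captured request cannot be replayed
        if hmac.compare_digest(hotp(rec["secret"], candidate), code):
            rec["last_step"] = candidate
            return True
    return False
```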
The conclusion of the research was that Windows Phone 8.1 did not support some of the popular authentication methods, notably biometric authentication. The new Windows 10 Mobile devices, which were released in 2015, support facial and iris scanning as biometric authentication methods. In summer 2016 Windows 10 Mobile will also start supporting fingerprint scanning. The most promising feature in Windows 10 Mobile will be Microsoft Passport, which uses a PIN code or biometrics in addition to private keys that are stored securely on the device. The Microsoft Passport API can be used in third-party applications, and Microsoft has published helpful instructions on how to use it. Microsoft Passport will surely be worth a closer look with respect to Windows Phone platform security.