EBT Mobile Identity: Oh, the Places You’ll Go

John Bejjani, Product Manager, Authentication and Mobile

Post on 21-Aug-2020


TRANSCRIPT

Page 1

EBT Mobile Identity: Oh, the Places You’ll Go

John Bejjani

Product Manager, Authentication and Mobile

Page 2

Copyright Entrust Datacard

We will discuss …

• EBT Security Today

• EBT Mobile Identity

• Mobile ID: Secure Credential

• Mobile ID: Technology Overview

• Protecting Personal and FIS Data

• Challenges

• The Places You’ll Go

Page 3

Current state of authentication in EBT

• Point of Sale

  • Magstripe cards

  • PINs

• Browser and app

  • Card number or user id

  • Password

• Easy to use, easy to administer

• But is there a problem?

Page 4

Security and Privacy in current EBT POS

• PoS systems are still reasonably secure

  • Thief must gain access to card and PIN

• But we all know about ATM card skimming

  • EBT cards have a similar threat

• What about EMV style chips on EBT cards?

  • Expensive to issue, expensive to replace

  • Doesn’t fully address the problem of online

Page 5

Security and Privacy in EBT online today

• Secured by username and password

• Most web services now encourage or require an out-of-band 2nd authentication factor

  • Q&A and SMS are most popular

• Q&A is easily hacked

  • Most people put Q&A data in their Facebook and Instagram profiles

• SMS is better, but still has issues

  • SMS has associated costs

  • Attacks have long existed against SMS

Page 6

Mobile Identity for EBT

Page 7

What is an “ID” anyway?

• An ID is a document issued representing a person or a thing

  • Your driver’s license identifies you and what you are allowed to do with a motor vehicle

  • Your passport identifies you and defines how you are allowed to move around at borders

  • Your student ID identifies you and your relation to your campus

Page 8

An EBT card is not an “ID”

• EBT cards typically have a number and possibly a name

• While states can mandate photos, there are issues

  • Card costs dramatically increase

  • Federal law requires that all shoppers, not just EBT recipients, be asked to present ID

• When photos are not on the card

  • Recipients cannot be treated differently and asked for photo ID

• No intuitive, non-intrusive way to verify an identity during an EBT transaction

Page 9

Mobile Identity (ID)

• A digital document created on your mobile device

• Cannot be copied

• Resistant to attacks

• Identifies you to a system, but not necessarily to a person

• Can be used to legally authorize online actions

  • Login

  • Account transactions

  • Purchasing transactions

Page 10

High Assurance Mobile ID

• Uses public key cryptography

  • Public key can be shared with everyone

  • Private key never leaves your mobile device

• Private key can be created in a secured part of your device

  • Cannot be read or cloned

  • Device OS does not have access

• Using PKI, certificates can be issued

  • Issued by a trusted authority such as the state

  • PKI certificates associate a human identity with the public key

• Resistant even to quantum computing attacks

• Access to the ID can be controlled with a PIN or a biometric (e.g. facial or fingerprint)

Page 11

Mobile ID Security: PIN vs. Password

• Mobile ID PIN is different from account password

  • Account passwords stored on a server

  • Mobile ID PIN never leaves the device

• Hackers can “steal” the user ID and the public key

  • Public keys are meant to be public anyway

  • Private key is still secure on device

  • Public key useless without private key

Page 12

Mobile ID Creation

• Recipient downloads state EBT app

• Recipient goes through onboarding

  • Present 1 or more pieces of official government ID

  • May need to answer several online questions

• Mobile ID is created in the app

  • App creates the public/private crypto key pair

  • Sends public key to server, keeps private key private

[Figure: … + … + … = EBT Identity]

Page 13

Mobile ID Use: Authentication

Bye-bye passwords

• Recipient enters only user ID on login pages

  • Notification sent to registered mobile device

  • App receives notification and recipient sees it

  • Recipient can decide to allow or deny the login

  • Recipient can also flag the request as suspicious

• Password is the “something you know”

• Mobile ID PIN is the “something you know”

• Password kept on server, PIN kept in app

• Why is it different?

• Because …

How it works … Where did the password go?

Page 14

Security without the password

• Picture using an EBT-focused mobile app

  • Currently you provide it your card ID and password

  • Would you give your password to the guy down the block?

  • Why would you give it to someone’s app?

Convenience!

Unique Services!

Page 15

Do I have to give this up?

No!

Page 16

Mobile ID Authentication: Delegating Authentication

• App presents username / card ID to the EBT processor

• The processor sends you an authentication notification

• Use your mobile ID to allow the request

• The processor sends the app an encrypted token

  • The token has a lifetime

  • The token encodes the operations the app can perform

• No password had to be provided to the app

• The processor knows which app made the request

• If your PIN changes, this has no impact on the app

• You can revoke the app’s access at any time

  • The processor can invalidate the token

How it works … Why is this better?

Page 17

Secure! Simple!

Anywhere!

Page 18

The Challenges & Benefits

Page 19

Systemic Challenges

Investments

• System-wide architecture review

• Introduction of PKI at State level

• Coordination between stakeholders

• Existing apps must change authentication models

Adoption

• FICAM / SICAM rules may apply

• Requires access to mobile devices

• Reluctance to trust newer technologies

• Transition phase will be long

Page 20

Systemic Benefits of Mobile ID

• Nearly ubiquitous Wi-Fi coverage

• Low cost for issuance

• Improved user experience

• Security improves constantly

• Large app ecosystem

• Non-repudiation reduces fraud

• US Fed has long experience with Mobile ID

• Built for tech like blockchain

Page 21

The Places You’ll Go …

Page 22

Blockchain

• Blockchain is at the heart of digital currencies like Bitcoin

• Blockchain security is based on public key cryptography

• Mobile ID is based on public key cryptography

• Ok, so what?

• Blockchain is a ledger for transactions

  • Tamper-proof for the foreseeable future

  • Easy to make distributed and resilient

  • Can be leveraged to perform real-time transaction risk analysis

  • Gateway to investigating impact of digital currencies …

Page 23

Mobile Payments

• People spend more time on mobile

• Many retailers in EBT offering online shopping

• Mobile ID identifies individuals not payment methods

• Can be linked to existing mobile payments solutions

Page 24

Thank you