OTP for SWIFT Authentication

Background

SWIFT is already used by nearly all the international banks worldwide, starts from the year of 2016, it launched some security tools to protect its customers’ SWIFT access, among them 2-Factor Authentication (2FA) is one of the most important ones.

Ever since Alliance Access version 7.1.20, 2FA is mandatory for all users, which means to login to Alliance Access, besides the user name and the static password, a user also has to into a one time password (OTP) code. And currently, the SWIFT 2FA only supports authenticator mobile app, but some bank may not allow their employees to use their own mobile phones, and some employees may don’t want to use their own phones for work.

Solution

FEITIAN NFC OTP tokens and OTP cards could be used for SWIFT 2FA, with FEITIAN tokens/cards, a user can login to SIFWT service (like Alliance Access) without bringing his own phone, the enrollment process would be like below:

1. When a user sets up 2FA for Alliance Access, it will display a QR code
2. The user can use FEITIAN Authenticator mobile App to scan that QR code
3. Connect the FEITIAN Authenticator mobile App with a FEITIAN OTP token/card through NFC
4. Program the OTP information into FEITIAN OTP token/card
5. Enter the 8-digits OTP code generated by FEITIAN OTP token/card to finish

After the enrollment process, no mobile phone will be needed to login to Alliance Access, the FEITIAN token/card will be worked as the second factor for users to authenticate to SWIFT 2FA.

OTP Seed Programming Solution

Background

OTP tokens (and OTP cards) are already widely used for 2FA by banks, government agencies and even end users in their daily lives to protect their bank accounts, work environments and online services such as Facebook, Dropbox, etc. The 6-or-8 digits ever-changing code (usually every 30 or 60 seconds) can efficiently prove the user’s identity, and more importantly, since each code can be used for one time only, OTPs are not vulnerable to replay attacks.

Each OTP token/card usually has a pre-loaded/programmed secret key (also called seed), based on which that 6-or-8 digits code will be generated/calculated. But for some customers (such as government agencies, or banks), they may have security concerns about allowing the token vendors to get in touch with the seed information (especially after RSA SecureID’s incident).

Solution

FEITIAN, as the world leading identity provider, can solve their security concerns by offering not just one but three onsite seed programming solutions for different customer requirements, to give them the total control over their seed data:

1) Programing seeds to FEITIAN OTP tokens/cards with a dedicated contaceless Seed Programmer

With the reader-liker FEITIAN Seed Programmer you can (re)program FEITIAN OTP tokens/cards all by yourself, without the need to disassemble the tokens. The Seed Programmer can use FEITIAN preoperatory contactless protocol to communicate with the tokens/cards, to program the seeds and validate tokens/cards. Together with FEITIAN Seed Management system you can manage the whole seed life cycle, from seed generation, to seed storage, seed distribution, seed transporting and seed programming, you can fully control the whole process of the seed’s production, and thus achieve the highest security.

This solution suits banks, government agencies or big corporates with dedicated administrator or operators to handle the whole process of seed generation, seed programming and token/card distribution.

2) Programing seeds to FEITIAN OTP cards with NFC-enabled Mobile Phone or Card Reader

More and more professional software and online services are using 2FA with OTP to protect their users/customers, usually they can generate a QR code which contains the seed information, a user can use a NFC-enabled Android phone to scan that QR code and then program the seed data into FEITIAN NFC OTP Cards, thereafter the OTP cards could be used as the second factor to identify the users.

For people those who don’t have NFC-enabled Android phones, FEITIAN can also offer you the choice to do the seed self-programming by using a NFC Card Reader, the operational process are similar to the one with NFC phones, the only difference would be: instead of using the smart phone to scan the QR code, you can use a PC software which provided by FEITIAN to get the seed data.

There is a long list of supported services for this solution, such as SWIFT Alliance Access, Citrix Netscaler, IBM Verify, Docusign, TeamViewer, Facebook, Dropbox, Gmail and so on and so on.

3) Programing seeds to FEITIAN OTP tokens without extra devices

FEITIAN optical OTP token is a revolutionary device, embedded with eight optical sensors, with which the token can read seed information from a flickering image displayed on a PC or even smart phone, and then do the seed programming all by itself.

That flickering image can be easily integrated into online banking pages or corporate’s web portal, and one optical token can support up to five applications/accounts, which means the user can use one single token to protect his bank account, work environment, and also some daily online services.

Since the FEITIAN optical token doesn’t need an extra device for the seed programming, it could be the perfect solution for customers who don’t want to (or is not allowed to) use their pers

DCVV Solution

Background

A card not present transaction (CNP) is a payment card transaction made where the cardholder does not or cannot physically present the card for a merchant's visual examination at the time that an order is given and payment effected. It is most commonly used for payments made over Internet.

Card not present transactions are a major route for credit card fraud, because it is difficult for a merchant to verify that the actual cardholder is indeed authorizing a purchase.

The card secure code (CVV in most case) system has been set up to reduce the CNP fraud, however it is still insecure to rely on a static 3(or 4) digit number to protect cardholder’s property.

In this case, a solution of constant change CVV code will greatly improve the protection against CNP.

Solution

The DCVV(or DCSC) card is a credit card with a screen to show an time based one time password. Unlike normal OTP token/card are using OATH standard, the DCVV is following VISA/MasterCard/UnionPay Dynamic CVV requirements.

To bring a DCVV solution into the market, require 3 key parts:

1) Physical card

The physical DCVV card is a security device with standard ID-1 card form, which contains:

A smart card chip to download the financial applets;
The complete card surface printing (without the embossment fonts);
The hologram and signature panel;
A flexible circuit board with battery and screen to show the DCVV value;
The card will requires cold lamination process for the manufacture part.

FEITIAN can do the whole manufacture part and provide the physical card.

2) Personalization

Normally, all credit cards requires personalization before final issuing. In this stage, the bank will find an personalization provider, who will download the sensitive data into the card. 

In normal credit card case, this process will download the credit card applet with the cardholder info into the card, and do the embossment etc. In DCVV card case, there will also be requirements about download the dynamic CVV info into the card, including the secret key and the time.

Since the card is using special communication protocol, in this part, FEITIAN will provide devices and guidance to help the personlization provider to interact with the card.

3) Authentication System

There will be a back-end server required for the authentication of the DCVV, normally it will be a extra authentication compare to the standard credit card transaction.

The bank server will send the related info to the authentication server and wait for the reply once it received the payment requirement. The Authentication system is a modified FEITIAN OTP server which supports the DCVV’s algorithm.

FEITIAN will help the bank to deploy the authentication system, and provide guidance for the possible customization on the bank’s existing system.

Related Product

System Logon Solution

Background

PKI tokens are already widely used for 2FA in multi-fields, banks, enterprises, government agencies and even end users in their daily lives to protect their online transactions, document signing, online tax and other services. Another important feature is that protect user’s system logon.

Logon to system maybe the most common thing to do every day, users need to input the password every time and also may worry about to lose it or not secure if the password is too simple, so traditional password is low-efficiency and low security level, obviously a more secure and easier method could help users to enhance their work efficiency and security. FEITIAN’s system logon solution bring such method to users.

Solution

FEITIAN, as the world leading identity authentication provider, can solve users concerns by offering system logon solution for PKI products in Windows and Mac OS, the solution will work with 3rd party software together:

Windows system

Work with EIDAuthenticate (from https://www.mysmartlogon.com/), as most logon programs require specific smart card driver, storage facility on the smart card itself or user process authentication, this program is the only one which does the authentication inside of the security kernel of Windows (lsass.exe) : even with signature only card, your data is safe. For example, EIDAuthenticate is the only solution supporting natively the windows “force smart card logon” policy, used to secure the local administrator accounts in datacenters or to comply with HSPD-12.

FEITIAN ePass PKI tokens provide secure medium to store the system logon digital certificate which generated by EIDAuthenticate, and implement Windows system logon with token PIN after finish the configuration of EIDAuthenticate. A smart card account will be shown in the Windows logon interface when restart the system and plug ePass PKI token, just click the account and input the token PIN to logon.

Mac OS with FEITIAN PIV

Mac os already supported PIV natively, just enable the pairing function in system, and plug PIV token/card into system to finish the pairing, after that, just restart or log off the system and then the logon interface will show the logon option with PIN.

Mac OS with FEITIAN GIDS

Work with OpenSCToken (re-build by FEITIAN) to implement Macos smart card logon. OpenSCToken is actually use CryptoTokenKit which is Apple's take on programmatic access to smart cards and other tokens. It provides both low level access to tokens (comparable with PC/SC) and high level access for system wide integration of a token (comparable with Windows Smart Card Minidriver).

FEITIAN GIDS token/card is able to work with OpenSCToken application, just install the OpenSCToken which rebuild by FEITIAN in Mac os, and enable the pairing function in system, and plug GIDS token/card into system to finish the pairing, after that, just restart or log off the system and then the logon interface will show the logon option with PIN.

Online Remote PIN Unlocking Solution

Background

PKI tokens are already widely used for 2FA in multi-fields, banks, enterprises, government agencies and even end users in their daily lives to protect their online transactions, document signing, online tax and other services. PIN is the most basic and commonly used part for PKI token, it is used to protect the access of certificates and key pairs inside the token.

PIN can be set with different complexities according to usage habit of users themselves, like letters, digits and specific symbols, but more complicated PIN will be more difficult to remember, so there are users who forget the PIN and result in the token is locked, traditional way to unlock PIN may request user to bring the token to Administrator or appointed place, it may take long time and inconvenient, so remote unlock PIN solution will solve the problem and provide quick and convenient way to users.

Solution

FEITIAN, as the world leading identity authentication provider, can solve users concerns by offering online remote unlock PIN solution for ePass series products, the solution contains remote unlock client tool and backend server. The unlock process is:

Remote unlock client tool

When the token PIN is locked, user could download the tool and start, the tool will get serial number and certificate file (.cer file) in token and generate session key, then send all these to backend server in cipher text.

*Note: The remote unlock client tool is for Windows system only.

Backend server

Receive the information from client tool and decrypt to get token serial number, certificate file and calculate the SO PIN according to the token serial number. And encrypt the SO PIN with session key. Meanwhile, server will parse the user email address from the certificate file and generate a verify code, send to user email.

*Note: Each token has different SO PIN which calculate based on unique token serial number.

User

Check the email to receive the verify code and input the code into client tool and click unlock button. And the client tool will send the verify code to backend server in cipher text, after verify successfully at server side, server will send encrypted SO PIN to client tool, and reset PIN window will pop up after verify SO PIN, so user can reset PIN and finish the unlock procedure.

*Note: In the whole unlock procedure, the token must keep connecting status and cannot access by other application, otherwise, the unlocking will be failed and need to redo.