Bluetooth for IoT, much more than handsfree technology

María Cascajo Sastre    9 February, 2016

A few months back we published a whitepaper on the disruptive changes in the connectivity ecosystem. The paper stressed the role of low power narrow band wide area networks (LPWA) as the long term solution. While the different proposals for new radio frequency technologies reach the market and technological maturity, some connectivity technologies that had stopped being used, were seriously declining in popularity, or were doomed to disappear are receiving a breath of fresh air and a second life by being repurposed away from their original use. 2G and Bluetooth are two excellent examples of repurposed technologies. Today we will talk about the latter.

Bluetooth is a protocol for wireless communication originally developed by Ericsson that works over unlicensed frequencies. It was conceived for personal area networks (PAN) in order to transfer data wirelessly. Bluetooth however has some design shortcomings: it requires pairing devices (normally through a setup procedure), its energy consumption is very high (not optimized for battery-powered devices), and its range is normally limited to the room’s perimeter. To overcome these limitations an evolution of the original protocol was developed. This new standard, Bluetooth Low-Energy (BLE or Bluetooth LE), was redesigned by Nokia and is now a core feature of modern smartphones and next generation wearable devices like smartwatches, health bands and others.

Bluetooth LE devices consume very little energy (extending battery life up to 2 years). Besides the wearables and personal device market, one of the main uses for BLE is as beacons. They take their name from traditional lighthouses and, in a similar manner, are installed at fixed locations from which they broadcast their presence and exchange information within a 70 metre range in order to provide information like temperature, movement, sound, etc.

Beacons are in general static elements designed to be installed in Smart Cities and other typical IoT settings, with moving BLE-equipped smart receivers. The scenarios however require neither the beacons to remain static nor the receivers to be in movement, so there is no single workflow, and many use cases are being developed that range from Smart Meter Reading to Connected Car on-board features or Smart City information points.

Looking towards the future, the Bluetooth Special Interest Group (SIG) recently published its “2016 Technology Roadmap” with exciting new features for the new Bluetooth Smart, specifically designed to enhance the features that make it attractive for the IoT: improved range (4x), increased robustness for indoor and outdoor use, and a 100% increase in speed, without affecting energy consumption, together with improved responsiveness and lower latency. Bluetooth Smart devices will be able to interconnect in networks that cover a whole house, building or factory, opening new applications for this technology.

You can read in-depth information about current Bluetooth LE and other disruptive connectivity technologies in our “The response of the CSPs to the IoT burst” whitepaper, published a few months ago, which provides complete insight into the state of IoT affairs moving forward in a complex ecosystem of key technology players and a combination of existing and emerging technologies.

New Vulnerabilities Trend Report: “Companies keep making life easier for attackers”

Florence Broderick    29 January, 2016

You can now download the “New 2014-2015 Vulnerability Trend Report” by ElevenPaths’ Analyst Team. This vulnerability trend report analyses data from over 100 companies, representing the main activity sectors and geographical regions, for the period 2014-2015.

The report shows the critical points which companies must focus on in order to improve their security level. 85% of the results obtained correspond to 5 specific vulnerabilities, shown below:

Information Management Errors and Leakages on Metadata
These errors appear when organizations manage information inadequately, turning their private data public. Our conclusions after analysing this data are shown below:

  • Lack of awareness regarding the risks and issues in this area. Cybercriminals plan their attacks based on an initial phase that identifies the target from which information can be obtained in order to arrange the subsequent actions.
  • The human factor is still used by attackers as an entry point, through targeted phishing campaigns built on information leaked in metadata.

Configuration error
78.56% of the vulnerabilities detected show that the majority of failures are found in the configuration of the systems and applications themselves. The origin of most vulnerabilities analysed is not existing vulnerabilities resulting from code failures by developers, but bad practices carried out by system and application administrators during the configuration phase.

Code injections, XSS and Cryptographic Issues
The vulnerabilities caused by improper input validation (code injection, XSS, among others) and cryptographic issues are well known in the security world and have been widely broadcast by the mass media.

The analysis performed on the results obtained demonstrates yet again that these types of errors still remain a high-risk security problem for organizations.

New Whitepaper "Scope, scale and risk like never before: Securing the Internet of Things" by Telefónica and ElevenPaths Analyst Team

Florence Broderick    28 January, 2016

This week we are launching, both in London and Madrid, in a round table with security analysts and journalists, our new Whitepaper “Scope, scale and risk like never before: Securing the Internet of Things” carried out by Telefónica and ElevenPaths’ Analyst team. This whitepaper has been written by professionals in the security field with the expertise level of Chema Alonso (ElevenPaths CEO), Antonio Guzmán (ElevenPaths Scientific Director), John Moor (IoT Security Foundation), Jaime Sanz (Intel Iberia), Luis Muñoz (University of Cantabria), Belisario Contreras (CICTE) and Bertrand Ramé (SIGFOX).

» It’s available on the ElevenPaths website.

We live in a hyperconnected world where millions of devices join the IoT, and our challenge is to provide innovative security solutions that respond easily to current circumstances and priorities. This context of insecurity has encouraged Telefónica and the ElevenPaths’ Analyst Team to investigate those subjects, and in more depth the scope, scale and risk of the Internet of Things.

Some details about the report:

  • IoT devices in corporate environments such as printers, cameras, VoIP phones or network systems are the new puzzle for IT departments, and obviously provide cybercriminals with a new way to access corporate networks.
  • It is mandatory to establish new measures to secure the network and the IT infrastructure and, in the long term, to standardize these protection measures, delivering end-to-end security.
  • While these days everybody is talking about insecurity in the IoT, at ElevenPaths we propose answers and challenges to achieve a secure deployment of your IoT solutions.

» Download Press Release

More information at
www.elevenpaths.com

New report: Financial CyberThreats Q4 2015

Florence Broderick    18 January, 2016
You can now download the full report about Financial CyberThreats (Q4 2015) carried out by ElevenPaths’ Analyst Team. It’s available on the ElevenPaths website.

Phishing
A group of 14 countries are on the receiving end of 88.42% of all phishing attacks. The remaining 11.58% is distributed among 167 different countries. Mexico, the United States and Brazil together account for almost half of the attacks detected worldwide, followed by Germany and Canada.

Figure 1. Percentage of total phishing attacks – Distribution by country in Q4 2015.

Mexico has shown the biggest percentage of phishing attacks of the entire year, even surpassing the percentage from Germany in the last period, when Germany was the most attacked country.
New Zealand was the country that suffered the most phishing attacks per user over the course of Q3 2015 and has now been displaced by Mexico, which shows an alarming increase in users affected by phishing.

Figure 2. Percentage of users affected by phishing – World.

Phishing messages targeting the financial sector (banks, payment systems and online shops) accounted for 43.38% in this period, an increase of 13.19% compared with the data analysed in Q3 2015.
In the online payment sector, PayPal, Visa, American Express and MasterCard continue to be by far the most targeted entities, just as in 2013 and 2014.

Regarding e-commerce targeted by phishing attacks, during the first months of 2015 one of the most remarkable trends was the big increase in attacks against Steam (online game distributor and social networking platform developed by Valve Corporation) users. Although the numbers for Q3 showed a decrease in such attacks, during this last period Steam has suffered an astonishing increase, from 17.59% in the past period to 41.79% in Q4 2015. A logical explanation for this increase could be the Christmas season and the rise of activity in the online gaming world, from the increase in purchases to the growth in the number of players interacting with Steam.

Banking malware
The number of infections by the Zeus Trojan and its variants keeps decreasing, for the third period in a row this year.

Although the Dyre Trojan’s share decreases (representing 19.21% of all infections by banking Trojans in Q4), it remains the lead actor in the banking malware area.

Figure 3. Banking malware global distribution by families in Q4 2015.

During this year several new families of Point of Sale malware have appeared: LogPOS, Punkey, FighterPOS, BernhardPOS, GamaPOS, ModPOS and so on, bringing the number of known malware families in this category to approximately 26 (our heuristic engine identifies several samples with similar functionality that do not belong to any given family).

Figure 4. Geographical distribution. Generic POS verdict (Trojan-Spy.Win32.POS) | Q4 2015.

Mobile malware
Continuing the trend observed during the last few years, Android has been the most affected platform in this period too. The platform is targeted by 99.78% of all samples detected on any mobile platform. At the end of 2014 this figure was 99.41%.

Figure 5. Mobile banking trojans geographic distribution.

The Russian Federation alone accounts for 86.50% of infected users, followed distantly by the rest of the countries. Germany, Italy, France, Poland and Austria are the most infected European countries.

The deadline for our Latch and Sinfonier contests has been extended!

Florence Broderick    15 January, 2016
Latch Plugins Contest 2015
Are you aware of the second edition of the Latch Plugins Contest? Submit your Latch plugins before February 15th! As a developer or intelligence analyst, do what you do best and get paid for it! We have extended our Latch Plugins Contest deadline! The winners will be notified by e-mail within 14 days after the close of the contest. You then have a period of 10 days to accept the prize.

Sinfonier Community Contest 2015

The Sinfonier Community Contest will award the best sets of 10 modules or topologies developed for the Sinfonier Project Community: innovative, interesting and useful modules and topologies for Smart Cities, Digital Economy and Digital Identities environments. Submit your Sinfonier modules or topologies! You can do it until the 15th of February at 1:00 pm (Central European Time), so hurry up!

Good luck!

Cybercrime is already a global scourge…Do you really think you are protected?

Florence Broderick    23 December, 2015

Nowadays, the exponential development experienced within the ICT field has led to a new scenario where organizations are capable of exchanging information more effectively, establishing new business models and, in general, decreasing operational costs while increasing their levels of efficiency and profitability.

Nevertheless, technology has evolved for everyone, enabling cybercriminals to take advantage of these new and more sophisticated techniques, even perpetrating coordinated and complex attacks against organizations or their supply chain within a few minutes. This has led to a new generation of threats and cybercrime which imply greater risks and a bigger impact for companies.

In fact, the latest figures indicate that the cost of cybercrime already represents 0.8% of the global economy, even exceeding the drug and arms trade. The fact is that any organization can be attacked. Cybercriminals no longer discriminate on the basis of company location, size, industry or ethics. Actually, recent studies show that 97% of organizations have been hacked or breached to a greater or lesser extent, and 69% of detected threats have been discovered by external agents, which means that traditional internal means are no longer sufficient.

Another clear example which shows that organizations are not prepared for this new scenario is that, according to the figures in the latest global reports, they take over eight months on average to notice and fully recover from an attack, which in some cases can have a critical impact on the organization, even becoming a threat to its survival.

Therefore, it is clear that the traditional approach (castle security) is no longer sufficient to face the risks organizations are exposed to nowadays; a focus beyond the organization’s own environment becomes necessary, centred on the security risks which impact their business, including their supply chain. In this sense, the implementation of a new risk management model which adequately coordinates the capabilities of prevention, detection, analysis, mitigation, response and recovery becomes essential.

To address this new scenario, ElevenPaths counts on CyberThreats, whose holistic risk management model, focused on cyberintelligence, helps to continuously prevent, detect and respond to cyberthreats which might have a high impact on the organization’s business model. The main modules on which CyberThreats is structured are shown below:

Overall, thanks to our expert team specialized in Threat Detection and Incident Response, along with the orchestration of our own proprietary technology and processes combined with the market’s best practices and strategic alliances, organizations can benefit from continuous advanced support through the entire threat lifecycle, which facilitates the decision-making process and corporate risk management. The next graph summarizes the CyberThreats performance model, from multiple-source scouting to the delivery of value to customers:

For further information, please visit the CyberThreats webpage or contact us:

Manuel Muñiz Somoza

Plugin for EmetRules: Now, easier to use

Florence Broderick    14 December, 2015
EmetRules is a simple tool we created two years ago. Not meant to change the world, it was a first incursion into the certificate pinning universe, intended to ease one of the harder-to-use features of EMET: pinning. We have now developed an easy plugin for Internet Explorer that uses EmetRules, so pinning with EMET is easier than ever. Let’s see how it works.

Internet Explorer is the only major browser not supporting HPKP yet. In fact, it is the browser with the fewest options to pin certificates in general. EMET included a feature for pinning a few versions ago, but it was indeed complicated and tricky to use. So we created a simple tool called EmetRules to pin lots of domains at once.

EmetRules has some fans. So we have created a very simple plugin for calling EmetRules from the browser itself, making it even easier to pin a domain. Just visit it and click a button. The domain will go to the EMET configuration and be pinned there.

EmetRules itself has been updated to support being called directly from Internet Explorer, just by adding a new option. To explain it better, a few screenshots of how it works:

  • Visit the domain you want to pin with Internet Explorer.

Visit the domain you want to pin

  • Click on the icon in the bar, or right click somewhere on the webpage and choose “Pin with EmetRules”.

Use the icon or the entry in the right click menu

  • The first time you use it, a warning will appear. It is ok as long as the program is signed by us. This means the operating system is telling you that an external program is being called from somewhere inside a web page and wants to leave protected mode (it is going to be launched at medium integrity level instead of low).

Warning about executing a file from the browser

Now it depends on the “traditional” EmetRules. A command window will be launched; it will fetch the certificate for you, build an XML file and feed EMET.

  • If you are an “admin and not an admin” (you are using UAC), a UAC dialog will prompt, since inserting domains in EMET needs administrator privileges.
  • If everything is ok, the domain will appear in the EMET pinning panel.

The domain is finally pinned in EMET

If you want to modify default settings, just modify the html file (JavaScript) in the installation directory.

Hope you enjoy it. The new version may be downloaded from here.

IoT – The new security headache for the enterprise IT department?

Florence Broderick    10 December, 2015

2015 could prove to be the year that enterprise adoption of BYOD takes a step further, and evolves into BYOIoT. Several reports (i) have already predicted the rise, spurred on by the popularity and proliferation of wearable devices in the workplace. What’s essential is that IT departments are aware of how to manage the resulting security and ecosystem challenges this will bring.

The great benefit of IoT is that connected devices are able to interpret and interact seamlessly with the networked environment around them, providing seamless usability and convenience for the end user. The issue for the IT department is that any connected device can theoretically collect and access sensitive information purely because it is located on the company’s premises. Similarly, since they are usually connected to the corporate network, they can not only exchange data with internal systems but also with external servers. In many cases internal data must be protected, and IT departments will want to control what sensitive information is accessed beyond their network. There is no doubt that connected devices allow employees to be more efficient in their daily operations, but are companies fully aware of the security risks that their use also involves?

The potential for security breaches increases with the uptake of IoT policies in the workplace. What is disconcerting is that IT departments often have little or no control over new devices connecting to the network. This has been backed up by a recent study (ii) published by OpenDNS which found that IT professionals are often completely unaware of the presence and prevalence of IoT devices on their corporate networks.

This apparent lack of control contrasts with a 2013 Forrester (iii) study which stated that security concerns are the main reason businesses are slowing down the incorporation of workplace IoT technologies. This surely begs the question, if security is considered such an important element, why aren’t special measures being put into place? Perhaps the answer lies in the ambiguity in defining what an IoT device is.

To get a handle on the solution, IT departments must first identify the risks, which are as follows:

  • IoT devices are a new remote attack vector for security exploits. Devices are not designed in line with individual business security requirements and cannot be updated easily to conform with corporate network policies.
  • They often use external clouds beyond the control of IT departments. Without the implementation of traffic control measures, internal data risks being compromised.
  • Users tend to consider these devices as toys and are not aware of the security implications that their use has on a corporate network.

The solution for IT departments can be neatly summarised in one word… visibility.

The infiltration of IoT devices in the enterprise is clearly underway, and as such companies should review their current policies to mitigate potential risks and, once identified, put new policies into action where necessary. Most security experts surveyed in the OpenDNS report rely on measures relating to network design and deployment to contain threats, but is it enough? In our point of view, these measures are necessary but not wholly sufficient.

We propose two approaches.

Firstly, we consider focusing on the terminal absolutely necessary. This approach not only identifies all the devices that are within the company premises, but also catalogues and monitors them in order to meet corporate security guidelines. It’s a similar approach to that already undertaken in Mobile Device Management solutions and BYOD policies.

It is no coincidence that MDM vendors consider IoT as the next big challenge for their organisations (iv). MDM platforms have grown from a core set of rules associated with the use of smartphones at work to the complete management of any device, including tablets, laptops and even electronic ink readers. With the introduction of IoT and wearable devices, the next logical step is to implement new functionalities to manage all these devices remotely. There is no doubt that the promotion of industry standards will make collaboration among different device providers easier to manage. In addition, it is important that these assets are included within the scope of security audits performed internally by the company’s IT department.

Secondly, the approach from the network side should relate to traffic behaviour and its subsequent analysis. Think of it like this: when facing an unknown illness, the best way for a doctor to work out a medication is to identify the symptoms. Everything that is outside normal patterns is likely to be harmful and should be investigated. By examining network traffic using big data matching tools it becomes possible for the IT department to construct behaviour models capable of discerning anomalous situations. In this way they can identify new devices, connections to unknown IP addresses, suspicious traffic or strange commands.

IoT is already within the enterprise environment, and the only option for companies is to evolve and adapt their security practices accordingly. Ignoring the threat will not make it go away, and IT departments need to be on the front foot when it comes to identifying and mitigating against risk. After all, what is not known cannot be secured.

i ‘Bring Your Own Internet of Things’ coming to businesses in 2015
ii The 2015 Internet of Things in the Enterprise Report
iii ‘Mapping The Connected World’ by Christopher Mines
iv IoT in the E: How the Internet of Things Will Transform the Enterprise

You may also be interested in:
BANDS: Proactive threat detection in critical infrastructures
What we presented at Security Day 2015 (III): a combination of Tacyt and Sinfonier

Francisco Oteiza

Inside Mobile Connect (I)

Florence Broderick    7 December, 2015
This is the first of a series of technical articles about the Mobile Connect architecture and the different components that make it up. But, hold on a second… what is Mobile Connect about?

Mobile Connect is a mobile centric solution that aims for MNOs (Mobile Network Operators) to become trusted identity service providers to third party providers. However, Mobile Connect is not only a new way to authenticate users in the mobile network. It also provides a way to link the digital and real identity of a person and protect their data, giving them back control over when, where and with whom this information is shared.

Mobile Connect takes advantage of MNO assets such as the mobile device and the SIM card. Thanks to these assets the MNO can almost always reach the user and send a challenge to authenticate them. In that way, the user’s device turns into a kind of addressable carrier of the user’s identity, which in turn can be validated by means of different authenticators, that is, different ways to authenticate the user.

These different ways to authenticate users provide different levels of validation security. This is the so-called Level of Assurance (LoA), which describes the degree of confidence in the authentication process. In short, they provide a certain assurance that the user being authenticated is who they claim to be.

Mobile Connect Logical Architecture (Telefonica Implementation)

Note that Mobile Connect is an interoperable solution. Therefore it must work with any MSISDN from all the MNOs onboard in the Mobile Connect ecosystem. This is accomplished using a discovery process that takes place in a phase prior to the authentication process. The aim of the discovery process is to find the Identity Provider the MNO user belongs to, and redirect them to that MNO’s Mobile Connect implementation.

The figure above shows a very high level architecture of the Telefónica Mobile Connect system, but it does not give us too much information. It seems that there is a set of boxes that you can combine and voilà! you have an implementation of Mobile Connect. Well… it is a no-brainer that it cannot be so easy, right?

Don’t worry, in the next section we are going to try to explain the main functionality of each component in the architecture and its role in the Mobile Connect authentication process flow.

Telefónica Mobile Connect Architecture

Our Mobile Connect implementation is based on a set of microservices that in turn make up larger components or subsystems which each have a specific role (see figure above).

You can distinguish three main functionalities in Mobile Connect:

  • The Identity Gateway, the brain of Mobile Connect, offers the interface for Service Providers to be integrated in Mobile Connect.
  • The Authenticators provide user validation.
  • The Data Gateway gives the user’s attributes.

The Mobile Connect interface to Service Providers follows the Authorization Code Flow of the OpenID Connect protocol, where Service Providers act as the Relying Parties (RPs) of the OIDC protocol.

Abstract of the OpenID Connect protocol steps

Identity Gateway (ID)

The Identity Gateway (aka ID-GW) server is a component that can be broken down into a set of individual components. These components provide the functionality of Identity and Access Management along with the functionality to control and protect the resources that expose the attributes that can be shared.

OIDC AuthServer

It is the core component that implements the OpenID Connect protocol as per the OIDC Mobile Connect Profile. It exposes the Authorization and Token endpoints. It receives the authentication request, checks whether the client (the service’s app) is allowed to request the claimed scopes and, if so, sends the request to the authenticator selector. In addition, in the case of successful authentication, it generates the authorisation_code and the access_token, along with the id_token.

Authenticators Routing Subsystem

This component is called by the OIDC server during the authentication process. It selects the right authenticator based on the context of the request (e.g. LoA), routing policies, etc., and prompts the user to provide their credentials where appropriate.

Token Manager

This component creates the id_token, the access_token and the authorisation_code in the auth_code flow. It also offers an API to query the information associated with an access_token.

Access Gateway

The Access Gateway exposes the UserInfo endpoint. It aims to protect access to the real UserInfo resource exposed by the back-end. The Access Gateway acts as a proxy that receives the request from the service provider and checks the access_token against the Token Manager to determine the scopes granted to the client. If the client has the necessary scopes to access the requested resource and the request upper limit has not been reached (traffic throttling), the Access Gateway routes the request towards the Data GW, providing the granted scopes.
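The Access Gateway’s decision sequence (introspect the access_token, compare granted scopes with the resource, throttle, then forward only the granted scopes to the Data GW), as an added example that is not Telefónica’s code: an in-memory Token Manager, a resource-to-scope map and a per-client request window stand in for the real services, and every token value, scope name, quota and user attribute below is constructed.

```python
import time
from collections import defaultdict, deque

# --- Constructed sample data (assumed, not from the article) ----------------
# What the Token Manager knows about issued access_tokens: owning client,
# scopes granted in the auth_code flow, subject and expiry time.
NOW = 1_700_000_000  # fixed reference clock so the example is deterministic
TOKEN_MANAGER = {
    "tok-phone": {"client_id": "sp-bank", "sub": "user-1",
                  "scopes": {"openid", "phone"}, "exp": NOW + 600},
    "tok-basic": {"client_id": "sp-shop", "sub": "user-1",
                  "scopes": {"openid"}, "exp": NOW + 600},
    "tok-stale": {"client_id": "sp-shop", "sub": "user-1",
                  "scopes": {"openid", "email"}, "exp": NOW - 1},
}

# Scopes a client must hold to reach each resource behind the Access Gateway.
RESOURCE_SCOPES = {
    "/userinfo": {"openid"},
    "/userinfo/phone": {"openid", "phone"},
    "/userinfo/email": {"openid", "email"},
}

# Attributes the Data GW would gather from MNO sources, keyed by the scope
# that releases them (constructed values).
USER_ATTRIBUTES = {
    "user-1": {"openid": {"sub": "user-1"},
               "phone": {"phone_number": "+34600000000"},
               "email": {"email": "user1@example.net"}},
}


def data_gateway(sub, resource, granted_scopes):
    """Stand-in for the Data GW: release only the attributes covered by the
    scopes the Access Gateway forwarded, never the whole record."""
    record = USER_ATTRIBUTES.get(sub, {})
    wanted = granted_scopes if resource == "/userinfo" else RESOURCE_SCOPES[resource]
    out = {}
    for scope in wanted:
        out.update(record.get(scope, {}))
    return out


class AccessGateway:
    """Proxy in front of the UserInfo endpoint: introspect, check scopes,
    throttle, then route to the Data GW with the granted scopes."""

    def __init__(self, token_manager, quota=3, window_seconds=60):
        self._tm = token_manager
        self._quota = quota            # requests per client per window
        self._window = window_seconds
        self._hits = defaultdict(deque)

    def _introspect(self, token, now):
        info = self._tm.get(token)
        if info is None or info["exp"] <= now:
            return None                # unknown or expired token
        return info

    def _throttled(self, client_id, now):
        hits = self._hits[client_id]
        while hits and hits[0] <= now - self._window:
            hits.popleft()             # forget requests outside the window
        if len(hits) >= self._quota:
            return True
        hits.append(now)
        return False

    def handle(self, authorization, resource, now=None):
        """Return (status, body) for a service-provider request."""
        now = time.time() if now is None else now
        if not authorization or not authorization.startswith("Bearer "):
            return 401, {"error": "invalid_request"}
        info = self._introspect(authorization[len("Bearer "):].strip(), now)
        if info is None:
            return 401, {"error": "invalid_token"}
        required = RESOURCE_SCOPES.get(resource)
        if required is None:
            return 404, {"error": "unknown_resource"}
        if not required <= info["scopes"]:
            # Say only that the scope is insufficient, not which scopes exist.
            return 403, {"error": "insufficient_scope"}
        if self._throttled(info["client_id"], now):
            return 429, {"error": "rate_limited"}
        return 200, data_gateway(info["sub"], resource, info["scopes"])


if __name__ == "__main__":
    gw = AccessGateway(TOKEN_MANAGER)
    print(gw.handle("Bearer tok-phone", "/userinfo/phone", NOW))
    print(gw.handle("Bearer tok-basic", "/userinfo/phone", NOW))
```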

Provision

This component offers an API to provide any data that the ID-GW needs to carry out the different tasks for which it is intended: the scopes, products (sets of scopes for different grant types), devs, apps and APIs.

Users

This component exposes an HTTP REST API to manage the provisioning of Mobile Connect users. It will be used to register and update users, etc.

Authenticators

These components represent an abstraction layer that allows the ID Gateway subsystem to talk to the different authenticators in the MNO. All the Mobile Connect authenticators are Mobile Centric authenticators, that is to say, all of them authenticate the end users interacting with their Mobile phone.

Authentications using Mobile Connect SMS+URL

In the next few paragraphs we describe some of the most common authenticators used in Mobile Connect, bearing in mind that a long list of them can be integrated in the solution.

SMS based authenticator

The SMS based authenticator (SBA) sends an SMS to a mobile phone number. This SMS should contain a code (OTP), a link or both in order to authenticate the user.

  • OTP: sends a One Time Password in the SMS that must be validated in the form entry.
  • URL: sends a URL in the SMS that must be clicked by the user to be authenticated.
  • OTP+URL: sends an OTP together with a URL. The user can submit the OTP in the form entry or click the URL to be authenticated.
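The server side of the OTP mode above, as an added example that is not ElevenPaths’ or Telefónica’s code: the code is generated with a CSPRNG, only a salted hash of it is kept, and the pending entry is single use, time-limited and locked after a few wrong submissions. The digit count, TTL, attempt limit and the MSISDNs used are assumptions; the SMS is captured in a list instead of going to an MNO gateway.

```python
import hashlib
import hmac
import secrets
import time

OTP_DIGITS = 6          # assumed policy values, not taken from the article
OTP_TTL_SECONDS = 120
MAX_ATTEMPTS = 3


def _digest(salt, code):
    """Keep only a salted hash of the code, so a leaked table cannot be replayed."""
    return hashlib.sha256(salt + code.encode()).digest()


class SmsOtpAuthenticator:
    """SBA in OTP mode: one pending code per MSISDN, single use, time-limited,
    and locked after MAX_ATTEMPTS wrong submissions."""

    def __init__(self, send_sms, clock=time.time):
        self._send_sms = send_sms   # callable(msisdn, text) handing the SMS to the MNO
        self._clock = clock
        self._pending = {}

    def start(self, msisdn):
        """Issue a fresh code; any earlier pending code for this MSISDN is replaced."""
        code = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
        salt = secrets.token_bytes(16)
        self._pending[msisdn] = {
            "salt": salt,
            "digest": _digest(salt, code),
            "expires": self._clock() + OTP_TTL_SECONDS,
            "attempts": 0,
        }
        self._send_sms(msisdn, f"Your Mobile Connect code is {code}")

    def verify(self, msisdn, submitted):
        """Return 'ok', 'wrong', 'expired', 'locked' or 'no_pending'."""
        entry = self._pending.get(msisdn)
        if entry is None:
            return "no_pending"
        if self._clock() > entry["expires"]:
            del self._pending[msisdn]
            return "expired"
        entry["attempts"] += 1
        # Constant-time comparison of the hashes, not of the bare codes.
        if hmac.compare_digest(entry["digest"], _digest(entry["salt"], submitted)):
            del self._pending[msisdn]      # single use
            return "ok"
        if entry["attempts"] >= MAX_ATTEMPTS:
            del self._pending[msisdn]      # force a new start() after lockout
            return "locked"
        return "wrong"


def demo():
    """Drive the flow with a captured SMS instead of a real MNO gateway."""
    outbox = []
    auth = SmsOtpAuthenticator(lambda msisdn, text: outbox.append(text))
    auth.start("+34600000000")             # constructed MSISDN
    code = outbox[-1].split()[-1]          # what the user reads from the SMS
    return auth.verify("+34600000000", code)


if __name__ == "__main__":
    print(demo())
```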

MSSP (Mobile Signature Service Provider)

This component is the server side of the SIM Applet based authenticator. It can deal with both LoA2 and LoA3 authentications, by sending a challenge using a “class 2” binary 3.48 SMS to the end user’s SIM. This message reaches the SIM directly, without any possibility of being intercepted by any application on the mobile phone.

Then the SIM wakes up an applet asking the user for consent using “click-ok” or a PIN/Personal Code. Once user verification is done, the applet returns an authenticated response back to the MSSP. The MSSP validates the response and returns success or error. It is worth pointing out that all messages between the MSSP and the SIM are end-to-end encrypted.

FIDO Authenticator

This component implements a FIDO Server authenticator which sends a challenge to authenticate the user through a biometric authenticator on their mobile phone.

Remark: these are some of the authenticators that can be used to authenticate users in Mobile Connect. However, as one of the key requirements of Mobile Connect is to be able to authenticate the end user irrespective of the underlying authenticator, it needs a flexible way to integrate the ID-GW with the different kinds of authenticators, which in turn expose different APIs. To achieve this objective, an adaptor (based on redirections) has been built for every authenticator to communicate it with the ID-GW.

Data GW (Data Gateway)

This component will be connected to the different sources in the MNO or to potential 3rd parties. It gathers all the attributes that will be exposed in the UserInfo endpoint and probably in other future info endpoints with extra information.