Secure user authentication online has long been a major challenge, and Verifiable Credentials now go a long way towards solving it. A Verifiable Credential carries, in digital form, the information found in a physical document such as a passport or driving licence. It gives its holder flexibility and convenience, but above all more protection and privacy when identifying online: the credential is digitally signed, which makes it tamper-evident and instantly verifiable, and it supports selective disclosure, so the holder shares only the minimum data needed to prove a specific claim.
Verifiable Credentials are typically stored in a decentralised way, often in the holder's digital wallet. Numerous projects are underway, both in the US (e.g. the mobile driving licence, mDL) and globally (e.g. ICAO, the EU Digital Identity Wallet), to give users and citizens a digital means of identifying themselves securely, and the related technologies have been standardised by bodies such as ISO, W3C and OpenID.
Authentication and authorisation usually go hand in hand: authentication is a precondition of authorisation. Yet while authentication is becoming decentralised, decentralised digital authorisation is practically non-existent, even though such a solution could bring at least the same benefits as Verifiable Credentials, and potentially more.
The Front-End Access Management (FEAM) technology of SafePay stores the user's credentials and access rights in a secure element on the user's side. This secure storage may be shared with the user's Verifiable Credentials; it may be a SIM card or the embedded secure element of a smartphone, a Trusted Execution Environment (TEE), or even a cloud-based secure storage facility (Card Farm). FEAM builds on the OAuth concept and uses the same signed access tokens (JWT), but it removes the dependence on a central authorisation system: the resource verifies the token locally with nothing but a key and a clock. As a result of this decentralised architecture, communication overhead is substantially reduced, the single point of failure is removed, and user profiling by external parties is prevented. A further major benefit is that the transaction procedure, and its level of security, are identical for online and offline transactions. Because FEAM uses the same type of access token as OAuth, it can be introduced to a large, already deployed user base, and it can be integrated into poorly protected legacy environments without modifying business procedures or communication protocols.
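The property the paragraph relies on, that a signed OAuth-style access token can be checked by the resource itself without contacting the issuer, is shown below in an added example that is not SafePay's or FEAM's code. The token is minted by an issuer, then a resource (the "car" in the constructed scopes) verifies it offline, pins the algorithm so an `alg: none` or algorithm-confusion token is rejected, checks expiry and audience, and only then looks at the scope. HS256 is used so that the example needs only the standard library; a deployment in which many resources verify tokens from one issuer would use an asymmetric algorithm such as ES256 so that resources hold only the public key. All keys, claims, scope names and the `tamper_scope` helper are constructed for the example.

```python
"""Offline verification of an OAuth-style signed access token (JWT).

Added example, not SafePay/FEAM code. HS256 (shared secret) is used only
because it is available in the standard library; with an asymmetric
algorithm the resource would hold just the issuer's public key.
Keys, claims and scope names are constructed.
"""
import base64
import hashlib
import hmac
import json


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims: dict, key: bytes) -> str:
    """Issuer side: header.payload.signature, HS256 over the first two parts."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        _b64url(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, claims)
    )
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_token(token: str, key: bytes, now: int, audience: str):
    """Resource side; no network needed. Returns (claims, "ok") or (None, reason)."""
    parts = token.split(".")
    if len(parts) != 3:
        return None, "malformed"
    h_b64, p_b64, s_b64 = parts
    try:
        header = json.loads(_b64url_decode(h_b64))
        signature = _b64url_decode(s_b64)
    except ValueError:  # covers binascii.Error, JSONDecodeError, UnicodeDecodeError
        return None, "malformed"
    # Pin the algorithm: the verifier decides, never the token's own 'alg' field.
    if header.get("alg") != "HS256":
        return None, "alg not allowed"
    expected = hmac.new(key, f"{h_b64}.{p_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return None, "bad signature"
    # Only after the signature check is the payload trustworthy.
    claims = json.loads(_b64url_decode(p_b64))
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        return None, "expired"
    if claims.get("aud") != audience:
        return None, "wrong audience"
    return claims, "ok"


def authorise(token: str, key: bytes, now: int, resource: str, action: str):
    """Local access decision: is `action` on `resource` covered by the token?"""
    claims, status = verify_token(token, key, now, resource)
    if claims is None:
        return False, status
    if action not in claims.get("scope", "").split():
        return False, "scope missing"
    return True, "ok"


def tamper_scope(token: str, new_scope: str) -> str:
    """Constructed attacker step: rewrite the payload without being able to re-sign."""
    h_b64, p_b64, s_b64 = token.split(".")
    claims = json.loads(_b64url_decode(p_b64))
    claims["scope"] = new_scope
    p_new = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    return ".".join([h_b64, p_new, s_b64])


if __name__ == "__main__":
    key, now = b"constructed-shared-secret", 1_700_000_000
    token = mint_token({"sub": "alice", "aud": "car-42", "exp": now + 300,
                        "scope": "car:unlock car:start"}, key)
    print(authorise(token, key, now, "car-42", "car:unlock"))
    print(authorise(tamper_scope(token, "car:unlock car:sell"), key, now, "car-42", "car:sell"))
```

The order of checks matters: the signature is verified before any claim is read, so a payload that has been edited to widen the scope fails at the signature step rather than being parsed at all, and the resource reaches the same decision whether or not it has connectivity.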
The technology has been validated in diverse service environments, including connected cars, smart homes, prosumer cell operation and drones. It has been adapted to various communication protocols and presently supports REST, TCP, UDP and MQTT channels. FEAM is also flexible in its topology: it can be operated on-premises as well as in the cloud.
FEAM will not stop here; the next step in its evolution is device authorisation. In this concept a built-in secure enclave (TPM chip, TEE, iSIM) stores the functions the device is permitted to perform. These functions are defined by the manufacturer, possibly in the form of MUD files, and customised by the operator of the device. The resulting architecture prevents IoT devices from being taken over and used for malicious activity, as happened in past large-scale DDoS attacks. This internal control of operation is not only a new security-by-design feature but also a second line of defence against device takeover: it is no longer enough to break the usual username-and-password or similar protection, because to misuse the device its secure element must also be compromised; otherwise its intended operation cannot be altered.
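What such a device-side allow-list decides, in an added example that is not SafePay's or FEAM's code: the page places the enforcement inside the device's secure element, whereas this plain-Python evaluator only illustrates the decision itself. The MUD document is constructed for the example and follows the shape of the RFC 8520 examples (an `ietf-mud:mud` container whose `from-device-policy` references entries under `ietf-access-control-list:acls`); the host names, ports and ACE names are invented, and `operator_narrow` is an assumed helper standing in for the operator customisation the paragraph mentions. Any outbound connection that no entry explicitly accepts is denied, which is what stops a compromised device from flooding an arbitrary target.

```python
"""Default-deny outbound policy for an IoT device derived from a MUD file.

Added example, not SafePay/FEAM code. The MUD document is constructed in the
shape of the RFC 8520 examples; hosts, ports and ACE names are invented.
"""
import copy

# Constructed manufacturer MUD file for a hypothetical thermostat.
MANUFACTURER_MUD = {
    "ietf-mud:mud": {
        "mud-version": 1,
        "mud-url": "https://example.com/thermostat.json",  # hypothetical
        "is-supported": True,
        "from-device-policy": {
            "access-lists": {"access-list": [{"name": "from-thermostat"}]}
        },
    },
    "ietf-access-control-list:acls": {
        "acl": [{
            "name": "from-thermostat",
            "type": "ipv4-acl-type",
            "aces": {"ace": [
                {"name": "cloud-https",
                 "matches": {"ipv4": {"ietf-acldns:dst-dnsname": "api.example.com",
                                      "protocol": 6},
                             "tcp": {"destination-port": {"operator": "eq", "port": 443}}},
                 "actions": {"forwarding": "accept"}},
                {"name": "ntp",
                 "matches": {"ipv4": {"ietf-acldns:dst-dnsname": "time.example.com",
                                      "protocol": 17},
                             "udp": {"destination-port": {"operator": "eq", "port": 123}}},
                 "actions": {"forwarding": "accept"}},
            ]},
        }]
    },
}


def _acl_by_name(mud: dict, name: str) -> dict:
    for acl in mud["ietf-access-control-list:acls"]["acl"]:
        if acl["name"] == name:
            return acl
    raise KeyError(name)


def _ace_matches(ace: dict, dst_host: str, proto: int, port: int) -> bool:
    """True if every constraint present in the ACE matches the attempted connection."""
    m = ace.get("matches", {})
    ip = m.get("ipv4") or m.get("ipv6") or {}
    if "ietf-acldns:dst-dnsname" in ip and ip["ietf-acldns:dst-dnsname"] != dst_host:
        return False
    if "protocol" in ip and ip["protocol"] != proto:
        return False
    l4 = m.get("tcp") if proto == 6 else m.get("udp") if proto == 17 else None
    if l4 and "destination-port" in l4:
        dp = l4["destination-port"]
        if dp.get("operator", "eq") == "eq" and dp["port"] != port:
            return False
    return True


def outbound_allowed(mud: dict, dst_host: str, proto: int, port: int) -> bool:
    """Evaluate a device-initiated connection against the from-device policy."""
    policy = mud["ietf-mud:mud"].get("from-device-policy", {})
    for ref in policy.get("access-lists", {}).get("access-list", []):
        for ace in _acl_by_name(mud, ref["name"])["aces"]["ace"]:
            if _ace_matches(ace, dst_host, proto, port):
                return ace["actions"]["forwarding"] == "accept"
    return False  # nothing matched: default deny


def operator_narrow(mud: dict, keep_ace_names: set) -> dict:
    """Assumed operator customisation: keep only the named ACEs (narrow, never widen)."""
    narrowed = copy.deepcopy(mud)
    for acl in narrowed["ietf-access-control-list:acls"]["acl"]:
        acl["aces"]["ace"] = [a for a in acl["aces"]["ace"] if a["name"] in keep_ace_names]
    return narrowed


if __name__ == "__main__":
    print(outbound_allowed(MANUFACTURER_MUD, "api.example.com", 6, 443))     # legitimate
    print(outbound_allowed(MANUFACTURER_MUD, "victim.example.net", 6, 80))  # flood target
```

The evaluator returns a decision only for connections the manufacturer listed; everything else, including an attacker's chosen flood target, falls through to the final deny, and the operator can only remove entries from that list, not add to it.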
With its unique architecture, FEAM opens a whole new approach to user and device authorisation, but wherever possible it uses existing industry standards and best practices. During development, ongoing industry initiatives are actively monitored to ensure that the solution remains future-proof and can satisfy upcoming, novel requirements.
You can watch a short video about the transaction flow here.