Replacing hardware tokens for authenticated login

1. My local Rabobank does not have a mobile app.
2. Account access is via their website, which requires a hardware token for login.
3. I think the reliance on the hardware token might be a factor in why there is no mobile app (pure speculation from me).

This is a concept for how the authentication requirement could be satisfied via an app, without the need for a third-party hardware token or service. See the attachment for full details.

--------

My local Rabobank uses the common Vasco Digipass system for login. The login process is:

1. Enter your account number (something you have).
2. Enter the last 4 digits of your Digipass (something you have).
3. Enter your PIN into the Digipass (something you know).
4. Enter the code the Digipass generates into the website (something you have).

In the above process, the only secret is the PIN, which makes it similar to any other scheme in which a PIN or password is the critical piece of information. The PIN is used to generate a login code, so the extra protection from the Digipass is that knowing the PIN alone is not enough to log in (the ‘something you have’ part of the equation).

For a mobile app, however, possession of the phone registered to your account can substitute for possession of the Digipass. That would be a straight swap, but it could be an improvement, since more complex algorithms could be developed instead of relying on time alone. The task, then, is to authenticate your phone in a manner that would be acceptable to the bank.

This concept makes use of information that is already required when you apply to open an account:

1. After your application is accepted, Rabobank sends a welcome letter containing your account number. Use this account number as proof of address and to activate Steps 2 and 3.

2. In your application, Rabobank requires you to register a mobile phone. For the account number entered in Step 1, send a code via SMS to the mobile number given in the application.

3. In your joining application, Rabobank requires you to choose an external bank account for transfers to and from your Rabobank account. Similar to PayPal, Rabobank could transfer a tiny sum of money to that account and include a code in the transaction particulars, as proof of ownership of the account.

Once this information has been successfully submitted:

4. A UUID is generated and registered with Rabobank’s system, granting your device access to your account.

5. Rabobank then sends back an algorithm that replaces the Vasco Digipass for every transaction you make (to be detailed in another shot).
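The enrollment steps above as an added example, written for this page and not code from the shot or from Rabobank: a server-side simulation in which the welcome-letter account number opens the flow, the SMS code and the micro-deposit code are issued over the two channels on file and must both be verified before the device UUID of Step 4 is issued. The account number, mobile number, external account, code lengths, time limit and attempt budget are constructed placeholders, and the Step 5 algorithm is out of scope.

```python
import hmac
import secrets
import uuid
from dataclasses import dataclass
# Constructed application records (hypothetical identifiers, not Rabobank's data).
APPLICATIONS = {"1234567": {"mobile": "+31 6 0000 0000",
                            "external_account": "NL00BANK0000000001"}}
CODE_TTL = 15 * 60   # seconds the SMS and micro-deposit codes stay valid
MAX_ATTEMPTS = 5     # wrong submissions before the enrollment is voided
OUTBOX = []          # stands in for the SMS gateway and the payment rail
ENROLLMENTS = {}     # account number -> Enrollment
DEVICES = {}         # device UUID -> account number

@dataclass
class Enrollment:
    account: str
    sms_code: str
    deposit_code: str
    created: float    # seconds; the caller supplies the clock
    attempts: int = 0

def start_enrollment(account, now):
    # Step 1: the welcome-letter account number opens the flow; Steps 2 and 3
    # send independent codes over the two channels already on file.
    app = APPLICATIONS.get(account)
    if app is None:
        return False  # unknown account: same reply shape, no enumeration hint
    e = Enrollment(account, f"{secrets.randbelow(10**6):06d}", secrets.token_hex(4), now)
    ENROLLMENTS[account] = e
    OUTBOX.append(("sms", app["mobile"], e.sms_code))
    OUTBOX.append(("deposit", app["external_account"], e.deposit_code))
    return True

def complete_enrollment(account, sms_code, deposit_code, now):
    # Steps 2-4: both codes must match within the TTL and attempt budget;
    # only then is a device UUID minted and bound to the account.
    e = ENROLLMENTS.get(account)
    if e is None or now - e.created > CODE_TTL or e.attempts >= MAX_ATTEMPTS:
        ENROLLMENTS.pop(account, None)  # expired or exhausted: start over
        return None
    e.attempts += 1
    # Constant-time, non-short-circuit comparison: the reply must not hint which code failed.
    ok = (hmac.compare_digest(sms_code.encode(), e.sms_code.encode())
          & hmac.compare_digest(deposit_code.encode(), e.deposit_code.encode()))
    if not ok:
        return None
    device_id = str(uuid.uuid4())
    DEVICES[device_id] = account
    del ENROLLMENTS[account]  # codes are single-use
    return device_id
```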
