Google Texts Two Factor

When we launched the Government Gateway in 2001 we spent a lot of time looking at login security models. Phishing, though not called that at the time, was just emerging and we could see that passwords were going to be unreliable. 
We looked at lots of options – USB tokens (failed because we wanted people to be able to access services from anywhere and internet cafes – research showed – didn’t expose their USB ports), RSA-style tokens (very complicated with a high cost of set up and a high incidence – at the time – of help desk calls, digital certificates (don’t get me started), a funny device that had 4 coloured buttons and you set your own code on that (it’s name began with Q, I can’t remember what it was). We spoke to the banks to see if they would be interested in issuing secure login devices that we could piggy back on (effectively trusting the bank to authenticate properly and then hand the user to us) but made no progress, We dead-ended on lots of things.
We also looked at sending a text to your mobile phone to confirm that it really was you. We even built the capability to do this. But testing showed that the time to deliver was very variable – and sometimes delivery didn’t ever happen. So we abandoned that as an idea.
We settled, then, on a long (and entirely un-recallable) password coupled with an equally unmemorable userid. These were imposed on us by the security rules at the time.
I was intrigued, then, when Dan forwarded me a recent announcement from Google saying:
2-step verification is now available for Google Apps (free) edition. When enabled by an administrator, it requires two means of identification to sign in to a Google Apps account. A mobile phone is the main requirement to use the second form of identification. It doesn’t require any special tokens or devices. After entering a password, a verification code is sent to the user’s mobile phone via SMS, voice calls, or generated on an application they can install on their Android, BlackBerry or iPhone device.
It isn’t the text bit that’s interesting – doubtless that will have the same issues as we had all that time ago or perhaps even worse given the huge volume of text now. But it is interesting that you can have an app on your phone that will prove you are who you say you are.
It wouldn’t surprise me if the banks made the same move – and so reduced the costs of sending out their own secure devices. And why not the Government Gateway too – we don’t need to know that you are the owner of the phone (with 70% pay as you go, that’s too big a hurdle), we just need to be able to tie that phone to you at the point of registration and create an app that supports the process. That doesn’t sound difficult.
The mobile phone, though, is becoming an increasingly concentrated device – NFC payments, all of your email, one touch access to Facebook/Twitter etc – and often without any PIN protection (or any way to lock it down quickly if it is stolen, Find My iPhone notwithstanding).

NFC, NFW?

Mobile World Congress, the annual jamboree on all things, well, mobile, intensified coverage this week on the potential for Near Field Communication or NFC. The latest Android operating system (and at least one phone, the Nexus S) has had this capability for some months but what really got everyone going was the rumour that the iPhone 5, due perhaps in the middle of the year, would support NFC too. If you already have a ‘phone with NFC, I’m guessing you feel like the first person to have a fax machine. It’s very shiny ‘n’ all, but what do you do with it?

NFC is already a familiar technology for anyone who travels regularly on the London Underground, bus or train network via the Oystercard. Using the Oystercard is both quicker than cash methods, especially with auto-topup that ensures you never run out of cash on your card, and also cheaper – probably a far greater positive motivation to make the switch (O2 have trialled Oyster-equipped mobiles too). Oystercard may qualify as one of UK government’s most successful projects ever. There are numerous other opportunities to use NFC use in the UK too – for instance, many, if not all, branches of Pret A Manger have terminals at the till where, if you have a suitably enabled debit card (Barclays I believe), you can swipe the terminal and make payment. In 2 years of near daily visits, I haven’t ever seen anyone use them and most of the terminals have long since been tucked out of the way. In the USA, NFC-equipped key fobs have long been used to pay for petrol and other goods too. MasterCard has been testing its own technology, PayPass, in partnership with Nokia and others since 2006 (and since 2009 in the UK with, amongst others, Boots) – indeed, MasterCard say that as at August 2010 they had 78m cards and 245,000 merchants accepting them globally.

This is a technology that has been trying to happen for some time – so is the fusion of mobile and NFC the trigger to growth in mobile payments?

Twice in the last month I’ve travelled through Europe on BA flights. I opted to use their new iPhone app boarding pass – definitely not an instance of NFC use (it’s a standard square barcode) but I thought the experience might be similar. From initial check in to sitting in the seat, I had to give my phone to 6 different people – the checkin person, the BAA boarding pass verifier, the BA Lounge steward, the staff in the duty free, the gate checkin person and the crew on the plane.
There are two things that make me pause for thought here:

1) Each time I presented the boarding card – often many minutes or even an hour or two apart – I had to slide to unlock, open the BA app and select the boarding pass – that is, you have to have the app open and working. Each time you go through the process, there is an opportunity for the screen to dim, a text/call/facebook badge to signal or, worse, the phone to hang, crash or do something otherwise unhelpful (admittedly a rare event, but it does happen).

2) The oddest thing, though, is actually handing over your phone to someone else – my phone is practically tethered to me and giving away control is quite alien. Now partly this is because it’s a bar code that needs to be scanned rather than a contactless payment transaction but I can’t help feeling that when something goes wrong, the first thing that will have to happen is you have to hand your phone over – just as now, if you can’t get your chip and pin card to work, staff in a store try for you, using your card.

Driving adoption of mobile payments enabled by NFC will require overcoming some challenges:

1) Do you need a PIN and how often? In most trials, payments of between £10-20 have been possible without PIN verification at the payment point. This plays to the convenience angle – the cash substitute – but still means you need a PIN (or possibly two – you may choose to lock your phone with a PIN knowing that it is now effectively cash, as well as having a payment-related PIN)

2) Who is carrying the payment risk? With chip and pin – which was effectively a mandatory change introduced by banks – the retailer took the risk if they only required a signature, the credit card company if a pin was used (and, in theory, not the customer in any circumstance, unless the pin had been disclosed to a 3rd party). How this works with NFC payment will directly affect adoption (both in terms of retailers deploying readers and customers using) – if the retailer carries the risk when no pin is used (that is, for a low amount) then either a PIN will always be required or the retailer won’t rush to install terminals; if the customer carries the risk, then adoption is also likely to be low. Of course, this risk needs to be contrasted with the equivalent risk of you losing a wallet full of cash. If the retailer isn’t carrying the risk they would likely be strong advocates for payment via this method – as long as the margin taken by the various people in the chain is lower than the retailer’s equivalent cash handing charge.

3) Will NFC be cancelled at the same time as the ‘phone is blocked from making calls? This is plainly related to the risk question. If you report your phone stolen and the carrier disables call, but somehow low value payments can still be made, who is going to bear the risk of those payments? If it’s the retailer or the customer, there’s trouble ahead.

4) Will any phone and any reader work in all combinations or will it be like the early days of ATMs when you had to go to your own bank, or the early days of MMS when you could only send to another ‘phone on your own network?

5) Is the phone cash or credit? If it’s cash, how do you get money on to it – an auto top-up just as the Oyster card has is the most convenient (you don’t want to have to top it up when you’ve just got to the front of the queue in Pret).

6) If I can move money between two NFC enabled devices, two mobile phones for instance, what steps will law enforcement take to monitor such transactions so as to police money-laundering? And what effect will that have on take up, privacy issues and so on. The obvious one is to limit the transaction size to a low value and to prevent too many transactions from taking place in a short period so as to reduce the chances of bulk laundering. But, doing so will also complicate matters for legitimate consumers – what if you bump up against the limit yourself yet have no idea that you have?

7) What data is transferred to the merchant when i make the transaction? Just amount? Name? Mobile number? Address? Date of birth?

The security and risk issues with mobile payments are complex so it’s very likely that other capabilities will emerge alongside payments that could drive adoption of NFC and then make the move to payments a simpler change

a) Loyalty cards and rewards – no need to carry a separate card to track your nectar points. You could make payment, collect points or even redeem points all at the same time. Or you could just collect points and have an app that tells you how many you’ve got and what you can do with them

b) Mobile check in services – Foursquare has this nailed but perhaps an NFC-enabled check in point by the cash desk or even at the door would mean more people checked in and, coupled with loyalty cards, could drive rewards for doing so

c) Advertising – Bluetooth-enabled advertisements have emerged relatively recently but they broadcast to anyone nearby (push). NFC-enabled posters would require a conscious action (pull) to get the information, making the person a potentially more valuable customer

d) Museum tours / tourist info – placing your phone on an NFC pad next to an object in the British Museum could bring up the details of whatever you were looking at, in a BM app. It would be like SatNav indoors. The data transfer rate of NFC probably isn’t sufficient for much information to be transferred (and it’s unclear, to me, how the exchange of data from NFC to app would work) so the app will still be the repository of the latest information

With many phones shipping this year with NFC there will at last be sufficient mass to perhaps drive the long-pending mobile payments / digital money revolution perhaps started by Mondex in the 1990s.

These days – especially these days – we’re used to revolutions starting and finishing far faster than that. I think this one has already run its course – another Digital Compact Cassette, MiniDisc, Betamax technology.