Survey of Strong Authentication Approaches for Mobile Proximity and Remote Wallet Applications - Challenges and Evolution

Wallet may be described as container application used for configuring, accessing and analysing data from underlying payment application(s). There are two dominant types of digital wallet applications, proximity wallet and remote wallet. In the payment industry, one often hears about authentication approach for proximity or remote wallets or the underlying payment applications separately, but there is no such approach, as per our knowledge, for combined wallet, the holder application. While Secure Element (SE) controlled by the mobile network operator (i.e., SIM card) may ensure strong authentication, it introduces strong dependencies among business partners in payments and hence is not getting fraction. Embedded SE in the form of trusted execution environment [3, 4, 5] or trusted computing [24] may address this issue in future. But such devices tend to be a bit expensive and are not abundant in the market. Meanwhile, for many years, context based authentication involving device fingerprinting and other contextual information for conditional multi-factor authentication, would prevail and would remain as the most dominant and strong authentication mechanism for mobile devices from various vendors in different capability and price ranges. EMVCo payment token standard published in 2014 tries to address security of wallet based payment in a general way. The authors believe that it is quite likely that EMVCo payment token implementations would evolve in course of time in such a way that token service providers would start insisting on device fingerprinting as strong means of authentication before issuing one-time-use payment token. This paper talks about challenges of existing authentication mechanisms used in payment and wallet applications, and their evolution.