Singapore security firm hopes mobile software token will plug hardware holes

Singapore's state-owned security vendor, Assurity Trusted Solutions, is hoping its introduction of a mobile software token will resolve common user grievances associated with hardware tokens and finally convince local banks to adopt its platform.

Its CEO Charles Fan, though, acknowledged major banks likely still would prefer to have total control over their own security infrastructure.

Set up in 2011, Assurity is a wholly-owned subsidiary of local government ICT agency, GovTech, and operates the national authentication framework (NAF). The security layer is used to authenticate online transactions between the Singapore government, businesses, and citizens.

Assurity initially focused exclusively on two-factor authentication (2FA) services, which included its OneKey hardware token, but this proved a "very narrow business model", Fan told ZDNet. The company then expanded its offerings to include various identification and access authentication services, he said, adding that brokerage and trading houses were among its customers.

OneKey was launched in December 2011 and touted as an option for banking customers to consolidate their 2FA devices. This, however, failed to take off as banks in Singapore chose to continue issuing their own hardware tokens.

Fan acknowledged that most banks preferred to have control and run their own environment, noting that these organisations would have invested significantly in building up their infrastructure in order meet regulatory requirements.

2FA-based login is mandatory for access to mobile and online banking services in Singapore, and required--via login with SingPass--for some e-government transactions involving sensitive data, such as income tax filing and medical records. There currently were some 2.3 million OneKey users.

Having already invested heavily in their own security systems, Fan noted that banks would remain unlikely to move to a centralised platform provider such as Assurity. There were opportunities, however, in smaller banks and financial services providers that might not be able to invest in such infrastructures, he said.

In particular, he expressed optimism that a new mobile software token would convince more businesses, as well as consumers, to adopt 2FA technology.

Unveiled today, the OneKey Mobile app was developed with local security vendor, V-Key, which was selected as a technology partner after a one-year evaluation process. Backend integration with V-Key's mobile software token app, V-Tap, began in October, according to Fan.

Noting that more than 4.1 million in Singapore owned smartphones, he said OneKey Mobile should make for an "attractive and convenient" option. For instance, he added, it addressed common user complaints about hardware tokens, which needed to be replaced every three to five years at the end of their battery shelf-life and had a tedious activation process requiring components to be mailed out separately.

The mobile software token would be offered as an additional option alongside Assurity's hardware and SMS authentication 2FA services.

Users would need to download the OneKey app via Apple App Store or Android Play Store, and enrol the app with an activation code via Assurity's web portal. This then would link the software token to the user's device. Access to the app could be secured with a six-digit PIN or the device's fingerprint scanner.

The app would be able to work offline and would not require mobile data connection, according to Assurity. Jail-broken or rooted smartphones would not be supported and only a whitelist of Android devices would be supported.

V-Key CEO and Co-Founder Benjamin Mah said consumers today were saddled with multiple passwords they had to remember and SMS OTPs (one-time-passwords) were cumbersome to use, requiring users to be light on their fingers to ensure the numbers worked within the allocated time. SMS-based passwords also would need to be delivered promptly, which might not always be the case when mobile networks were congested, Mah said.

He said mobile software tokens addressed the insecurity of PINs and passwords, the inconvenience of hardware tokens, and the inefficiencies of SMS OTPs.

V-Key also provided an SDK (software development kit) that would facilitate backend integration with enterprises and telcos, enabling authentication without requiring mobile users to memorise and key in the OTP.

No business customer had signed up for OneKey Mobile yet, Fan said, but some had expressed interest during a demo session conducted with existing Assurity clients.

Mah noted that the partnership could pave the way for the two vendors to showcase potential use cases for Singapore's smart nation services as well as enterprise customers.

He added that the software mobile token, for instance, could facilitate loan or credit card applications, which processes currently were still largely paper-based and slow.

The OneKey Mobile app would only be available for download at the end of February.