Banking on the authentication wave

Move by Asian banks to improve authentication systems will aid adoption of PKI technologies, says CEO of Data Security Systems Solutions.
Written by Vivian Yeo, Contributor
Tan Teik Guan, CEO and CTO of Data Security Systems Solutions
When it comes to digital signatures and authentication, the CEO and CTO of data security company Data Security Systems Solutions (DSSS) is outright frank.

According to Tan Teik Guan, consumers "don't care" about digital signatures. Merchants do, and that is because they do not want to be held liable for all cases of fraudulent transactions.

But, the tide seems to be shifting in favor of digital signatures, as central banks worldwide increasingly look to two-factor authentication to tighten security of online transactions.

Two-factor authentication requires the use of either one-time passwords or devices that use Public Key Infrastructure (PKI) technologies, such as smart cards and USB tokens, as the second layer of protection, explained Tan. PKI allows for digital signatures, and hence supports the non-repudiation component of transactions, but it is seen as more expensive to deploy.

It is with this in mind that DSSS developed the One-Time Private Key (OTPK), which is basically an inexpensive PKI solution to address authentication needs and is, at the same time, in compliance with digital signature laws. The technology was one of eight technologies that won the DemoGod award at the DemoFall event last September.

In Singapore, where DSSS is based, two out of three banks use its authentication servers. The company has subsidiaries in Thailand and the United States, and is planning to expand into Japan.

In an interview with ZDNet Asia, Tan demystifies the company's OTPK technology and discusses its applications and potential.

How different is the OTPK compared with other PKI technologies currently available in the market?
The One-Time Private Key that we've invented, and patented, is really to provide the mobility that we see lacking in traditional PKI systems. These systems require you to have a smart card or USB token that has to be plugged into a PC, which needs to be pre-installed with the necessary drivers and libraries in order to carry out transactions online.

We wanted OTPK to be mobile, and yet be in compliance with government regulations--these are the two big areas that existing solutions in the market right now cannot fulfill. By mobility, I'm referring to the ability to use a PC wherever you are…or use your own mobile phone to carry out legally-compliant digital signatures.

OTPK sounds a little too good to be true, isn't it?
There are barriers to adoption, I would say, in three areas. If you're looking at it from a very personal one-man usage of digital signatures…most consumers on the street don't really care about digital signatures. Technology providers and merchants are trying to play up the hype over digital signatures, but consumers don't really care… They see it as really something that's for large enterprises.

Credit card transactions place liability on the merchant and not the consumer. If someone steals your credit card number and uses it to buy something, and the merchant wants to charge you for it, you can say 'Hey no, that's not my credit card. You go figure out how the fraud occurred, I'm not paying for the charges.' The merchant bears the liability.

So, from a consumer point of view, you would question: 'Why am I signing a transaction which I'm now going to be liable for?' Signatures transfer liability--if the merchant has a signature from you, he can then take you to court. So why should consumers want to use the signature?

It's the organizations that want digital signatures to protect them from the liability involved in the transactions. But, digital signatures currently come at a cost. For example, OTPK requires authentication infrastructure to be in place first before we can implement digital signatures.

Two-factor authentication is currently being rolled out in Singapore, and is already in use in a few other countries. That will obviously help in the adoption of digital signatures. But unfortunately, the infrastructure is a pre-requisite to deploy OTPK.

Banks in Singapore and Hong Kong, countries which mandated two-factor authentication, already have one-time passwords in place. Where does DSSS's OTPK fit into the picture?
We see OTPK as the next step that they're moving toward. The technology will gain traction in maybe one-and-a-half years to two years' time, when the market can absorb these kinds of new technologies in order to push out newer forms of electronic transactions that are of higher value and in larger volumes.

OTPK is not here to protect your 50 cents or one dollar-type transactions--there is no value for banks to do that. All they want from simple two-factor is to make sure they have the infrastructure in place before they can start rolling out higher value transactions. Imagine if the banks start to roll out services-related products, for example, that allow their customers to place bets or trade stocks online using their existing banking portals. These are money-making transactions for the bank, but without a good security infrastructure in place, they're not going to make it very far. So we want OTPK to be able to enable them to do these things.

What's the role of certificate authorities (CAs) in this picture then? Will OTPK change things for them?
We're positioning OTPK as a technology for doing digital signatures; we're not positioning OTPK to go out there and make all the CAs go out of business.

One thing OTPK does is that it changes the pricing model for CAs. They currently charge you based on a digital certificate that is valid for a period of one, three or five years. And they charge you a fixed amount--unfortunately, quite a large amount--for the certificate which you potentially may or may not use over that time period. It's like parking your car in a lot that charges you a flat per-entry fee, regardless of how long you leave your car there.

OTPK gives the CAs a means to charge on a per-transaction basis so if you're signing a transaction, they give you one certificate that's only liable for that one transaction. CAs do not make money from the certificate itself; they get their revenue from bearing the liability associated with the certified transaction. They're like an insurance company--if there's a transaction that's being signed and there's identity fraud, then the liability is on the CA that provides the digital certificate.

With OTPK, CAs can go to organizations that would never go to them because of the huge upfront cost in using digital certificates and change it into an ongoing per-transaction cost, where now it becomes more of a risk-sharing approach. The more transactions an organization has to carry out, the more business he is willing to give to the CA to certify its key. CAs that are willing to adopt this new pricing model will be able to out-maneuver their competitors.

How would you describe the potential for this technology in the Asia-Pacific region?
We're starting our OTPK efforts first in Southeast Asia, which has one of the more promising people populations and cultures that are not tied to the traditional use of smart cards, USB tokens. We see the technology being able to leapfrog and bypass some of the pain that other countries, for example in Europe, have gone through. The Europeans are very big on smart cards, and they continue to be so--there's no point trying to fight that market.

Instead, we want to push OTPK on the mobile phone, which is very popular in the Asian context. But our immediate step is to ensure we can supply both one-time password and OTPK, making it a PKI-based authentication system that cuts across various countries and the financial sector.

Asia is leading in the two-factor authentication charge, and one of OTPK's requisites is a strong authentication infrastructure, so we want to ride on this to push it through.

Singapore and Hong Kong have already migrated to two-factor authentication. Many central banks in other countries have also already given the same guideline to their banks, and saying, 'I'm not announcing it, but you'd better be doing it'. These are countries like Malaysia, Thailand, Indonesia and Korea. We expect Japan to also do the same.

You mentioned the mobile platform. Can you elaborate on how the technology will work on mobile devices?
We've written our demo on the J2ME (Java 2 Mobile Edition) platform, which allows digital signatures to be carried out on any phone that supports the Java platform.

The app is very fast--on my mobile phone, it runs a full key generation, certification request and digital signature in 3 seconds. The transmission can go out in the form of an SMS (short messaging service), 3G (Third Generation) or GPRS (General Packet Radio Service) IP connection.
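Two of Tan's remarks describe a concrete workflow: a CA that issues "one certificate that's only liable for that one transaction", and a signer that runs key generation, a certification request and a digital signature for each transaction. The Go program below is an added illustration of that pattern built from standard X.509 pieces; it is not DSSS's OTPK implementation and not code from the interview. Everything specific to it is an assumption: the demo CA, carrying the transaction hash in the certificate's Subject serial number as the binding, the five-minute validity window, the ECDSA P-256 keys and the constructed sample transaction. The interview does not say how OTPK itself binds a certificate to a transaction.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// CA is a hypothetical authority whose long-lived key certifies one-time keys.
type CA struct {
	key  *ecdsa.PrivateKey
	cert *x509.Certificate
}

// issue signs tmpl with priv (the parent's key) and returns the parsed certificate.
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, priv *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// NewCA creates a self-signed root for the demo (assumption: one root, no intermediates).
func NewCA() (*CA, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Per-Transaction CA"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageCertSign,
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	cert, err := issue(tmpl, tmpl, &key.PublicKey, key)
	return &CA{key: key, cert: cert}, err
}

// txHash is what gets signed; its hex form ties a certificate to one transaction.
func txHash(tx []byte) []byte {
	sum := sha256.Sum256(tx)
	return sum[:]
}

// Certify answers the certification request for a freshly generated key: the
// transaction hash goes into the Subject serial number and the validity window
// is a few minutes, so the certificate covers this transaction and no other.
func (ca *CA) Certify(userID string, pub *ecdsa.PublicKey, tx []byte, now time.Time) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(now.UnixNano()), // demo only; a real CA uses random serials
		Subject:      pkix.Name{CommonName: userID, SerialNumber: fmt.Sprintf("%x", txHash(tx))},
		NotBefore:    now.Add(-30 * time.Second),
		NotAfter:     now.Add(5 * time.Minute),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	return issue(tmpl, ca.cert, pub, ca.key)
}

// SignTransaction runs the signer-side steps named in the interview: generate a
// key, have it certified, sign. The private key never leaves this function.
func SignTransaction(ca *CA, userID string, tx []byte, now time.Time) (sig []byte, cert *x509.Certificate, err error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if cert, err = ca.Certify(userID, &key.PublicKey, tx, now); err != nil {
		return nil, nil, err
	}
	sig, err = ecdsa.SignASN1(rand.Reader, key, txHash(tx))
	return sig, cert, err
}

// Verify is the relying party's check: chain to the CA, validity at time now,
// binding to this exact transaction, and the signature itself.
func Verify(ca *CA, tx, sig []byte, cert *x509.Certificate, now time.Time) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca.cert)
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	if err != nil {
		return fmt.Errorf("chain: %w", err)
	}
	if cert.Subject.SerialNumber != fmt.Sprintf("%x", txHash(tx)) {
		return fmt.Errorf("certificate is not bound to this transaction")
	}
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	if !ok || !ecdsa.VerifyASN1(pub, txHash(tx), sig) {
		return fmt.Errorf("bad signature")
	}
	return nil
}

func main() {
	ca, err := NewCA()
	if err != nil {
		panic(err)
	}
	now := time.Now()
	tx := []byte(`{"to":"acct-2","amount":"2500.00"}`) // constructed sample transaction
	sig, cert, err := SignTransaction(ca, "customer-42", tx, now)
	if err != nil {
		panic(err)
	}
	fmt.Println("fresh:", Verify(ca, tx, sig, cert, now))
	fmt.Println("an hour later:", Verify(ca, tx, sig, cert, now.Add(time.Hour)))
	fmt.Println("other transaction:", Verify(ca, []byte("other"), sig, cert, now))
}
```

The relying party's three checks are what make the certificate "liable for one transaction only": the short window rejects a replay of the same signed message later, the Subject serial number rejects the certificate being presented with any other transaction, and the signature check rejects a message signed by some other one-time key. Because the private key is created and discarded inside the signing step, there is nothing for a user to store or carry, which is the mobility argument Tan makes against smart cards and USB tokens.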

We're seeing that it will definitely take on in a big way, with the ability to carry out transactions or send out instructions over a mobile phone. Imagine sending out SMS messages that are legally-compliant… That becomes a very powerful concept itself--we'll really be using SMS for business purposes.

What applications are there for the mobile platform?
We want to address the healthcare market and the legal community, where we see the means to use the mobile phone as a basis to send instructions, for instance, for a lawyer to act on your behalf. He receives legally-signed, via digital certificates, instructions from your mobile phone and can act on them very quickly. That becomes a very powerful concept.

How do you see the technology usage evolving over the next one to two years?
We're not at the point of saying 'This is the correct way to do it'. We know the technology is there; we know there is a way to do it. We're in the process of working on pilot trials to make this a much more substantial and credible solution.

We're prepared to work with a lot more technology partners and learn from them. We recognize that we're a very small company with a limited view of things.

One of our immediate priorities is to take the SDK (software development kit) for the OTPK and try to populate it in as many places as we can, and let the experts in that industry or vertical segment figure out how they can best use the technology. That's how we see the advantage flowing back to us.
