Type: Research (Spin-off Project from KU Leuven)
Category: Privacy, Security
Sub-categories: Data Protection, Authentication, Mobile Security
n-Auth: Forget about authentication tokens, transferring digits and complex user interactions. With n-Auth you can authenticate at the snap of a single n-Auth code.
User authentication (e.g. login, transaction approval) is today a trade-off between usability and security. At one end are secure authentication tokens that are hard to use and often lack a clear user interface. At the other end are user-friendly mobile apps that are vulnerable to attack, mainly because app development is all too often done without any notion of cryptography or security. In the middle (neither user-friendly nor really secure) sits the most widely used form of authentication: passwords.
Solution (Value Proposition)
n-Auth offers the best of both worlds. Our radically new approach, based on state-of-the-art cryptography, offers a high level of security and end-user privacy. Using the user's mobile platform as the base of trust, we eliminate the need for any central identity provider. From their mobile, a user can log in to and out of online platforms and directly authorise transactions, with the security seamlessly integrated behind the scenes. Nor is this functionality limited to the user's own mobile: one can log in to and out of online platforms through any (untrusted) computer, or even approve transactions from a printed receipt. n-Auth started as a COSIC project in 2013. COSIC is a world-renowned research group of KU Leuven in cryptography, security and privacy. Its research spans from mathematical foundations over algorithms and protocols to efficient and secure implementations in hardware and software.
n-Auth differentiates itself from the competition by combining the best in security, privacy and usability in one solution that can moreover be deployed at low cost. In each of these areas, the key differentiators are:
Security:
◦ State-of-the-art cryptography and security.
◦ Multi-layered protection on the mobile device: an innovative key protection mechanism, PIN unlocking, the security protocol, implementation security and obfuscation.
◦ No secrets database required on the server.
◦ No third parties.
◦ Developed by a team of experts; clear technical advantage over the competition.
Privacy:
◦ No collection of user/device data in order to provide authentication.
◦ No third parties.
Usability and cost:
◦ No tokens, no passwords to remember.
◦ Easy to learn and use.
◦ Low cost (both deployment at end users and server side).
Supporting Technology (the 'magic')
Instead of issuing yet another authentication token to the user, we use the user's smartphone as the central point of trust. After analysing a myriad of available mobile authentication solutions, we discovered many weaknesses. Another common pitfall in authentication is to split the security across software, hardware add-ons and/or cloud applications. This breaks the principle of having secure key storage, secure input and a secure display on the same entity, and often creates a larger security issue than properly using software alone would. Indeed, a hardware add-on merely shifts the problem of authenticating the software app to the server into authenticating the software app to the hardware add-on; the security thus remains software based.
Disappointed by the current state of authentication solutions, we set out to create a solution that outsmarts the rest in both security and user-friendliness. Building on the experience of a renowned team of cryptographers and security experts, n-Auth was developed, incorporating state-of-the-art cryptography.
With n-Auth, a user can log in and out directly from their mobile and also directly authorise transactions. With just two taps on the mobile, the user can log in to online platforms from any (untrusted) computer, without installing any special software on it. During the entire secure session, continuous authentication can seamlessly validate the user's presence if required. The user also has the power to log out at any time from their mobile. Other scenarios for n-Auth include mobile payments and approving transactions from printed receipts. Instead of carrying a dozen tokens and having to remember all your passwords, you simply use your one and only n-Auth enabled device.
This way, the need for a central authentication provider (e.g. OAuth, OpenID) is eliminated, which is crucial for acceptance by certain industries such as banks and by certain users. Not using a central authentication provider drastically improves the privacy of the user, who can no longer be tracked by that provider. It is also a security improvement: an attacker needs to get hold of your device, rather than compromising a single cloud account that unlocks many others at once. Smart backup and recovery functionality allows continued use of n-Auth in case of device failure, loss or theft. Different options for locking your n-Auth enabled device ensure that you can use it in hostile environments and be protected against theft and hacking.
Besides its many advantages for end users, our public-key based solution provides a huge benefit for service providers requiring authentication. n-Auth relieves them from storing any user-specific secrets: the only value that needs to be stored is useless to anyone wanting to authenticate as the user. This stands in contrast with password/PIN based solutions and even with symmetric-key approaches, which are typical for authentication tokens. In those cases, an attacker who gets hold of the authentication data on the server automatically gains access to all user accounts and can even approve transactions, which is devastating for a company. n-Auth thus severely limits a provider's liability.
From an R&D point of view, n-Auth has several innovative ingredients: the authentication protocol, the PIN-protection mechanism for keys, protection of the mobile application, a strong focus on usability, robust and future-proof cryptography by design... We refer to our research paper for details. Each of these innovations has merits on its own, but what makes n-Auth truly unique is combining all of them in a product that is trivial for a user to learn and use.
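The server-side property described above, that a public-key design leaves nothing on the server an attacker could authenticate with, is illustrated by the following added example. It is not n-Auth's protocol (the page refers to the research paper for that) and not the project's code: it is a generic challenge-response written for this page, using Ed25519 for the public-key variant and HMAC-SHA256 for the shared-secret variant. The names (`PKServer`, `SymServer`, `PublicKeyLeak`, `SharedSecretLeak`), the user "alice", the origin `https://bank.example` and the challenge format are all assumptions made for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

const origin = "https://bank.example" // constructed sample relying party

// Challenge is issued by the relying party. Binding a fresh nonce to the
// origin and the requested action makes a "login" response worthless as a
// transaction approval or at another site. (Example format, not n-Auth's.)
type Challenge struct {
	Nonce  [32]byte
	Origin string
	Action string
}

// Bytes is the exact message the device signs or MACs.
func (c Challenge) Bytes() []byte {
	b := append([]byte{}, c.Nonce[:]...)
	return append(b, []byte("|"+c.Origin+"|"+c.Action)...)
}

func NewChallenge(action string) Challenge {
	c := Challenge{Origin: origin, Action: action}
	if _, err := rand.Read(c.Nonce[:]); err != nil {
		panic(err) // no entropy: refuse to issue a challenge
	}
	return c
}

// PKServer stores only verification keys; they cannot produce a signature.
type PKServer struct{ pubkeys map[string]ed25519.PublicKey }

func (s *PKServer) Verify(user string, c Challenge, sig []byte) bool {
	pk, ok := s.pubkeys[user]
	return ok && ed25519.Verify(pk, c.Bytes(), sig)
}

// SymServer is the shared-secret design typical of OTP tokens: the same key
// sits on the device and in the server's user table.
type SymServer struct{ secrets map[string][]byte }

func tag(key []byte, c Challenge) []byte {
	m := hmac.New(sha256.New, key)
	m.Write(c.Bytes())
	return m.Sum(nil)
}

func (s *SymServer) Verify(user string, c Challenge, t []byte) bool {
	k, ok := s.secrets[user]
	return ok && hmac.Equal(tag(k, c), t)
}

// PublicKeyLeak enrols "alice", authenticates with her device, then plays an
// attacker holding a full copy of the server's user table.
func PublicKeyLeak() (honest, forged bool) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader) // generated on device
	if err != nil {
		panic(err)
	}
	srv := &PKServer{pubkeys: map[string]ed25519.PublicKey{"alice": pub}}
	c := NewChallenge("login")
	honest = srv.Verify("alice", c, ed25519.Sign(priv, c.Bytes()))

	// The stolen row is srv.pubkeys["alice"], a public key. With no signing
	// key, the best the attacker can do is sign with a key of their own.
	_, attackerSK, _ := ed25519.GenerateKey(rand.Reader)
	c = NewChallenge("login")
	forged = srv.Verify("alice", c, ed25519.Sign(attackerSK, c.Bytes()))
	return
}

// SharedSecretLeak is the same scenario against the symmetric design.
func SharedSecretLeak() (honest, forged bool) {
	secret := make([]byte, 32) // provisioned to device *and* server
	if _, err := rand.Read(secret); err != nil {
		panic(err)
	}
	srv := &SymServer{secrets: map[string][]byte{"alice": secret}}
	c := NewChallenge("login")
	honest = srv.Verify("alice", c, tag(secret, c))

	// The stolen row *is* alice's device key: the attacker can even approve
	// a transaction she never saw.
	c = NewChallenge("transfer 500 EUR")
	forged = srv.Verify("alice", c, tag(srv.secrets["alice"], c))
	return
}

func main() {
	h, f := PublicKeyLeak()
	fmt.Printf("public key:    honest=%v leaked-table-forges=%v\n", h, f)
	h, f = SharedSecretLeak()
	fmt.Printf("shared secret: honest=%v leaked-table-forges=%v\n", h, f)
}
```

Running it prints `honest=true leaked-table-forges=false` for the public-key server and `honest=true leaked-table-forges=true` for the shared-secret server: the same database breach that is harmless in the first design hands the attacker every account in the second. The nonce, origin and action are part of the signed message so that a captured login response cannot be replayed as a transaction approval; a real deployment would additionally expire challenges and rate-limit attempts.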
PhD in cryptography: "Lightweight Public Key Cryptography", expertise in provable security and privacy, Software development, Management experience (board/council member at SME, non-profits and university)
PhD in cryptography: "Security Architecture for Things That Think", expertise in protocol design and usability, Software development, Business development and networking
Michael De Blauwe:
Master's degree in applied economics, Senior expertise in Operations, Sales and Finance (Director and Board level), Strong skills in change management and people management
Bart Preneel (advisor):
Full professor in cryptography at KU Leuven, Active board member and former president of the International Association for Cryptologic Research (IACR). Frequently consulted expert on IT security and privacy
Our team has the right mix of strong technical expertise, the ability to implement it in a user-friendly way, business development skills and access to influencers to make n-Auth a success.
Contacts for clients, press and partners:
Dept. Elektrotechniek (ESAT) / COSIC
Kasteelpark Arenberg 10 bus 2452