Strong authentication with mobile phone as security token

The protection of digital identities is getting more and more crucial. The usage of passwords for authentication is no longer sufficient and stronger authentication schemes are necessary. Strong authentication solutions using two identification factors require often an additional device, which could be inconvenient for the user and costly for the service providers. To avoid the usage of additional device, the mobile phone is adopted as security token. This paper provides a study of the various ways the mobile phone can be used as an authentication token towards service providers on the Internet. It starts with discussing the need for a strong authentication scheme, and the motivation for using the mobile phone to improve on several aspects of the current authentication processes. Thereafter, the general architecture for authentication with mobile phones is presented. Several different authentication solutions using the mobile phone as authentication token are then described, where the solutions vary in complexity, strength and user-friendliness. The paper ends with an evaluation of the different solutions, and a discussion of the most probable attacks. A classification of the solutions is also provided, according to defined criteria.