Digital signature with smartphone for Online Banking

Cloud-based platform to implement digital signing, strong authentication and secure messaging operations via user smartphone

Certificate manager

A convenient and secure online banking user interface is vital to the success of any contemporary bank. In the context of the cyber security of an Online Banking service (OBS), the most sensitive data to protect are transactions on customer accounts and, consequently, the digital signing of those transactions. Cloud-based digital signing technologies are the most convenient for end users, as they do not require additional cryptographic devices (tokens, smart cards, etc.). However, the vast majority of cloud signature implementations center on user authentication via SMS, with key material stored on servers in an HSM. In other words, the user does not possess the private keys used in cryptographic operations. The Indeed AirKey Cloud (Indeed AK Cloud) platform takes a completely new approach to the task, using asymmetric cryptography and a PKI.

Business benefits

Secure replacement of SMS

Unlike an SMS message, where the information is sent in unprotected form, Indeed AK Cloud encrypts all data sent to the user's smartphone with asymmetric algorithms. This guarantees that the data can be viewed only on the device it is intended for.

User convenience

The user sees all the details of the transaction to be signed in a push notification. Confirming it takes a couple of taps on the smartphone screen.

Solution flexibility

Our solution makes it possible to implement all types of digital signature on a smartphone. This allows the solution to be adapted to current needs and easily extended to new scenarios as they emerge.

A user possesses his/her private key

The private keys used for cryptographic operations are always generated on the user's smartphone and never leave its memory. This guarantees that the user is the owner of the private key in digital signature scenarios. The company is therefore relieved of the need to store private keys on its side.

Solution key features

No need to install additional software

The Indeed AK Cloud mobile application is a self-contained digital signature tool. The user does not need to obtain and install additional software or hardware on a PC or tablet, purchase a separate device to store the digital signature key, or install drivers, web plugins, etc.

Push message explicitly notifies a user of digital signature operation being started

Each digital signature operation starts with an explicit notification: a push message is sent to the user's smartphone. Unlike SMS, a push message is cryptographically protected from interception and forgery (as it is signed with the AK Cloud server's digital signature).

Transaction details are displayed on smartphone screen

A user can view transaction details on the smartphone screen before confirming the operation.

Digital signature key remains on smartphone

Generation of the digital signature key, generation of the request to issue the certificate used for signature verification, and the signing operation itself are all performed on the smartphone. The digital signature key is stored in smartphone memory, never leaves it and is not synchronized with the cloud.

Protection of access to digital signature key with password and Touch ID

Access to the digital signature key requires that the user know the password. Devices with a biometric sensor can also use Touch ID or a similar biometric technology to protect the digital signature key.

Integration via SMPP protocol

To migrate seamlessly from SMS confirmation to secure push notifications, you can use the SMPP protocol. This makes it possible to connect AK Cloud to the OBS system without any modifications. The OBS would still send one-time passwords (OTP) via an SMPP gateway, whose role is played by the AK Cloud server.

Using SMS as backup method of transaction confirmation

When a push notification cannot be delivered to the user (say, when no 3G connection is available), the system may send SMS messages instead. This keeps OBS operations possible even under poor connectivity.

Description of Indeed AirKey Cloud solution

Indeed AirKey Cloud is a client-server platform. The client is a mobile application running on the iOS or Android operating system. The Indeed AK Cloud application turns a smartphone into a simple-to-use digital signature tool. The user does not need to obtain a smart card or install additional software. Using the application is as simple as receiving SMS messages and replying to them.

[Figure: AirKey Cloud scheme]

Digital signature in OBS using a smartphone

Online banking service tools are in common use today. Regulatory requirements force financial institutions to use certified, cryptographically enhanced digital signature technology to protect and confirm transactions. In practice, this means that every OBS user has to obtain, install and properly use a cryptographic service provider (CSP) and a digital signature. Storing the digital signature key on a security device external to the PC (USB disk, smart card or USB token) is singled out as a separate requirement.

This approach requires a certain level of competence from the user. A lack of that competence leads to a large number of calls to OBS technical support. Another problem is that the security of the PC environment in which the smart card is used cannot be guaranteed. This gives rise to fraud aimed at stealing the OBS user's money.

Indeed AirKey Cloud solves these problems in a new way. A digital signature user does not have to make any complex preparations. He or she gets a convenient and fully functional digital signature tool simply by installing the application on a smartphone.

Comparison with a classic smart card

| Characteristic | Indeed AirKey Cloud | Classic smart card |
| --- | --- | --- |
| Form factor | Smartphone | USB key, card, MicroSD |
| Memory available for key and certificate storage | Limited only by smartphone memory | up to 90 Kb |
| Processor | Smartphone CPU is used | Cryptographic microprocessor |
| Cryptographic algorithm support | AES, RSA, SHA-1 | Depends on the manufacturer. |
| Digital signature | Yes | Yes |
| Authentication in web applications using tablet PC | Yes, fully supported. | Limited support: special version of tablet PC is required along with additional software installation |
| Opportunity to enter PIN code not on the user PC (keylogger protection) | Yes, PIN code is entered on smartphone | Limited support: a separate device is required |
| Display of transaction details not on the user PC | Yes, smartphone screen is used | Limited support: a separate device is required |
| Remote removal of keys and certificates from the user device | Yes | No |
| Biometrics support | Yes. Smartphone built-in technology is used. | Yes. A separate device with match-on-card technology support is required. |

Integration to OBS

Indeed AirKey Cloud is integrated into a target system by incorporating WebAPI calls from the target system's server to the Indeed AK Cloud Server.

The user installs the Indeed AK Cloud mobile application from the App Store on his/her own. No additional software components need to be installed on the user's PC or tablet PC.

Indeed AK Cloud scheme

[Figure: AirKey Cloud scheme]