IBM scientists have developed a new mobile authentication security technology based on the near-field communication (NFC) radio standard. The technology provides an extra layer of security when using an NFC-enabled device and a contactless smartcard to conduct mobile transactions. Today many consumers use two-factor authentication from a computer, for example, when they are asked for both a password and a verification code sent by short message service (SMS). IBM scientists are applying the same concept using a personal identification number (PIN) and a contactless smartcard. The contactless smartcard could be a bank-issued ATM card or an employer-issued identity badge.

"Our two-factor authentication technology based on the Advanced Encryption Standard provides a robust security solution with no learning curve," said Diego Ortiz-Yepes, a mobile security scientist at IBM Research.

The user simply holds the contactless smartcard next to the NFC reader of the mobile device and after keying in their PIN, a one-time code would be generated by the card and sent to the server by the mobile device.

The IBM technology is based on end-to-end encryption between the smartcard and the server using the National Institute of Standards & Technology (NIST) AES (Advanced Encryption Standard) scheme. Current technologies on the market require users to carry an additional device, such as a random password generator, which is less convenient and in some instances less secure.

The technology, which is available today for any NFC-enabled Android 4.0 device, is based on IBM Worklight, a mobile application platform that is part of the IBM MobileFirst portfolio. Future updates will include additional NFC-enabled devices based on market trends.