RFID Factor Authentication Application. For Trusted Identities in Cyberspace


Jing-Chiou Liou (1), Gregory Egan (2), Jay K. Patel (3) and Sujith Bhashyam (4)

(1) Department of Computer Science, Kean University (USA)
(2) Department of Computer Science, Kean University (USA)
(3) Department of Computer Science, Kean University (USA)
(4) Department of Computer Science, George Washington University (USA)

ABSTRACT

There are over 2.2 billion Internet users around the world as of December , according to the Internet World Stats (IWS) [1]. Online service is an important driving force behind many of today's Web 2.0 and cloud computing applications. For security and privacy reasons, authentication is used by all online services that involve online transactions and restricted information access. Authentication is the process of verifying a user's credentials when they are requesting services from any secure system. The most common form of authentication is single-factor authentication, which requires only one factor for the user to log into the system. In this case, the username and password together act as a single factor. A more secure technique is multi-factor authentication, which requires more than one factor to gain access to a particular system. As the currently available multi-factor authentication methods mature, hostile actions have been observed against some of them. In this paper, we propose an RFID Factor Authentication Application (RFAA), an enhancement of SofToken [2] that acts as an improved technique for two-factor authentication. The RFAA not only sustains the next level of security but also is proven to prevent most security breaches. This RFID enhancement on SofToken is designed especially for computer system access using two-factor authentication to improve the security measure.
Keywords: Encryption, Multi Factor Authentication, Radio Frequency Identification

1- INTRODUCTION

Throughout the decades, computers have emerged and changed everything around the world. As the IBM PC celebrates its 30th birthday, it is becoming absolutely necessary to use computing technology in our daily lives. Today, any information can reach any part of the world at any time, wherever computers and the Internet are available. In today's society, Information Technology (IT) and the Internet play considerable roles in the daily lives of people around the world. In this information technology age, computers have changed the way we live, as they are not only capable of sharing information but also provide portability and services over the Internet anytime and anywhere. Computers take communication beyond the definition of communication. With the use of computers, anybody can communicate immediately with anyone around the world. There are over 2 billion Internet users around the world as of March 2011, according to the Internet World Stats (IWS) [1]. Through technological advancement, information is currently shared and accessed over millions of servers without boundaries.

All these conveniences brought by the advancement of Information Technology come with a cost: information security. As the Internet plays a critical role in modern society, cyber crime costs the British economy some 27 billion pounds ($43.5 billion) a year and appears to be "endemic," according to the first official government estimate of the issue published in February, 2011 [3]. To increase security and prevent confidential information and restricted applications from falling into the wrong hands, a user's identity must be confirmed before any online transaction can occur. An online user identity is usually established with certain measures for access control and user authentication.

To boost cybersecurity, the National Strategy for Trusted Identities in Cyberspace (NSTIC), proposed by the White House in April 2011, calls for the creation of secure and reliable online credentials that would be available to consumers who want to use them [4]. Later, in May 2011, the White House also proposed that it would give the Department of Homeland Security the authority to work with industry to come up with ways to secure their computer systems and protect against cyber threats [5].

Authentication is the process of verifying a user's credentials when they are requesting services from any secure system. A simple authentication only involves a username and password, and this can be easily deciphered. Adding a strong factor will reduce the chances of the user's identification being hacked. For the second factor, we will use Radio Frequency Identification (RFID) to provide the user with a personalized factor of authentication to access a secure server or website. Users will be asked for a username/password along with an extra code word for verification before gaining access. The RFAA method is a server/client procedure that allows for secure login into a server and permits the client to perform secure transactions.

In this paper, we will discuss in Section 2 the single-factor authentication, the two-factor authentication and other authentication methods that are available today. In Section 3, we will review RFID technology and propose RFAA for two-factor authentication.
The Blowfish encryption and decryption algorithm will also be discussed. We then compare the security measures with other authentication techniques in Section 4. Finally, in Section 5, we conclude our discussion and consider possible future work.

2- BACKGROUND

Information stored in many IT systems is usually confidential. Access to such information is restricted and requires some security verification of the valid user and the user's privileges. Authentication is the process of verifying users' identities when they are requesting services from any secure system. During the authentication process, several validation factors may be needed for verification of the client's identity. An authentication factor is a portion of information that is given by the client and used to verify the identity of the client who is applying for access under certain security constraints. The authentication factor is usually one of three techniques: proof by knowledge (e.g., username/password), proof by possession (smartcard or token), or proof by property (fingerprint scan).

2-1 Single-Factor Authentication

Single-factor authentication (S-FA) relies on only one factor. The most common method in S-FA is a username/password pair or a PIN. In the security lexicon this is referred to as the what-you-know factor. Although still widely used by most merchants and financial institutions due to the lack of a low-cost alternative, authentication based solely on passwords has been considered a weak technique, especially when used for valuable online transactions.

Security concerns for S-FA are not only prevalent, but also apparent in today's society, especially when a large amount of the user's data is located on a server or an online website. Secure passwords are often difficult to remember, and people have multiple passwords and usernames to remember. Passwords that are easy to remember, in turn, readily fall to various forms of software attacks.
In a study by a data security firm [6] that analyzed 32 million passwords exposed in the Rockyou.com breach in December 2009, the top five most common passwords among those 32 million users are: , 12345, , Password, and iloveyou. Even with secure passwords, phishing and spoofing attacks may use a site that looks like a legitimate one to trick the user into supplying the password. As a matter of fact, news on October 8, 2009 reported that a phishing scheme almost caught the FBI Chief [7].

In addition, people usually don't change their passwords frequently. It was reported, in some cases, that less than 25% of people change their password monthly and some 34% in a survey said they never change their passwords [8]. Therefore, a keystroke logger can be installed physically [9] or in the form of software to catch passwords entered manually on a login screen. As there are many passwords to remember, many people keep a file, a form of book-keeping, which includes their passwords, on their computer. Hackers who are able to reach that file can obtain all of the person's username/password information.

One improvement in S-FA is to use a password management utility. Password management is achieved by using various password valet applications, such as RoboForm [10] and KeePass [11], which store user passwords and can automatically enter the required fields in a web form. The software typically has a local database or files that hold the encrypted password data. Many password managers also work as form fillers, so they fill the user and password data automatically into forms. Moreover, the data is still kept on the host computer or device and can potentially be stolen through browser exploits, Trojan horses, etc. The data is still vulnerable to spoofing and phishing attacks. Finally, if the password manager is corrupted, all passwords would be lost unless there is a backup process, which adds another security issue.

2-2 Two-Factor Authentication

Two-factor authentication requires an extra factor in addition to the username/password. Using two factors as opposed to one factor generally achieves a higher level of authentication assurance. The FFIEC issued supplemental guidance on this subject in August 2006 [12], "By definition true multifactor authentication requires the use of solutions from two or more of the three categories of factors. Using multiple solutions from the same category... would not constitute multifactor authentication."
Generally, this second factor takes the form of a physical security token or smart card that the user has in his/her possession. In this case, some applications may also use a mobile phone or other personal devices. One example is the ATM card issued by any bank. One authentication factor is the physical ATM card that the customer slides into the machine. The second factor is the PIN the customer enters. Without both, authentication cannot take place.

Another application of the second factor may be a biological factor, such as a fingerprint scan. This is referred to as the what-you-are factor. Use of this technique requires special hardware to scan the input data, and thus has a higher complexity and cost in deployment.

To improve security, the information in the what you are factor should be changed as time progresses. Hence, the information would no longer be valid if it is stolen and re-used. This use-once-only password is known as a One Time Password (OTP).

2-2-1 Smart Card

The smart card [13] is a successor of the magnetic card that is widely used in credit cards, debit cards, ATM cards and ID badges. The number on the smart card changes each time (hence it is an OTP), so that number cannot be re-used as long as all processing is authenticated. Smart cards are about the same size as a credit card and require a special reader. The downside is that the smart card is not a small device and the card reader is an extra expense. Moreover, the smart card and the reader also require a special middleware application due to the mismatch between smart card communication standards [14] and the communication protocols [15] used by mainstream PC applications.

The deployment complexity and cost have limited its application to government or enterprise environments, where the cards sometimes perform the functions of both a proximity card and network authentication.
Users can authenticate into the building via proximity detection and then insert the card into their PC to produce network logon credentials. The cards can also serve as ID badges.

2-2-2 Biometrics

Users may biometrically authenticate via their fingerprint, voiceprint, or iris scan using provided hardware and then enter a PIN or password. For many biometric identifiers, the actual biometric information is rendered into string or mathematical information.

The device scans the physical characteristic, extracts critical information, and then stores the result as a string of data. Comparison is therefore made between two data strings, and if there is sufficient commonality a pass is achieved.

One problem that is apparent with biometrics is that if a large number of users are being authenticated at the same time, the technique may become unacceptably slow and comparatively expensive. It is also an easy target for a replay attack. Once the biometric information is compromised (for example, a fingerprint is copied from something the user had held), it may easily be replayed unless the reader is completely secure and guarded.

2-2-3 Security Token

Security tokens, also called OTP tokens, have an LCD screen that displays a fixed number of alphanumeric characters. The OTP tokens are mainly based on two types of algorithms: time-synchronized and event-based. A time-synchronized algorithm produces a pseudo-random number with a built-in pseudo-random number generator. The pseudo-random number changes at pre-determined intervals, usually every 60 seconds. An event-based algorithm, such as that proposed by the Open Authentication (OATH) consortium [16], uses a user event, such as the user pushing a button on the token.

Some devices, such as RSA SecurID [17] as shown in Fig. 1 (a) and VeriSign [18] as shown in Fig. 1 (b), display a 6-digit pseudo-random number and require the server to be periodically resynchronized with the token. Taking portability into account, these security tokens must use materials that are small and consume less power. Still, these tokens need to be replaced every few years when the battery is dead. In addition, once the token is lost, the time and cost of replacement can frustrate users, who cannot access their data in the meantime.
Finally, security tokens do not prevent Man-in-the-Middle (MitM) attacks against online transactions, and they cannot defend against malicious users who could use the legitimate user's credentials to authorize an illegitimate operation, as explained in [19]. The recent security breach of the RSA SecurID token [20] shows that the technique has been a target of attacks with a significant impact on the security of online transactions and services.

Fig. 1 (a) RSA SecurID token as in key fob (b) VeriSign security token

2-2-4 Virtual Token

Virtual tokens are a comparably new concept in multi-factor authentication, first introduced in 2005 by a security company, Sestus [21]. A virtual token enables any portable storage device to work as an authentication token: a protected file stored on the device is used for authentication. Virtual tokens reduce the costs normally associated with implementation and maintenance of multi-factor solutions by utilizing the user's existing portable storage device. Since the user's portable storage device communicates directly with the authenticating website, the solution claims not to suffer from man-in-the-middle attacks and other forms of online fraud.

2-2-5 Software Token

There are two primary architectures for software tokens: shared secret and public-key cryptography. The shared secret architecture is considered more vulnerable than the hardware token. The configuration file can be compromised if it is stolen and the token is copied. The generation of the token code is not triggered by the server, but takes place on the client's device(s). The user enters the PIN into the installed application, and the client software generates the tokencode.

The major concern with such time-based software tokens is that it is possible to borrow an individual's cell phone or laptop, set the clock forward, and generate token codes that will be valid in the future. In addition, anyone who provides the PIN correctly can retrieve the tokencode and use it for two-factor authentication on a web server from any cloned device, such as a SIM card in a cell phone, or a USB device installed with such an application.

Fig. 2 RSA (a) SecurID Software Token (b) Software Token 1.1 for iPhone Devices

As an example shown in Fig. 2, RSA SecurID software tokens [22] basically support the same algorithms as the RSA SecurID hardware authenticators. Therefore, like the hardware token, the software token produces a 6- or 8-digit number, called a tokencode, and displays the next tokencode every 30 or 60 seconds. For online transaction services, it requires, in addition to a web server, RSA Authentication Manager for token provisioning.

2-3 SofToken Technique

SofToken was first introduced in 2010 by Liou and Bhashyam [2]. SofToken, rooted in the software token, sends not just a pseudo-random number (an OTP), but also the encrypted key to the server for authentication. The technique significantly improves the feasibility and deployment cost of two-factor authentication.

Fig. 3 SofToken Codeword Generation after Successful Validation of First-Factor

The logon application will provide the user with the codeword as shown in Fig. 3. The user is now able to enter the codeword as the second-factor authentication. The codeword will be verified again by the server. If the codeword is correct, the server will grant access to the database; otherwise it will close the connection. SofToken acts as second-factor authentication. Moreover, since the codeword is triggered by the request of the server, supplying the first factor to the server will only generate the codeword from the computer that has the pseudo-random number generator installed. This means that the user's computer is registered to the server. After every successful authentication, a new encrypted public key will be sent to the user's computer as the next seed of pseudo-random number generation. Therefore, another user of the service provider will not be able to hijack another user's username and password to gain access to the server, because the codeword generated would be different on different computers.

3- RFID FACTOR AUTHENTICATION APPLICATION (RFAA)

RFAA is an enhancement of SofToken. RFAA will require a hardware specification that will be used for second-factor authentication.

3-1 Radio Frequency Identification Technology

RFID has been widely used in many technological applications today, as it is both inexpensive and small enough to fit anywhere. Recently, the US government announced an ongoing process to integrate RFID into Green Cards and US passports [23, 24]. Fig. 4 illustrates an example of an RFID reader and tags.

The main concept of RFID is to retrieve the information stored in the tokens using radio signals. RFID tags communicate with an electronic reader equipped with one or more antennas, which emits radio waves and receives signals back from the tag that contains pre-stored information. The electronic reader then passes the information in digital form to the computer system.
There are three types of RFID tokens: active tokens, passive tokens, and battery-assisted passive tokens. Active tokens contain a small battery and transmit signals. Passive tokens do not contain a battery and need an external source to fetch the signals. Battery-assisted passive tokens require an external source to activate them in order to achieve a high range. Since RFID tokens are small by nature, they are cost effective to build and distribute to different users. As the RFID tokens can be produced on a mass scale by the service provider, the cost to the user would be very low and the tokens can be replaced easily if ever lost or stolen.

Fig. 4 RFID Reader & Tags

Currently, RFID readers and tokens are being used for a variety of tasks ranging from tracking merchandise in a warehouse to storing personal information in an official document such as a passport. With many RFID applications in the market, such as RFID tokens in passports and identification badges, protecting the information on those tags has become an important issue. As a result, many institutions are developing a variety of methods that might increase the security of RFID tokens. The use of the Blowfish algorithm in conjunction with the RFID reader and tokens would increase the number of options for businesses, schools, and governments in order to make communication safer between the client and server.

3-2 RFAA Process

One alternative for computer system access in SofToken [2] enabled systems is to use RFID technology as the physical device to store the encrypted key. It simply feeds the password into the computer for authentication. The RFID reader and its respective tokens will act as two-factor authentication. Once a user scans an RFID tag, the code word goes through the encryption method, which enciphers the code word and sends it to the server; the server then decrypts the ciphertext back into the original code word to verify it. We will use the Blowfish algorithm to tighten the security of encrypting the code word.

Using RFID for authentication is not new in technology development. One way of securing the information stored on RFID tokens is to encrypt the data stored on the token. Another method, as mentioned earlier, is to use an application with an algorithm that encrypts the data being sent from the client computer to the server when conducting online transactions. As one option for two-factor authentication, the RFID tokens and reader combined with the Blowfish algorithm encrypt the data that is being sent from the client to the server.

We propose the RFAA technique as a more secure form of authentication. RFAA offers an appealing ability to sustain security measures. In the RFAA process, RFID passive tokens are used as the second form of authentication. Every RFID token stores preformatted information to enhance security. In RFAA, the RFID Token ID is encrypted using the Blowfish Algorithm.

RFAA Binding Process

When requesting a new user account, the user will receive an RFID token and install the client application software onto the user's computer(s).
The user will also receive a unique activation key, to be used along with entering the username/password and scanning the RFID token, to activate the new user account, as the user's computer is not yet registered as the default computer. After the completion of the registration process, the user can log in to the system by only entering the username/password and scanning the provided RFID token. This activation key will also be used to enhance portability by allowing a user to access the server from non-default computers. As shown in Fig. 5, the user will be prompted to enter their activation key upon putting a check mark on This is not my default PC. A one-time-use temporary activation key will be ed to the user's designated address.

Fig. 5 RFAA Login Screen

Each registered has its own activation code. In the case that a user's id and password are stolen, the attacker will not be able to use the same or any other RFID tag as the second factor for authentication due to the binding process. If the attacker's computer cannot supply the activation code associated with the computer registered by the true owner, the binding process will fail. Hence, the stolen user's id, password and even the RFID tag cannot perform the authentication unless the binding process is invoked.

3-3 RFAA Encryption Algorithm

The Blowfish algorithm, designed by Bruce Schneier [25], is a symmetric cryptographic block cipher that uses 64-bit blocks, and the key can be any length up to 448 bits. The Blowfish algorithm is proven to be faster than DES and IDEA, which makes it one of the fastest block ciphers. The implementation of Blowfish only requires about 5kB of memory, which is insignificant compared to the RAM installed on a computer today.

Blowfish encryption provides even stronger security to the proposed RFAA technique. Fig. 3 shows how the Blowfish encryption is being used. In the RFAA implementation, RFID tokens contain a ten-character-long codeword, which is exactly 80 bits for the whole string. Encryption will be applied twice for the 80 bits, since Blowfish only allows 64 bits per encryption.

As shown in Fig. 4, encryption will divide the 80-bit codeword into two 40-bit datawords. It will pad 40 bits to 64 bits during encryption, and the same procedure takes place for the other 40 bits. Encryption will then divide the 64-bit block into 32-bit halves, since each line represents 32 bits. The algorithm keeps two subkey arrays: an eighteen-entry P-array of 32-bit subkeys and four S-arrays of 32-bit entries. As they are all generated by a pseudo-random generator, the result is extremely hard to decrypt. Blowfish will create a secret key to encrypt the message, and the RFAA application will then pass the same key to the server to decrypt the ciphertext.

As shown in Fig. 6, the left 32 bits are XORed with the first number of the P-array to create a new value of the P-array, known as P; after that it runs through a function called F, and is then XORed with the right 32 bits of the string to produce a new value of F, known as F.

Fig. 6 The RFAA Encryption Flow Chart

The process of function F is shown in Fig. 7.
F will replace the left half of the string and P will replace the right half, and the process will then be repeated fifteen more times. Near the end, P and F are XORed with the last two numbers in the P-array, and then joined to create the 64-bit block. Encryption will run again for the rest of the string to produce another 64-bit code. At the end, the results of both encryptions are recombined to produce the 128-bit encrypted ciphertext. Users will be prompted to scan RFID tokens during the authentication session. Encryption will then be invoked every time the user scans the RFID tokens.

RFAA provides the same security measure for the server as well as the client. Decryption is as important a part of the authentication as encryption. When users try to access any system, they will be prompted to use RFID tokens to authenticate themselves. When a user scans RFID tokens, the username/password, codeword, and a secret key will be passed to the server. With this secret key, the server will be able to decrypt the codeword. The codeword will be an OTP just like the secret key. Decryption works exactly the opposite way of encryption. The decryption process in the Blowfish Algorithm achieves the same measure of security as the encryption process. Without the secret key, the server will not be able to decipher anything.

Fig. 6 The Process of Function F

4 COMPARISON OF CURRENT AUTHENTICATION TECHNIQUES

Table 1: Comparison of Single-Factor and Two-Factor Authentication Techniques

Performance            Username/password  Smart Card  Biometrics  Security Token  Virtual Token  Software Token  SofToken  RFAA
Hardware requirement   Low                High        High        Medium          Medium         Low             Low       Medium
Deployment complexity  Low                High        High        High            Medium         Low             Low       Low
Portability            High               Medium      High        Medium          Medium         Medium          Medium    Medium
Identity backup        High               Low         High        Low             Medium         High            High      High
Lost recovery          High               Low         High        Low             Medium         High            High      High
Replace cost           Low                High        Low         High            Medium         Low             Low       Medium
MitM prevention        Weak               Medium      Weak        Medium          Strong         Medium          Strong    Strong
Phishing prevention    Weak               Strong      Medium      Strong          Strong         Medium          Strong    Strong
Spoofing prevention    Weak               Strong      Medium      Strong          Strong         Medium          Strong    Strong
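The codeword handling that Section 3-3 describes (split the 80-bit codeword into two 40-bit halves, pad each to a 64-bit block, encrypt each block with Blowfish, recombine into 128 bits, and reverse the steps on the server) is shown below as an added example; it is not the authors' implementation. The zero-byte padding, the function names and the sample key and codeword are assumptions, since the paper does not specify them.

```python
"""Added illustration of the RFAA codeword layout; not the authors' code."""

MASK = 0xFFFFFFFF

def _arctan_inv(x, one):
    """Fixed-point arctan(1/x) from its Taylor series, scaled by `one`."""
    total = term = one // x
    n, sign = 1, -1
    while term:
        term //= x * x
        n += 2
        total += sign * (term // n)
        sign = -sign
    return total

def _pi_words(count):
    """First `count` 32-bit words of the fractional part of pi (Machin's formula)."""
    guard = 64
    one = 1 << (32 * count + guard)
    pi = 4 * (4 * _arctan_inv(5, one) - _arctan_inv(239, one))
    frac = (pi - 3 * one) >> guard
    return [(frac >> (32 * (count - 1 - i))) & MASK for i in range(count)]

# Blowfish's initial P-array (18 words) and four S-boxes (256 words each)
# are the hexadecimal digits of pi, so they are computed instead of pasted in.
_PI = _pi_words(18 + 4 * 256)

class Blowfish:
    def __init__(self, key: bytes):
        if not 4 <= len(key) <= 56:  # 32 to 448 bits
            raise ValueError("Blowfish key must be 4..56 bytes")
        self.P = _PI[:18]
        self.S = [_PI[18 + 256 * i: 18 + 256 * (i + 1)] for i in range(4)]
        for i in range(18):  # XOR the key into the P-array, cycling its bytes
            word = bytes(key[(4 * i + j) % len(key)] for j in range(4))
            self.P[i] ^= int.from_bytes(word, "big")
        l = r = 0
        for table in [self.P] + self.S:  # replace every subkey with chained output
            for i in range(0, len(table), 2):
                l, r = self._rounds(l, r, self.P)
                table[i], table[i + 1] = l, r

    def _f(self, x):
        s = self.S
        h = (s[0][x >> 24] + s[1][(x >> 16) & 0xFF]) & MASK
        return ((h ^ s[2][(x >> 8) & 0xFF]) + s[3][x & 0xFF]) & MASK

    def _rounds(self, l, r, p):
        for i in range(16):  # sixteen Feistel rounds
            l ^= p[i]
            r ^= self._f(l)
            l, r = r, l
        l, r = r, l  # undo the final swap
        return l ^ p[17], r ^ p[16]

    def crypt_block(self, block: bytes, decrypt: bool = False) -> bytes:
        """Encrypt or decrypt one 64-bit block; decryption reverses the P-array."""
        l, r = int.from_bytes(block[:4], "big"), int.from_bytes(block[4:], "big")
        l, r = self._rounds(l, r, self.P[::-1] if decrypt else self.P)
        return l.to_bytes(4, "big") + r.to_bytes(4, "big")

PAD = bytes(3)  # assumption: each 40-bit half is zero-padded to 64 bits

def rfaa_encrypt(codeword: bytes, key: bytes) -> bytes:
    """Client side: 80-bit codeword -> two padded 64-bit blocks -> 128-bit ciphertext."""
    if len(codeword) != 10:
        raise ValueError("codeword must be exactly 10 characters (80 bits)")
    bf = Blowfish(key)
    return b"".join(bf.crypt_block(half + PAD) for half in (codeword[:5], codeword[5:]))

def rfaa_decrypt(ciphertext: bytes, key: bytes) -> bytes:
    """Server side: decrypt both blocks, check the padding, rebuild the codeword."""
    if len(ciphertext) != 16:
        raise ValueError("ciphertext must be 128 bits")
    bf = Blowfish(key)
    blocks = [bf.crypt_block(ciphertext[i:i + 8], decrypt=True) for i in (0, 8)]
    if any(b[5:] != PAD for b in blocks):
        raise ValueError("padding check failed: wrong key or altered ciphertext")
    return blocks[0][:5] + blocks[1][:5]

if __name__ == "__main__":
    key = b"constructed-one-time-key"  # constructed sample values
    ct = rfaa_encrypt(b"A1B2C3D4E5", key)
    print(ct.hex(), rfaa_decrypt(ct, key))
```

Each half is encrypted as an independent block, so two equal halves under the same key give equal ciphertext blocks; the layout therefore depends on the secret key changing with every login, as the section describes.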

Each technique used for two-factor authentication addresses certain security issues while bringing some feasibility issues and other security concerns. In this section, we compare most current two-factor authentication techniques to identify their strengths and weaknesses. Each technique used for two-factor authentication involves certain security issues. Table 1 compares the single-factor and two-factor techniques mentioned in this paper with RFAA in six feasibility and three security measures. Those best in the class are highlighted in bold and are in italic font.

4-1 Feasibility Measures

There are six feasibility measures that can be categorized into two groups: cost and deployment. Each of these six measures may appear in both categories based on their specific requirements.

Hardware requirement: This measure identifies the hardware cost for both the server and the users. Single-factor authentication, of course, has the lowest hardware requirement. The RFAA technique requires an RFID reader and token on the client side. Among the two-factor techniques, only the software token and SofToken achieve a low requirement, whereas the RFAA technique achieves a medium requirement due to the RFID reader and tokens that will be needed by different user devices to authenticate the user.

Deployment Complexity: This measure indicates how difficult it is to deploy the technique. In this measure, again, single-factor achieves low complexity. Most of the two-factor techniques have high complexity except virtual token, SofToken and RFAA, which achieve low complexity due to the straightforward process of deploying the required hardware and software.

Portability: This measure indicates how easy it is for users to use the particular product. In this measure, the single-factor techniques score high portability; however, they fail to protect the user's credentials because they are highly susceptible to attacks.
All the techniques that require the second factor, except for biometrics, only reach medium portability, since the user must carry multiple devices for authentication. RFAA, for instance, requires the user to carry the reader and tokens to connect to other devices for two-factor authentication.

Identity backup: This measure shows how difficult it is to recover the identity if it is stolen or lost. As appears in Table 1, the non-OTP single factor, biometrics, software token, SofToken and RFAA score high on identity backup. RFAA scores high on identity backup since the user can easily set up a new account and register RFID tokens to the account without worrying about the old credentials. Moreover, the user can register with new RFID tokens and credentials without worrying about any security breach of their account.

Lost Recovery: This is about the loss of the second authentication form. Among the two-factor techniques, only biometrics, software token, SofToken and RFAA score high in this measure. RFAA scores high in this category because users can replace the RFID token and easily register the new tokens with the server if they ever lose their tokens or if the tokens are stolen.

Replacement cost: This measures the cost of replacing a damaged or lost device that is used for the authentication process. Some techniques will score low since there is no additional device needed to perform two-factor authentication. SofToken, biometrics and software token will also score low since they rely on applications installed on the client's PC. On the other hand, RFAA scores medium in this category since it requires little cost to replace the RFID reader and tokens.

4-2 Security Measures

We will compare the three security measures for different authentication techniques. These will demonstrate that we should not use single-factor authentication, as it performs the worst in each of these measures.
MitM prevention: Single factor techniques are more vulnerable to this type of attack. However, Virtual Token, SofToken and RFAA provide better security prevention than any other techniques for MitM prevention.

Phishing Prevention: Most of the OTP techniques perform strongly in this measure. Software token achieves only medium because the second factor is not triggered by the server and it displays the next token code every second. Although the biometrics technique may also use special logon software for the second factor, the biometric information may be caught and decrypted. RFAA scored strong in this category due to its ability to prevent third parties from accessing the user's credentials.

Spoofing Prevention: The single factor does not score high in this measure because it is incapable of protecting the user's identity from unauthorized parties. RFAA, along with many other two-factor techniques, scored strong in this category due to providing extra factors of protection and their ability to prevent unauthorized access to the user's account.

5 CONCLUSION

By far, the most popular authentication technique is the basic username/password method, which is commonly considered to be a weak technique of authentication. A more secure method is multi-factor authentication, which verifies not only the username/password pair, but also requires a second or third unique physical or biological factor. The feasibility of multi-factor authentication is inhibited by its deployment intricacy, and also by the cost of building, maintaining, and re-deploying the hardware it needs.

Internet online transactions require a more feasible and secure means of authentication. Toward that end, in this paper, we proposed the RFAA technique, an RFID application in two-factor authentication for more secure identification. SofToken is the preceding technique of RFAA; RFAA can be used for both online transactions and computer system access, as opposed to the SofToken application, which primarily addresses online transaction security.
The comparison between RFAA and the other techniques indicates that the RFAA scores highly in many categories due not only to its characteristics, but also its ability to maintain a higher level of security for the users.

REFERENCES

[1] Internet World Stats
[2] J.-C. Liou and S. Bhashyam, On Improving Feasibility and Security Measures of Online Authentication, IJACT: International Journal of Advancements in Computing Technology, Vol. 2, No. 4, pp. 6 ~ 16,
[3] The cost of cyber crime
[4] The White House on National Strategy for Trusted Identities in Cyberspace
[5] The White House proposal on cybersecurity
[6] Imperva Releases Detailed Analysis of 32 Million Breached Consumer Passwords ion_passwords.html
[7] Inside tech news October 8, Retrieved on 1/21/
[8] S. Furnell. Computer Insecurity: Risking the System, pp. 54-56, Springer, London, UK, 2005.
[9] Spy keylogger
[10] Roboform official site
[11] Keepass official site
[12] FFIEC press release
[13] T.M. Jurgensen and S.B. Guthery, Smart Cards, Pearson Education, Inc.,
[14] ISO/IEC :1997 Information technology Identification cards Integrated circuit(s) cards with contacts Part 3: Electronic signals and transmission protocols, International Organization for Standards;
[15] Postel, J. Internet Protocol, RFC 791, and Transmission Control Protocol, RFC 793 September 1981
[16] Open Authentication Consortium supports event based, and even time based OTP algorithms,
[17] RSA security
[18] VeriSign
[19] SC Magazine, Web Application Security in Un-trusted Client Scenarios,
[20] RSA SecurID breach shows why everybody must stay vigilant, eweek, March 20, Vigilant /
[21] Virtual Token multi-factor authentication
[22] RSA SecurID software token and
[23] RFID News Organization
[24] PCWORD,
[25] Bruce Schneier


More information

Enova X-Wall LX Frequently Asked Questions

Enova X-Wall LX Frequently Asked Questions Enova X-Wall LX Frequently Asked Questions Q: What is X-Wall LX? A: X-Wall LX is the third generation of Enova real-time hard drive cryptographic gateway ASIC (Application Specific Integrated Circuit)

More information

Single Sign-On for the Internet: A Security Story. Eugene Tsyrklevich eugene@tsyrklevich.name Vlad Tsyrklevich vlad902@gmail.com

Single Sign-On for the Internet: A Security Story. Eugene Tsyrklevich eugene@tsyrklevich.name Vlad Tsyrklevich vlad902@gmail.com Single Sign-On for the Internet: A Security Story Eugene Tsyrklevich eugene@tsyrklevich.name Vlad Tsyrklevich vlad902@gmail.com BlackHat USA, Las Vegas 2007 Introduction With the explosion of Web 2.0 technology,

More information

AUTHENTIFIERS. Authentify Authentication Factors for Constructing Flexible Multi-Factor Authentication Processes

AUTHENTIFIERS. Authentify Authentication Factors for Constructing Flexible Multi-Factor Authentication Processes AUTHENTIFIERS Authentify Authentication Factors for Constructing Flexible Multi-Factor Authentication Processes Authentify delivers intuitive and consistent authentication technology for use with smartphones,

More information

Two Factor Authentication for VPN Access

Two Factor Authentication for VPN Access Trends in cloud computing, workforce mobility, and BYOD policies have introduced serious new vulnerabilities for enterprise networks. Every few weeks, we learn about a new instance of compromised security.

More information

3M Cogent, Inc. White Paper. Beyond. Wiegand: Access Control. in the 21st Century. a 3M Company

3M Cogent, Inc. White Paper. Beyond. Wiegand: Access Control. in the 21st Century. a 3M Company 3M Cogent, Inc. White Paper Beyond Wiegand: Access Control in the 21st Century a 3M Company Unprecedented security features & capabilities Why Wiegand? The Problem with Wiegand In 1970, John Wiegand invented

More information

Modern two-factor authentication: Easy. Affordable. Secure.

Modern two-factor authentication: Easy. Affordable. Secure. Modern two-factor authentication: Easy. Affordable. Secure. www.duosecurity.com Your systems and users are under attack like never before The last few years have seen an unprecedented number of attacks

More information

Digital identity: Toward more convenient, more secure online authentication

Digital identity: Toward more convenient, more secure online authentication Digital identity: Toward more convenient, more secure online authentication For more than four decades, the familiar username/password method has been the basis for authentication when accessing computer-based

More information

Complying with PCI Data Security

Complying with PCI Data Security Complying with PCI Data Security Solution BRIEF Retailers, financial institutions, data processors, and any other vendors that manage credit card holder data today must adhere to strict policies for ensuring

More information

The Convergence of IT Security and Physical Access Control

The Convergence of IT Security and Physical Access Control The Convergence of IT Security and Physical Access Control Using a Single Credential to Secure Access to IT and Physical Resources Executive Summary Organizations are increasingly adopting a model in which

More information

A Security Survey of Strong Authentication Technologies

A Security Survey of Strong Authentication Technologies A Security Survey of Strong Authentication Technologies WHITEPAPER Contents Introduction... 1 Authentication Methods... 2 Classes of Attacks on Authentication Mechanisms... 5 Security Analysis of Authentication

More information

RFID based Bill Generation and Payment through Mobile

RFID based Bill Generation and Payment through Mobile RFID based Bill Generation and Payment through Mobile 1 Swati R.Zope, 2 Prof. Maruti Limkar 1 EXTC Department, Mumbai University Terna college of Engineering,India Abstract Emerging electronic commerce

More information

Two Factor Zero Knowledge Proof Authentication System

Two Factor Zero Knowledge Proof Authentication System Two Factor Zero Knowledge Proof Authentication System Quan Nguyen Mikhail Rudoy Arjun Srinivasan 6.857 Spring 2014 Project Abstract It is often necessary to log onto a website or other system from an untrusted

More information

Building Secure Multi-Factor Authentication

Building Secure Multi-Factor Authentication Building Secure Multi-Factor Authentication Three best practices for engineering and product leaders Okta Inc. I 301 Brannan Street, Suite 300 I San Francisco CA, 94107 info@okta.com I 1-888-722-7871 Introduction

More information