Parasitic Authentication To Protect Your E-Wallet

T he electronic wallet (e-wallet) has received much attention lately. It promises to consolidate many of the personal items carried around by the modern individual: wallet, phone, pager, diary, and keys. In fact, Nokia's 9001 Communicator already combines the phone, pager, and diary into one unit. The question arises, however, of how to provide user authentication. Traditional protection mechanisms require users to enter a PIN or password every time they wish to perform a transaction. More sophisticated techniques include using a biometric device, such as a fingerprint scanner, which is integrated into the e-wallet. Both of these options, have disadvantages. Usability problems due to authentication are a significant barrier to the adoption of e-wallets. In this article, we present some novel uses of existing protocols whereby a concealable, wireless, and portable device can temporarily act as an authentica-tion proxy for the user. The e-wallet then becomes a parasite—feeding off the small device for required authentication and identification information. The traditional wallet provides four main functions for the user: It holds identification information such as a driver's license, facilitates two distinct payment systems (cash and credit), and acts as a repository for temporary tokens such as bus tickets. There is little doubt that cunningly engineered cryptographic protocols can efficiently perform these wallet type functions, but can they add value? Indeed, e-wallet and smart-card developers face a daunting hurdle in convincing consumers to adopt an electronic purse. From the consumer's point of view, the credit card is an extremely attractive payment mechanism. In most legal jurisdictions, the onus is on the merchant to prove that a disputed transaction was made, thus placing very little risk with the consumer. Cash is a highly reliable payment system that has worked for centuries. How can the e-wallet compete? The verification problem Users expect some mechanism to prevent a thief from using their e-wallet. 1 This has proven quite difficult to achieve. The most obvious solution requires the user to perform some kind of identification protocol with the e-wallet before each transaction. Traditionally, the user must divulge some secret such as a password or PIN. More recent innovations have used biometrics. Neither passwords nor PINs are an ideal solution: Not only are they a weak authentication measure, they are also frequently misused. 2,3 For example, banks sometimes tell their users to use a word as their PIN since an ATM keypad has letters associated with the …