Android users can ditch their passwords and instead wave a contactless smart card over their phone or tablet to securely log in to apps and access encrypted data.
A London-based startup has launched a system that uses a contactless smart card as a key to secure NFC-enabled Android devices.
Hoverkey can be used to automatically enter a complex password into a mobile login screen by touching a card to the device rather than typing it in. This, the company says, means that IT departments can mandate strong passwords to protect enterprise apps and data without meeting the usual user resistance.
The solution comprises a contactless card that establishes a mutually authenticated secure channel via NFC with a Hoverkey app running on the Android device. On first use the user’s credentials are registered with the Hoverkey app, then transmitted over the secure channel to a Java Card applet running on the card, where they are encrypted. The resulting encrypted object is returned to the app for storage.
On subsequent uses when the card is tapped against the device the encrypted object is passed to the card, which then verifies its integrity and decrypts it before returning plaintext credentials over the secure channel to the app.
“Hoverkey is fast, authenticating in just a couple of seconds,” says the company. And, since it does not require a data connection, it continues to work even when devices are offline or outside wireless coverage areas.
The app and card combination can be used as a password store for third party mobile apps that have been Hoverkey-enabled, which involves integrating a Hoverkey Button user interface widget.
App developers can encrypt data stored on the device with keys derived from very complex passwords and let Hoverkey do the hard work of remembering and entering these passwords on behalf of the user.
Hoverkey is straightforward to integrate, says the company. “Most apps can support it within a few hours, making it a breeze for companies to really differentiate themselves in a crowded marketplace” adds Hoverkey’s Martin Alderson.
A developer kit containing two Hoverkey cards is available for £79/US$99 from the company’s website, along with a free SDK. Support for Windows Phone 8 is planned, with iOS devices getting Hoverkey “as soon as Apple integrate NFC hardware into their devices.”