{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,10,12]],"date-time":"2025-10-12T04:13:31Z","timestamp":1760242411168,"version":"build-2065373602"},"reference-count":25,"publisher":"MDPI AG","issue":"3","license":[{"start":{"date-parts":[[2017,7,6]],"date-time":"2017-07-06T00:00:00Z","timestamp":1499299200000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0\/"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["Information"],"abstract":"<jats:p>Traditional authentication methods (e.g., password, PIN) often do not scale well to the context of mobile devices in terms of security and usability. However, the adoption of Near Field Communication (NFC) on a broad range of smartphones enables the use of NFC-enabled tokens as an additional authentication factor. This additional factor can help to improve the security, as well as usability of mobile apps. In this paper, we evaluate the use of different types of existing NFC tags as tokens for establishing authenticated secure sessions between smartphone apps and web services. Based on this evaluation, we present two concepts for a user-friendly secure authentication mechanism for mobile apps, the Protecting Touch (PT) architectures. These two architectures are designed to be implemented with either end of the spectrum of inexpensive and widely-available NFC tags while maintaining a reasonable trade-off between security, availability and cost.<\/jats:p>","DOI":"10.3390\/info8030081","type":"journal-article","created":{"date-parts":[[2017,7,6]],"date-time":"2017-07-06T10:55:45Z","timestamp":1499338545000},"page":"81","update-policy":"https:\/\/doi.org\/10.3390\/mdpi_crossmark_policy","source":"Crossref","is-referenced-by-count":1,"title":["Protecting Touch: Authenticated App-To-Server Channels for Mobile Devices Using NFC Tags"],"prefix":"10.3390","volume":"8","author":[{"given":"Fernando","family":"Carvalho Ota","sequence":"first","affiliation":[{"name":"Banco do Brasil S.A., 70790-125 Bras\u00edlia, Brazil"}]},{"given":"Michael","family":"Roland","sequence":"additional","affiliation":[{"name":"University of Applied Sciences Upper Austria, 4232 Hagenberg, Austria"}]},{"given":"Michael","family":"H\u00f6lzl","sequence":"additional","affiliation":[{"name":"Institute of Networks and Security, Johannes Kepler University Linz, 4040 Linz, Austria"}]},{"given":"Ren\u00e9","family":"Mayrhofer","sequence":"additional","affiliation":[{"name":"Institute of Networks and Security, Johannes Kepler University Linz, 4040 Linz, Austria"}]},{"given":"Aleardo","family":"Manacero","sequence":"additional","affiliation":[{"name":"Department of Computer Science and Statistics, S\u00e3o Paulo State University\u2014UNESP, 15054-000 S\u00e3o Jos\u00e9 do Rio Preto, Brazil"}]}],"member":"1968","published-online":{"date-parts":[[2017,7,6]]},"reference":[{"key":"ref_1","doi-asserted-by":"crossref","first-page":"25","DOI":"10.1109\/MSP.2004.81","article-title":"Password Memorability and Security: Empirical Results","volume":"2","author":"Yan","year":"2004","journal-title":"IEEE Secur. Priv."},{"key":"ref_2","doi-asserted-by":"crossref","unstructured":"Greene, K.K., Gallagher, M.A., Stanton, B.C., and Lee, P.Y. (2014). I Can\u2019t Type That! P@$$w0rd Entry on Mobile Devices. Human Aspects of Information Security, Privacy, and Trust (HAS 2014), Springer. LNCS.","DOI":"10.1007\/978-3-319-07620-1_15"},{"key":"ref_3","unstructured":"Schartner, P., and B\u00fcrger, S. (2011). Attacking mTAN-Applications Like e-Banking and Mobile Signatures, University of Klagenfurt. Available online: https:\/\/syssec.at\/Publikationen\/TR1101.pdf."},{"key":"ref_4","doi-asserted-by":"crossref","unstructured":"Konoth, R.K., van der Veen, V., and Bos, H. (9603). How Anywhere Computing Just Killed Your Phone-Based Two-Factor Authentication. Financial Cryptography and Data Security (FC 2016), Springer. LNCS.","DOI":"10.1007\/978-3-662-54970-4_24"},{"key":"ref_5","unstructured":"FIDO Alliance (2017, July 03). FIDO NFC Protocol Specification v1.0, 2015. Implementation Draft. Available online: https:\/\/fidoalliance.org\/specs\/fido-u2f-nfc-protocol-id-20150514.pdf."},{"key":"ref_6","unstructured":"FIDO Alliance (2017, July 03). Universal 2nd Factor (U2F) Overview. Available online: https:\/\/fidoalliance.org\/specs\/fido-u2f-overview-ps-20150514.pdf."},{"key":"ref_7","unstructured":"Yubico (2017, July 03). YubiKey NEO \u2013 Premium Strong Two-Factor Authentication for Secure Logins. Available online: https:\/\/www.yubico.com\/products\/yubikey-hardware\/yubikey-neo\/."},{"key":"ref_8","first-page":"91","article-title":"Authentication Systems Using ID Cards over NFC Links: The Spanish Experience Using DNIe","volume":"31","author":"Reina","year":"2013","journal-title":"Procedia Comput. Sci."},{"key":"ref_9","unstructured":"Horsch, M., Braun, J., and Wiesmaier, A. (2011). Mobile eID Application for the German Identity Card, TU Darmstadt. Available online: http:\/\/www.cdc.informatik.tudarmstadt.de\/reports\/TR\/Mobile_eID_app_for_the_German_ID_card.pdf."},{"key":"ref_10","unstructured":"WISeKey (2017, July 03). VaultIC150\/150D\/152. Available online: https:\/\/www.wisekey.com\/vaultic\/secure-solutions\/vaultic150-150d-152\/."},{"key":"ref_11","doi-asserted-by":"crossref","unstructured":"Urien, P. (2010, January 17\u201321). Introducing TLS-PSK authentication for EMV devices. Proceedings of the International Symposium on Collaborative Technologies and Systems (CTS 2010), Chicago, IL, USA.","DOI":"10.1109\/CTS.2010.5478489"},{"key":"ref_12","unstructured":"Elenkov, N. (2017, July 03). Dissecting Lollipop\u2019s Smart Lock. Available online: http:\/\/nelenkov.blogspot.com\/2014\/12\/dissecting-lollipops-smart-lock.html."},{"key":"ref_13","unstructured":"Duc, D.N., Lee, H., Konidala, D.M., and Kim, K. (2009, January 9\u201312). Open issues in RFID security. Proceedings of the International Conference for Internet Technology and Secured Transactions (ICITST 2009), London, UK."},{"key":"ref_14","unstructured":"NFC Forum (2017, July 03). Type 1 Tag Operation, ver. 1.2. Available online: http:\/\/nfc-forum.org\/our-work\/specifications-and-application-documents\/specifications\/tag-type-technical-specifications\/."},{"key":"ref_15","unstructured":"NFC Forum (2017, July 03). Type 2 Tag Operation, ver. 1.2. Available online: http:\/\/nfc-forum.org\/our-work\/specifications-and-application-documents\/specifications\/tag-type-technical-specifications\/."},{"key":"ref_16","unstructured":"NFC Forum (2017, July 03). Type 3 Tag Operation, ver. 1.2. Available online: http:\/\/nfc-forum.org\/our-work\/specifications-and-application-documents\/specifications\/tag-type-technical-specifications\/."},{"key":"ref_17","unstructured":"NFC Forum (2017, July 03). Type 4 Tag Operation, ver. 2.0. Available online: http:\/\/nfc-forum.org\/our-work\/specifications-and-application-documents\/specifications\/tag-type-technical-specifications\/."},{"key":"ref_18","unstructured":"NFC Forum (2017, July 03). Type 5 Tag Operation, ver. 1.0. Available online: http:\/\/nfc-forum.org\/our-work\/specifications-and-application-documents\/specifications\/nfc-forum-technical-specifications\/."},{"key":"ref_19","unstructured":"NFC Forum (2017, July 03). NFC Data Exchange Format (NDEF), ver. 1.0. Available online: http:\/\/nfc-forum.org\/our-work\/specifications-and-application-documents\/specifications\/data-exchange-format-technical-specification\/."},{"key":"ref_20","doi-asserted-by":"crossref","unstructured":"Murdoch, S.J., Drimer, S., Anderson, R., and Bond, M. (2010, January 16\u201319). Chip and PIN is Broken. Proceedings of the IEEE Symposium on Security and Privacy, Berkeley\/Oakland, CA, USA.","DOI":"10.1109\/SP.2010.33"},{"key":"ref_21","first-page":"155","article-title":"Leakage-Resilient Authenticated Key Establishment Protocols","volume":"Volume 2894","author":"Shin","year":"2003","journal-title":"Proceedings of the Advances in Cryptology (ASIACRYPT 2003), 9th International Conference on the Theory and Application of Cryptology and Information Security"},{"key":"ref_22","doi-asserted-by":"crossref","first-page":"139","DOI":"10.1080\/09720529.2009.10698224","article-title":"Provably secure key establishment protocol using one-way functions","volume":"12","author":"Sahaa","year":"2009","journal-title":"J. Discret. Math. Sci. Cryptogr."},{"key":"ref_23","unstructured":"M\u2019Raihi, D., Bellare, M., Hoornaert, F., Naccache, D., and Ranen, O. (2017, July 03). Available online: https:\/\/tools.ietf.org\/html\/rfc4226."},{"key":"ref_24","unstructured":"Wu, T. (, January March). The Secure Remote Password Protocol. Proceedings of the Network and Distributed System Security Symposium (NDSS 1998), San Diego, CA, USA. Available online: http:\/\/www.isoc.org\/isoc\/conferences\/ndss\/98\/wu.pdf."},{"key":"ref_25","doi-asserted-by":"crossref","unstructured":"Oswald, D., and Paar, C. (October, January 28). Breaking Mifare DESFire MF3ICD40: Power Analysis and Templates in the Real World. Proceedings of the Cryptographic Hardware and Embedded Systems (CHES 2011), Nara, Japan. LNCS.","DOI":"10.1007\/978-3-642-23951-9_14"}],"container-title":["Information"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/www.mdpi.com\/2078-2489\/8\/3\/81\/pdf","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,10,11]],"date-time":"2025-10-11T18:41:46Z","timestamp":1760208106000},"score":1,"resource":{"primary":{"URL":"https:\/\/www.mdpi.com\/2078-2489\/8\/3\/81"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2017,7,6]]},"references-count":25,"journal-issue":{"issue":"3","published-online":{"date-parts":[[2017,9]]}},"alternative-id":["info8030081"],"URL":"https:\/\/doi.org\/10.3390\/info8030081","relation":{},"ISSN":["2078-2489"],"issn-type":[{"type":"electronic","value":"2078-2489"}],"subject":[],"published":{"date-parts":[[2017,7,6]]}}}