Access Security for Automotive and Mobility Services

Why you need access security for automotive and mobility services


A number of vehicle features and controls are now accessible via mobile apps. These include door locks, engine start, and the driver’s registration to a vehicle – to adjust comfort and entertainment preferences, to match an insured driver’s profile, to match a fleet driver’s profile, etc.

This is true for the user’s own car, but also for fleet or shared vehicles, rental cars or bikes, and autonomous cars. These features and controls need to be provided by the vehicle, whether or not it has cloud connectivity, and whether or not the user’s smartphone – a smarter key – has network connectivity. This virtual key needs to be both convenient to use – since we’re now used to opening a vehicle door just by approaching a badge – and secure.

The access security question is new. Previously, a key or badge was the answer. If you had rented a car, you would go to the rental station. Your credentials would be checked there, and the key given to you thereupon. Car sharing services would provide you a badge after a face-to-face registration process. And so on.

Now that keys are being replaced by rights downloaded to smartphones, new questions arise, such as how to provide the virtual key to the right person, how to protect the virtual key at rest, in transit, and in use, and how to make sure that it can only be used in the context that it was issued for – in particular if the vehicle has no cloud connectivity at the time the user wants to access it.

There are 2 pitfalls here: failing to enforce access security, resulting in financial losses and safety issues, and enforcing access security at the cost of user convenience.

Features and controls provided by the vehicle are not the only area of concern. Vehicles are getting connected. This means that they can be accessed remotely; unauthorized access must be strictly prevented, since someone taking control of a vehicle can do absolutely everything with it, from turning off the radio to deactivating the brakes.

Also, drivers and passengers now access cloud-based services and applications directly from the vehicle and can therefore buy, pay, book, and make any kind of transactions. Protecting access to and from the vehicle requires mutual authentication of the vehicle – and possibly its passengers – and of the cloud controlling it. Convenience and security are, here again, the 2 objectives to balance.

inWebo access security for automotive and mobility services

inWebo access security for connected cars

Our solution consists of 2 components that can be used separately or combined, depending on the use cases:

  • inWebo Remote Authentication: this is used to implement MFA (2-factor authentication) or step-up (2nd factor verification) to access cloud-based services from the car or from other devices such as a smartphone or a laptop. As an example, you can use it to provide secure in-car payment, or to deploy secure vehicle software updates. In a 2-factor authentication scenario using inWebo mAccess SDK, the second factor can be a PIN but also something less disruptive such as speaker voice recognition or driving style recognition – see our “Biometry as a second factor” tutorial for more information.
  • inWebo Local Authorization: this is used to implement access control – typically from a smartphone – to a vehicle’s features such as those listed above – door locks, engine start, driver registration to the vehicle. The holder of the key is only authorized within the context defined by the platform that has issued the key; there’s no need to have synchronized the vehicle with that platform. Also, the solution supports 3 interaction levels:
    • Contactless: it’s enough to bring the smartphone close enough to authorize the user. This can typically be used to unlock the door.
    • With user validation: the user needs to approve the transaction on his or her smartphone. This can be used as a step-up to prevent attacks trying to extract the key.
    • With user authentication: the user needs to enter a PIN on his or her smartphone to get approved, or to use a biometric sensor such as a fingerprint sensor. This can be used for critical authorizations such as starting the engine.

Now, what?

It’s your turn. You may

  • Evaluate inWebo for free and without commitment for 30 days. This sounds like the procrastinator package, but MFA and access security are serious topics, and no one will blame you for taking your time to make sure that inWebo is the right fit. Note that we have project management, consulting, and integration partners trained in our solutions whom you can ask for an evaluation and a PoC.
  • Request a customized demo. We’ll be happy to show and explain the basics of our solution and answer your questions.