Tyfone Inc. is taking smart-card security beyond plastic payment cards with a plan to apply the technology to mobile devices and personal computers.
Its Connected Smart Card chip would allow users to store multiple passwords and other sensitive data locally, rather than in other hardware or cloud-based storage systems, Tyfone announced May 15.
Tyfone plans to market the CSC chip to banks, health care and government agencies prior to introducing it as a retail point-of-sale and consumer product, says Tyfone CEO Siva Narendra.
Tyfone is currently testing the CSC with various companies, and plans a full rollout of the product in the fourth quarter of 2013.
"The reason for so many data attacks is that the industry still sees storage of passwords and data in central locations, with the key to that storage right next to it," Narendra says.
"Data and transactions are moving to the cloud, which changes the methodology, but it is still storing passwords and data centrally."
About 90% of current passwords are vulnerable, Narendra says. "Central storage of data and access to it is real life now, but security has not kept up with it," he adds.
The CSC, a microchip with EMV smart-card applications, can take forms such as a microSD card that plugs into mobile devices and personal computers. Once a user sets up passwords and IDs on the chip, there is no need to frequently change the passwords, Narendra says.
"A single attack cannot compromise millions of passwords with CSC in place," Narendra says.
Smart cards have been deployed for several years and Tyfone wants to leverage that investment with a microchip that works in many form factors, says Don Bloodworth, chief financial officer for Tyfone.
"What really matters is having a global standard because, by 2017, smart cards will be everywhere," Bloodworth says. "We need a piece of hardware to bring online and offline together, and the CSC does that by plugging into a phone or PC for mobile or online payments."
Banks and other companies are likely to find the CSC concept a welcome security upgrade because the username-and-password combination "is broken as an authenticator at this point," says Julie Conroy, senior analyst and fraud expert with Boston-based Aite Group.
The only real value for usernames and passwords is as a database lookup mechanism, Conroy says.
Still, Tyfone may find it difficult to change consumer behavior with the CSC on a large scale, she adds.
"I see this solution as less fit for the mass public, and more applicable in a [business] environment, as securing logon access for employees, or securing access to online banking for wholesale banking clients," Conroy says.
Issuers will be able to provide smart-card chip credentials over a wired or wireless remote network through Tyfone's technology, Bloodworth says. As such, consumers would issue a request to the ID issuer to provide credentials, rather than enter credentials themselves. The process is completed through Tyfone's independent secure element manager, Bloodworth adds.
"All the consumer has to do is download the appropriate app, much like they do today, and the ID will be provisioned automatically upon consumer approval," Bloodworth says.
A consumer could add various passwords and IDs to a CSC chip, including credit and debit card credentials, facilities access, health-care information and cloud access.
When a consumer uses CSC embedded in a keychain or wristband, the chip would integrate with Bluetooth or Near Field Communication technology for contactless transactions, Bloodworth says.
The CSC can hold passwords or other identifiers, such as fingerprint scans.
"The use of biometrics is great as a unique identifier, but they still have to be converted into digital certificates," Bloodworth says. "Having 20 million biometric scans in the cloud is not a good idea." Having one biometric scan on a CSC is better, he says.