SAM-PAY: A Location-Based Authentication Method for Mobile Environments

Wireless, satellite, and mobile networks are increasingly used in application scenarios to provide advanced services to mobile or nomadic devices. For example, to authenticate mobile users while obtaining access to remote services, a two-factor authentication mechanism is typically used, e.g., based on the ownership of a personal mobile phone, device, or (smart)card and the knowledge of a (static) username and password. Nevertheless, two-factor authentication is considered roughly "adequate" for security problems encountered today on the Internet and even less for ubiquitous or mobile environments. To increase the authentication level, several authentication methods of different classes may be combined to achieve more reliable user identification. In particular, location technologies allow ubiquitous applications to better exploit the (physical) location information in the authentication process. Consequently, in security applications based on multiple authentication factors, an additional authentication factor could be the location information protected for integrity against undesired modification. We present the SAM-PAY authentication method, which combines different authentication factors to obtain a more reliable user identification. The mechanism is based on the use of a (location-aware) device, the location information certified by a trusted external party, such as a component or element in a telecom network, and the knowledge of data, like a static PIN and a dynamically generated one-time password. We also describe the design and implementation of a real case scenario exploiting our SAM-PAY method, namely the refueling service at a self-service gas station. The test-bed put in place for this service demonstrates the feasibility and effectiveness of the SAM-PAY method in open mobile environments.